
Security Policy

Last Updated: December 2025

Our Commitment to Security

At DueSync, security is our top priority. We are committed to protecting your data and maintaining the highest security standards. This policy outlines the measures we take to keep your information safe and secure.

We employ industry-standard security practices and continuously monitor and improve our security posture to protect against evolving threats.

1. Data Security

Encryption

  • Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (Transport Layer Security). This ensures that your data cannot be intercepted or read by unauthorized parties.
  • Data at Rest: Your data is stored in encrypted PostgreSQL databases hosted on Supabase's secure infrastructure with automatic encryption at rest.
  • Session Security: User sessions are protected with HTTP-only secure cookies that cannot be read by JavaScript, so an XSS attack cannot steal your session cookie.

Authentication & Access Control

  • Google OAuth 2.0: We use Google's industry-standard OAuth 2.0 protocol for authentication. We never see or store your Google password.
  • Multi-Factor Authentication: Your account is protected by Google's security features, including 2FA if you've enabled it on your Google account.
  • Session Management: Sessions expire automatically after periods of inactivity to protect your account on shared devices.
  • Access Tokens: Google Calendar access tokens are securely stored and encrypted, with automatic refresh mechanisms to maintain security.

Authorization & Data Isolation

  • Row-Level Security: Your data is strictly isolated from other users using database-level security policies.
  • API Authentication: Every API request is authenticated and authorized to ensure you can only access your own data.
  • Principle of Least Privilege: We only request the minimum permissions needed from Google (email, profile, calendar access).

2. Application Security

Input Validation & Sanitization

  • Schema Validation: All user inputs are validated using Zod schemas to ensure data integrity and prevent malformed data.
  • SQL Injection Prevention: We use Prisma ORM, which automatically prevents SQL injection attacks through parameterized queries.
  • XSS Protection: React automatically escapes all user-generated content, preventing cross-site scripting (XSS) attacks.

CSRF Protection

NextAuth provides built-in CSRF (Cross-Site Request Forgery) protection for all state-changing operations. Each form submission includes a unique CSRF token that validates the request's authenticity.

Rate Limiting

To prevent abuse and protect our services, we implement rate limiting on all API endpoints:

  • General API: 100 requests per minute per IP address
  • Authentication: 5 login attempts per 15 minutes
  • Calendar Sync: 50 requests per hour
  • Push Notifications: 10 requests per hour

Security Headers

We implement comprehensive security headers to protect against common web vulnerabilities:

  • Content Security Policy (CSP): Prevents unauthorized script execution
  • X-Frame-Options (DENY): Prevents clickjacking attacks
  • X-Content-Type-Options (nosniff): Prevents MIME-type sniffing
  • Strict-Transport-Security (HSTS): Enforces HTTPS connections
  • Referrer-Policy: Controls information sharing with third parties
  • Permissions-Policy: Restricts browser features (camera, microphone, etc.)

3. Third-Party Security

Google Services

  • OAuth 2.0 Integration: We use Google's secure OAuth 2.0 protocol for authentication and authorization.
  • Calendar API: Access to your Google Calendar is limited to the specific permissions you grant. You can revoke access at any time through your Google account settings.
  • Token Management: Access tokens are automatically refreshed and securely stored. We never share your tokens with third parties.
  • Limited Scope: We only request access to your email, profile, and calendar - nothing more.

Infrastructure Partners

  • Supabase (Database): Our database is hosted on Supabase's SOC 2 Type II certified infrastructure with automatic backups and point-in-time recovery.
  • Vercel (Hosting): Our application is deployed on Vercel's secure edge network with automatic HTTPS and DDoS protection.
  • Email Service (Resend): Transactional emails are sent via Resend with SMTP over TLS encryption.

4. Your Security Responsibilities

Account Security Best Practices

  • Strong Password: Use a strong, unique password for your Google account that you use to sign in to DueSync.
  • Enable 2FA: Enable two-factor authentication on your Google account for an extra layer of security.
  • Sign Out on Shared Devices: Always sign out when using DueSync on shared or public computers.
  • Review Connected Apps: Periodically review connected applications in your Google account settings.
  • Monitor Account Activity: Check your Google account's recent activity regularly for any suspicious sign-ins.

General Security Tips

  • Verify URLs: Always verify you're on the correct DueSync domain before signing in.
  • Keep Software Updated: Keep your browser and operating system up to date with the latest security patches.
  • Use Secure Networks: Avoid accessing sensitive information on public Wi-Fi networks without a VPN.
  • Be Wary of Phishing: We will never ask for your password via email. Be cautious of suspicious emails claiming to be from DueSync.

5. Incident Response

Security Monitoring

We continuously monitor our systems for security threats and suspicious activity. Our monitoring includes:

  • Automated error tracking and alerting
  • Suspicious login attempt detection
  • API abuse monitoring
  • Database query performance and anomaly detection

Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovering the breach
  • Provide details about what information was affected
  • Explain the steps we're taking to address the breach
  • Recommend actions you should take to protect yourself
  • Notify relevant regulatory authorities as required by law

Vulnerability Disclosure

We welcome reports from security researchers who discover vulnerabilities in our system. If you find a security issue, please report it responsibly:

Security Contact: security@wiktechnologies.com

Response Time: We aim to respond within 48 hours

Please do not disclose vulnerabilities publicly until we've had a chance to address them. We follow a 90-day responsible disclosure timeline.

6. Compliance & Certifications

Regulatory Compliance

  • GDPR (General Data Protection Regulation): We comply with GDPR requirements for users in the European Union, including data portability, right to deletion, and consent management.
  • CCPA (California Consumer Privacy Act): We respect the privacy rights of California residents, including the right to know, the right to delete, and the right to opt out of data sales.
  • Google API Services: We comply with Google's API Services User Data Policy, including the Limited Use requirements.

Industry Standards

  • OWASP Top 10: We follow OWASP (Open Web Application Security Project) guidelines to protect against the most critical web application security risks.
  • Regular Security Audits: We conduct regular security audits and penetration testing to identify and address vulnerabilities.
  • Secure Development Lifecycle: Security is integrated into every stage of our development process, from design to deployment.

7. Security Updates & Maintenance

Dependency Management

  • Regular Updates: We regularly update all software dependencies to include the latest security patches.
  • Automated Security Audits: We use automated tools to scan for known vulnerabilities in our dependencies.
  • Rapid Patching: Critical security vulnerabilities are patched within 24-48 hours of discovery.

Continuous Improvement

Security is an ongoing process. We continuously improve our security measures by:

  • Monitoring the latest security threats and vulnerabilities
  • Implementing new security technologies and best practices
  • Learning from security incidents in our industry
  • Gathering feedback from security researchers and users
  • Conducting regular security training for our team

8. Contact Us

If you have any questions or concerns about our security practices, please contact us:

Security Issues: security@wiktechnologies.com

General Support: infoduesync@wiktechnologies.com

Response Time: We aim to respond to all security inquiries within 48 hours

9. Related Policies

For more information about how we handle your data, please review our other policies:

This Security Policy was last updated in December 2025. We may update this policy from time to time. Significant changes will be communicated to users via email or in-app notifications.