Security
Last updated: January 2025
Protecting your data is one of our highest priorities. Your household information — expenses, schedules, personal details — is sensitive by nature, and we take our responsibility to safeguard it seriously. This page outlines the technical, organizational, and procedural measures we take to keep your data secure.
Our Commitment
Security is not a feature we bolt on — it's a core principle embedded in every decision we make. From the architecture of our infrastructure to the code we write, we design with security in mind. Our commitment includes:
- Security by Design: Every feature and system change is evaluated for security implications before deployment.
- Continuous Improvement: We regularly review and enhance our security practices to address emerging threats and adopt industry best practices.
- Transparency: We believe you have the right to know how we protect your data. This page is our way of being open about our security posture.
- Minimum Access: We follow the principle of least privilege — our team members only have access to the data and systems necessary for their roles.
Infrastructure
Our infrastructure is built on industry-leading cloud platforms with robust security controls:
- Encrypted in Transit: All data transmitted between your device and our servers is protected using TLS (Transport Layer Security) encryption. This means your information cannot be read or altered by third parties while in transit.
- Encrypted at Rest: All data stored on our servers is encrypted using AES-256 encryption. Even in the unlikely event that physical storage is compromised, your data remains unreadable.
- Secure Cloud Hosting: We host our infrastructure on reputable cloud platforms that maintain SOC 2 Type II compliance and undergo regular third-party security audits.
- Network Security: Our servers are protected by firewalls, intrusion detection systems, and network segmentation to prevent unauthorized access.
- Redundancy & Backups: Our infrastructure is designed for high availability with automated failover and geographically distributed backups.
Authentication
We implement strong authentication mechanisms to protect access to your account:
- Bcrypt Password Hashing: Your password is never stored in plain text. We hash all passwords using bcrypt with a high cost factor, making it computationally infeasible for attackers to recover your password even if the hashed data were compromised.
- Session Management: Sessions are managed using secure, randomly generated tokens with configurable expiration. Sessions are invalidated on logout and after periods of inactivity.
- API Token Security: All API requests are authenticated using secure tokens transmitted over encrypted connections. Tokens have limited lifespans and can be revoked at any time.
- Brute Force Protection: We implement rate limiting and account lockout mechanisms to prevent automated attacks against user accounts.
- Cross-Site Protection: We protect against cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks through industry-standard mitigations.
Payment Security
We take extra care with your financial information:
- Stripe Handles Everything: All payment card data is processed by Stripe, a PCI DSS Level 1 certified payment processor. Level 1 is the most stringent level of certification available in the payments industry.
- We Never Store Card Details: Roost never sees, touches, or stores your full credit card number, CVV, or bank account details. We only receive a secure token from Stripe that represents your payment method.
- PCI DSS Compliant: Because we use Stripe to handle all payment data, our integration is PCI DSS compliant by design. We undergo regular assessments to ensure ongoing compliance.
- Secure Billing Pages: Any page on Roost that involves billing or payment information is served over HTTPS and uses Stripe Elements for secure, embedded payment forms.
Data Protection
Beyond encryption and access controls, we maintain comprehensive data protection practices:
- Regular Backups: We perform automated, encrypted backups of all user data at regular intervals. Backups are stored in geographically separate locations and are tested periodically for recoverability.
- Access Controls: Access to production systems and user data is strictly controlled through role-based permissions, multi-factor authentication, and detailed audit logging.
- Audit Logs: We maintain comprehensive logs of administrative actions, authentication events, and data access. These logs are reviewed regularly and retained for incident investigation.
- Vulnerability Management: We conduct regular vulnerability scans and penetration testing to identify and address potential security weaknesses before they can be exploited.
- Incident Response: We maintain an incident response plan that outlines procedures for detecting, containing, and resolving security incidents, including notification of affected users.
- Employee Training: All team members receive regular security awareness training and are required to follow our information security policies.
Responsible Disclosure
We value the security research community and are committed to working with researchers who discover vulnerabilities in our systems. If you believe you have found a security issue, we ask that you:
- Report Responsibly: Send details of the vulnerability to security@roost.app. Please include enough information to reproduce the issue, along with any relevant proof-of-concept.
- Allow Time to Fix: Give us a reasonable amount of time to investigate and address the issue before disclosing it publicly. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 7 days.
- Avoid Harm: Do not access, modify, or delete other users' data. Do not degrade service availability. Limit your testing to the minimum necessary to demonstrate the vulnerability.
- Stay in Scope: Our responsible disclosure program covers Roost's web application, API, and mobile applications. Social engineering, physical attacks, and denial-of-service attacks are out of scope.
We appreciate responsible disclosure and will not pursue legal action against researchers who follow these guidelines. We're happy to credit researchers in our security acknowledgments (with your permission).
Security Best Practices for Users
Security is a shared responsibility. Here's what you can do to help keep your account safe:
- Use a Strong Password: Choose a unique password that is at least 12 characters long and includes a mix of letters, numbers, and symbols. Consider using a password manager to generate and store strong passwords.
- Don't Share Credentials: Never share your Roost password or login credentials with anyone. Each member of your household should have their own account.
- Enable Screen Lock: Use a PIN, passcode, or biometric lock on all devices you use to access Roost. This prevents unauthorized access if your device is lost or stolen.
- Log Out on Shared Devices: If you access Roost on a public or shared computer, always log out when you're finished and clear the browser's cookies.
- Keep Software Updated: Ensure your operating system, browser, and apps are up to date. Security patches protect against known vulnerabilities.
- Report Suspicious Activity: If you notice anything unusual with your account — unexpected changes, unfamiliar logins, or suspicious messages — contact us immediately at security@roost.app.
Contact Us
If you have questions about our security practices or wish to report a security concern, please reach out:
- Security Inquiries: security@roost.app
- Vulnerability Reports: security@roost.app
- General Inquiries: hello@roost.app
We take every report seriously and will respond as quickly as possible.