Security & Privacy Policy
Review the core encryption protocols, access controls, and design models keeping your safety data protected.
01 / Privacy Architecture
Abhayastra isolates location logs client-side in an offline database. Telemetry updates and location logs are never synced during normal conditions. Only when an emergency trigger is registered will coordinates be uploaded and relayed through our ephemeral WebSocket routers.
02 / Authentication Protocols
We use hardware-backed WebAuthn (Passkeys) for secure, passwordless authentication on browser dashboards. For the mobile client application, access is locked behind system-level biometric prompts (fingerprint/face verification). Local database decryption keys are derived on the fly from the user PIN using Argon2id, leaving no permanent key traces on flash storage.
03 / AES-256 & TLS 1.3 Standards
All data in transit is encrypted using **TLS 1.3**, enforcing modern cipher suites (such as AES-GCM and CHACHA20-POLY1305) and disabling vulnerable older versions. Evidence vault media blocks are encrypted client-side using **AES-256-GCM** before upload, ensuring that even under database server compromise, stored evidence remains unreadable by vendors.
04 / Permission-Based Access
Only designated safety guardians holding verified key shares can fetch coordinates or view video feeds during active SOS states. Guardians are configured by the user beforehand. Access privileges expire automatically after the incident is resolved or the configured grace duration lapses.
05 / Android Platform Constraints
To provide continuous protection, the native app relies on specific platform privileges:
- ACCESS_BACKGROUND_LOCATION: Permits coordinate polling when the screen is locked.
- FOREGROUND_SERVICE_LOCATION: Alerts the OS that location polling is a critical system service.
- CAMERA & RECORD_AUDIO: Silently activates cameras and mics to capture incident logs.
06 / Security Researcher Disclosure
We value the security researcher community. If you locate a vulnerability inside our signaling routers, encryption models, or Android client apps, please submit a report. We review all reports within 48 hours and coordinate patch releases. For details, read our Responsible Disclosure Policy.