Security Practices

Security isn't an afterthought—it's the foundation of everything we build. Military-grade encryption, zero knowledge architecture, and radical transparency.

[SECURITY FIRST] Our Approach

We implement defense in depth with multiple layers of security. Every design decision prioritizes security over convenience. We assume breach and design accordingly.

Security Architecture

Our security model is built on several core principles that work together to protect your data and privacy:

Zero Knowledge by Design

We can't access your data even if we wanted to because it never reaches our servers:

  • Local Processing: All cryptographic operations happen on your device
  • Client-Side Encryption: Data is encrypted before it leaves your device (if it ever does)
  • No Server-Side Secrets: We don't store encryption keys, passwords, or personal data
  • Verifiable Security: Our open source code can be audited by security researchers

Cryptographic Standards

We use only proven, military-grade cryptographic algorithms and implementations:

Encryption Algorithms

  • AES-256-GCM for symmetric encryption
  • ChaCha20-Poly1305 for high-performance scenarios
  • RSA-4096 and Ed25519 for asymmetric cryptography
  • PBKDF2 and Argon2id for key derivation
  • SHA-256 and BLAKE3 for hashing
  • HMAC-SHA256 for message authentication

Secure Random Generation

All cryptographic keys and random values are generated using:

  • Operating system cryptographically secure random number generators
  • Hardware security modules where available
  • Multiple entropy sources combined with CSPRNG
  • Regular entropy pool monitoring and health checks

Application-Specific Security

Each of our applications implements security measures tailored to its specific use case:

Split/Pass - Password Manager

  • Shamir's Secret Sharing: Passwords split into 3 cryptographic shards
  • Threshold Cryptography: Minimum 2 shards required for reconstruction
  • Zero Knowledge: We never see your master password or vault contents
  • Secure Storage: Encrypted with device-specific keys
  • NFC Security: Encrypted transmission to NFC tags

Money - Finance Manager

  • Local Database Encryption: All financial data encrypted at rest
  • API Key Protection: Cryptocurrency API keys never stored in plaintext
  • Transaction Privacy: No transaction data sent to our servers
  • Secure Communication: HTTPS with certificate pinning for external APIs

Clonara - AI Personality

  • Local AI Processing: All AI computations happen on-device
  • Memory Encryption: Conversation data encrypted in memory
  • Secure Deletion: Cryptographic erasure of sensitive data
  • Model Security: AI models validated and signed

Nutriva - Nutrition Analysis

  • Image Processing: All photo analysis happens locally
  • Data Privacy: No food photos or dietary data uploaded
  • Secure Storage: Nutrition history encrypted on device
  • Model Integrity: AI nutrition models cryptographically verified

Development Security

Security starts in our development process and continues through deployment:

Secure Development Lifecycle

  • Threat Modeling: Every feature analyzed for security implications
  • Security Reviews: All code reviewed by security-focused developers
  • Static Analysis: Automated security scanning in CI/CD pipeline
  • Dependency Scanning: Third-party libraries monitored for vulnerabilities
  • Penetration Testing: Regular third-party security assessments

Code Security

  • Memory Safety: Use of memory-safe languages where possible
  • Input Validation: All user inputs validated and sanitized
  • Secure Defaults: Most restrictive settings enabled by default
  • Error Handling: No sensitive information leaked in error messages
  • Code Obfuscation: Protection against reverse engineering

Infrastructure Security

Even though we minimize infrastructure, what we do operate follows strict security standards:

Website and Distribution

  • HTTPS Everywhere: TLS 1.3 with perfect forward secrecy
  • HSTS Headers: HTTP Strict Transport Security enforced
  • CSP Headers: Content Security Policy prevents XSS
  • Subresource Integrity: External resources cryptographically verified
  • No Tracking: Zero analytics or tracking scripts

Application Distribution

  • Code Signing: All applications cryptographically signed
  • Reproducible Builds: Build process verifiable and repeatable
  • Hash Verification: SHA-256 hashes provided for all downloads
  • Official Channels: Apps distributed only through verified stores

Security Audits

We believe in transparency and third-party verification of our security claims:

External Audits

  • Annual Security Audits: Comprehensive third-party security assessments
  • Cryptographic Review: Our encryption implementations professionally audited
  • Penetration Testing: Regular ethical hacking assessments
  • Open Source Audits: Community security researchers welcome

Internal Security Measures

  • Security Training: All developers trained in secure coding practices
  • Regular Updates: Dependencies and systems kept current
  • Incident Response: Prepared procedures for security incidents
  • Monitoring: Continuous security monitoring and alerting

Responsible Disclosure Program

We welcome security researchers and offer a responsible disclosure program:

Scope

Our responsible disclosure program covers:

  • All Satoshi Ltd. mobile applications
  • Our website (satoshi-ltd.com)
  • Open source repositories
  • Distribution infrastructure

Guidelines

  • Private Disclosure: Report vulnerabilities privately before public disclosure
  • Good Faith: Don't access or modify user data during research
  • No Disruption: Avoid degrading our services or user experience
  • Legal Boundaries: Stay within legal boundaries when testing

Rewards

While we're a small company, we offer:

  • Public recognition (with your permission)
  • Free access to our premium applications
  • Monetary rewards for critical vulnerabilities (case-by-case basis)
  • Direct communication with our development team

Reporting Security Issues

Found a security vulnerability? Here's how to report it:

Email: security@satoshi-ltd.com
PGP Key: 0x1234567890ABCDEF
Signal: @satoshiltd-security

For critical vulnerabilities:

  • Use encrypted communication (PGP or Signal)
  • Include detailed reproduction steps
  • Provide proof-of-concept if possible
  • Suggest mitigation strategies if known

We aim to respond within 24 hours.

What to Include

  • Vulnerability Description: Clear explanation of the issue
  • Affected Systems: Which applications or services are vulnerable
  • Reproduction Steps: Detailed steps to reproduce the vulnerability
  • Impact Assessment: Your assessment of the security impact
  • Suggested Fix: If you have ideas for mitigation

Security Incident Response

In the unlikely event of a security incident, we have procedures in place:

Response Timeline

  • 0-1 hours: Initial assessment and containment
  • 1-6 hours: Full impact analysis and mitigation planning
  • 6-24 hours: Implementation of fixes and user notification
  • 24-72 hours: Post-incident analysis and documentation

Communication

  • Transparency: We will be transparent about any incidents
  • Timely Updates: Regular status updates during incidents
  • Technical Details: Full technical disclosure after resolution
  • Lessons Learned: Public post-mortems to improve security

User Security Recommendations

While we build secure applications, your security also depends on your practices:

Device Security

  • Keep Updated: Always use the latest OS and app versions
  • Screen Lock: Use strong device authentication (PIN, biometrics)
  • App Permissions: Review and limit application permissions
  • Avoid Jailbreaking: Don't compromise your device's security model

Data Protection

  • Regular Backups: Back up your data regularly and securely
  • Strong Passwords: Use unique, strong passwords for all accounts
  • Two-Factor Authentication: Enable 2FA where available
  • Network Security: Avoid public WiFi for sensitive operations

Compliance and Standards

We align with international security standards and best practices:

Standards Compliance

  • NIST Cybersecurity Framework: Following NIST guidelines
  • OWASP Top 10: Protection against common vulnerabilities
  • ISO 27001: Information security management principles
  • FIPS 140-2: Cryptographic module standards

Privacy Regulations

  • GDPR Compliance: European data protection requirements
  • CCPA Compliance: California consumer privacy protections
  • Hong Kong PDPO: Local privacy ordinance compliance

Security is a Journey

Security is not a destination but an ongoing process. We continuously improve our security posture, learn from the community, and adapt to new threats. Your security is our responsibility, and we take it seriously.

Security Contact

For all security-related inquiries:

Email: security@satoshi-ltd.com
PGP: 0x1234567890ABCDEF
Signal: @satoshiltd-security
Security Team Lead: [REDACTED]
Response Time: < 24 hours
Severity Escalation: < 1 hour for critical issues

Postal Address:
Satoshi Ltd. Security Team
Hong Kong Science Park
Sha Tin, New Territories
Hong Kong SAR