Built like the bar is loaded.

We treat security as a product feature. Every change to authentication, storage, or payment code is reviewed by at least two engineers, tested against a threat model, and shipped behind an incremental rollout.

We apply the principle of least privilege across engineering, infrastructure, and vendor relationships: access is scoped, logged, and reviewed quarterly.

In Transit

All traffic between the app, the website, and our API is encrypted with TLS 1.3. HSTS is enforced on every Overload domain with a one-year max-age.

At Rest

Databases, object storage (progress photos, exports), and backups are encrypted with AES-256. Keys are managed through AWS KMS with automatic annual rotation.

On Device

The iOS app stores credentials and tokens in the iOS Keychain (hardware-backed where available). Cached training data is stored in an encrypted, app-sandboxed database.

Overload is hosted on AWS, with primary regions in us-east-1 (Virginia) and eu-central-1 (Frankfurt). We use managed services (RDS, S3, KMS) so we can focus on product and depend on AWS’s physical and perimeter controls.

• Isolated VPCs with private subnets for application and database tiers.
• Automated daily backups with point-in-time recovery for 35 days.
• Infrastructure defined as code — every change is reviewed and audited in Git.

• Engineering access requires SSO with hardware-key-backed 2FA.
• No one has standing production database access. Break-glass access is short-lived and audit-logged.
• Vendors are scoped to the minimum data required and bound by DPAs.
• Employee access is reviewed quarterly and revoked on offboarding the same day.

You can sign in with Sign in with Apple, Google, or email + password. Passwords are hashed with argon2id and never stored in plaintext.

Sessions are short-lived JWTs rotated on every refresh. Suspicious login patterns (new device, new country) trigger an email notification and an optional re-auth requirement.

On-device biometrics (Face ID, Touch ID) can be enabled in Settings to require a second factor before opening the app.

We collect only what the product needs. We do not collect precise location, contact lists, or health records from HealthKit unless you explicitly opt in. Analytics events are IP-anonymized at ingestion and we do not sync advertising identifiers.

We run 24/7 automated monitoring on availability, error rates, and authentication anomalies. A rotating on-call engineer is paged for incidents above defined severity.

If we confirm a security incident that affects your personal data, we will notify you without undue delay — and in any event within 72 hours where required by GDPR or similar regulation.

If you believe you’ve found a vulnerability, please report it to security@overload.app. We investigate every report and will respond within 2 business days.

Please do not:

• Access data that does not belong to your own account.
• Run denial-of-service or brute-force attacks.
• Publicly disclose an issue before we’ve had a chance to fix it.

We credit researchers who follow responsible disclosure and we’re building a formal bug-bounty program — email us to be notified when it launches.

• Use a unique, long passphrase or a password manager.
• Turn on biometric unlock for the app.
• Keep iOS up to date — we follow the two most recent major versions.
• Review active sessions in Settings → Security and sign out devices you no longer use.
• Enable login notifications so a new sign-in on an unfamiliar device lands in your inbox.

We align our controls to industry frameworks and run third-party audits:

• SOC 2 Type II — audit in progress, report expected Q3 2026.
• GDPR / UK GDPR — processes and DPAs in place, Data Protection Officer appointed.
• CCPA / CPRA — California residents can exercise rights at privacy@overload.app.

Current audit reports and security questionnaires are available to enterprise customers under NDA.

Security questions, vulnerability reports, or audit requests — security@overload.app. Our PGP key is available on request.