Last updated: December 30, 2025

Security at Circadia

Your mental health data deserves the strongest protection. Here's how we keep it safe.

Security Overview

Your data is yours. We can't read it, sell it, or share it—because we never have access to it.

Circadia is built on a zero-knowledge architecture. This means all your sensitive health data is encrypted on your device before it ever leaves, using keys that only you control. Our servers store encrypted data that we cannot decrypt.

End-to-End Encrypted

All data encrypted client-side

Zero Knowledge

We can't see your data

You Hold the Keys

Only you can decrypt

Zero-Knowledge Design

Zero-knowledge means we've architected the system so that we cannot access your unencrypted data—not “won't” but can't. This is a fundamental design principle, not a policy choice.

What We Can See

  • Your email address (for account recovery and notifications)
  • Encrypted data blobs (meaningless without your keys)
  • Metadata needed for sync (timestamps, data sizes)
  • Subscription status and billing information

What We Can't See

  • Your mood entries, episode states, or symptoms
  • Your journal entries, thoughts, or reflections
  • Your medications, dosages, or adherence data
  • Your sleep data, health metrics, or patterns
  • Any personal health information you track

Even if compelled by law enforcement, we cannot provide your health data because we don't have the keys to decrypt it.

Encryption Architecture

Circadia uses a multi-layer key hierarchy with industry-standard cryptographic algorithms:

Key Hierarchy

Master Password (user input)
↓ Argon2id (m=64MB, t=3, p=4)
Key Encryption Key (KEK)
↓ Encrypts
Data Encryption Key (DEK)
↓ AES-256-GCM
Your Encrypted Data

Cryptographic Standards

PurposeAlgorithmDetails
Key DerivationArgon2idm=64MB, t=3 iterations, p=4 parallelism
Data EncryptionAES-256-GCM256-bit keys, authenticated encryption
Key WrappingAES-256-KWRFC 3394 key wrap
Random GenerationCSPRNGPlatform secure random (SecRandomCopyBytes)
Key StorageSecure EnclaveHardware-backed on supported devices

Recovery Mechanism

During account setup, you receive a 24-word recovery phrase (BIP39 mnemonic). This phrase can regenerate your KEK if you lose access to all devices. We do not store this phrase—if you lose it and all authenticated devices, your data cannot be recovered.

Authentication Security

Passkeys (Primary)

Circadia uses passkeys (WebAuthn/FIDO2) as the primary authentication method. Passkeys provide:

  • Phishing resistance—credentials are bound to the specific domain
  • No password to remember, forget, or have stolen
  • Hardware-backed security on modern devices
  • Biometric confirmation (Face ID, Touch ID, Windows Hello)

Magic Links (Fallback)

For devices or situations where passkeys aren't available, we offer magic link authentication:

  • Single-use links sent to your verified email
  • 15-minute expiration window
  • Rate-limited to prevent abuse (max 5 per hour)

Session Security

  • Access tokens: 1-hour expiration, JWT format
  • Refresh tokens: 30-day expiration, secure rotation
  • Device limits: Maximum 5 concurrent sessions
  • Remote logout: Revoke any device from settings

App Security Features

Biometric Protection

The app requires biometric authentication (Face ID, Touch ID, or device passcode) to access your data, even on an already-unlocked device.

Auto-Lock

  • Configurable timeout (default: 5 minutes)
  • Locks when app goes to background
  • Requires re-authentication on return

Screenshot Prevention

Sensitive screens display a blur overlay during screenshots and screen recordings to prevent accidental exposure of your data.

Secure Data Storage

  • iOS/watchOS: Keychain with Secure Enclave, SwiftData with encryption
  • Web: IndexedDB with client-side encryption, no plaintext storage

Jailbreak/Root Detection

The app detects compromised devices and provides warnings, with graceful degradation of security-sensitive features on rooted/jailbroken devices.

Network Security

Transport Security

  • TLS 1.3: All connections use modern TLS with forward secrecy
  • Certificate Pinning: Mobile apps pin our SSL certificate
  • HSTS: HTTP Strict Transport Security enforced
  • No HTTP: All traffic is HTTPS, no fallback

API Security

  • Rate Limiting: 60 requests/minute for sync, 5 login attempts/5 minutes
  • Input Validation: All inputs validated with Zod schemas
  • CORS: Strict origin validation

Infrastructure Security

Cloud Infrastructure

  • Cloudflare Workers: Edge computing for low-latency, globally distributed API
  • Neon PostgreSQL: Serverless database with encryption at rest
  • Cloudflare R2: Object storage for encrypted file uploads
  • Durable Objects: Real-time sync coordination

Data Residency

Your encrypted data is stored in data centers within your selected region. We support data residency preferences for users in the EU, US, and other regions.

Backups

  • Automated daily backups with 30-day retention
  • Backups are encrypted at rest (same zero-knowledge guarantee)
  • Point-in-time recovery available

Our Security Practices

Development Security

  • Code review required for all changes
  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability monitoring
  • Secrets management with environment isolation

Operational Security

  • Principle of least privilege for all access
  • Multi-factor authentication for all team members
  • Audit logging for administrative actions
  • Incident response procedures documented and tested

Compliance

While Circadia is not a medical device and not subject to HIPAA, we follow security best practices that align with healthcare data protection standards. Our zero-knowledge architecture exceeds typical compliance requirements by ensuring we cannot access protected health information.

Responsible Disclosure

We value the security community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us privately.

How to Report

Email: security@circadia-app.dev

Please include: description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code.

Our Commitment

  • Acknowledge receipt within 24 hours
  • Provide initial assessment within 72 hours
  • Keep you informed of remediation progress
  • Credit researchers who report valid issues (with permission)
  • No legal action against good-faith security researchers

Scope

The following are in scope for security research:

  • circadia-app.dev and api.circadia-app.dev
  • iOS, watchOS, and iPadOS applications
  • Authentication and authorization systems
  • Encryption implementation

Out of Scope

Social engineering, physical attacks, denial of service, attacks on third-party services, and attacks requiring physical device access are out of scope.

Security Contact

For security-related inquiries, concerns, or to report a vulnerability:

Security Reports

security@circadia-app.dev

For vulnerability reports and security issues

Privacy Inquiries

privacy@circadia-app.dev

For privacy-related questions

For urgent security matters, please include “URGENT” in your email subject line.

Related Documents

Privacy PolicyTerms of ServiceContact Us

If you're in crisis or need immediate support, please reach out:

988 Suicide & Crisis LifelineCrisis Text Line
Get Started Free