Security

Last updated: January 28, 2026

Our Approach

Security is not a feature—it's foundational. We've designed Simplest1 with security as a core principle, not an afterthought.

Data Isolation

Every tenant's data lives in its own isolated SQLite database. This architecture means:

No data leakage between customers is possible at the database level.
A vulnerability in one tenant cannot expose another tenant's data.
Your data can be exported or deleted completely and independently.

Encryption

In transit: All connections use TLS 1.3.
At rest: Database backups are encrypted.
Passwords: We use magic links—no passwords to steal or leak.

Authentication

We use passwordless authentication via magic links:

No passwords to remember, reuse, or have stolen.
Magic links expire after 15 minutes.
Each link can only be used once.
Sessions expire after 24 hours of inactivity.

Infrastructure

Hosted on hardened cloud infrastructure.
Regular security patches and updates.
DDoS protection enabled.
Firewall rules restricting unnecessary access.

Application Security

CSRF protection: All forms protected with tokens.
XSS prevention: All output is escaped by default.
SQL injection: Parameterized queries throughout.
Security headers: CSP, X-Frame-Options, and more.
Rate limiting: Protection against brute force attacks.

Backups

Continuous streaming backups using Litestream.
Point-in-time recovery capability.
Backups stored in geographically separate locations.
Regular backup restoration tests.

Incident Response

In the event of a security incident:

We will notify affected users within 72 hours.
We will provide a clear description of what happened.
We will explain what data was affected.
We will describe the steps we're taking to prevent recurrence.

Responsible Disclosure

If you discover a security vulnerability, please report it to [email protected]. We appreciate responsible disclosure and will acknowledge your report within 48 hours.

Questions

Security questions or concerns? Contact us at [email protected].