Selmi

Security & Trust Center

Your data security is our top priority. Learn how we protect your information.

AES-256 Encryption
AWS Infrastructure
Privacy-First Design
Active

Data Encryption

All data encrypted at rest with AES-256 and in transit with TLS 1.2+

Active

Secure Infrastructure

Hosted on AWS with SOC 2 Type II certified infrastructure

Active

Privacy by Design

Built with privacy-first principles aligned with GDPR and CCPA

Active

Access Controls

Role-based access control with optional two-factor authentication

Active

Security Monitoring

Automated monitoring with alerting for security events

Active

Regular Backups

Automated encrypted backups with 35-day point-in-time recovery

Our Security Practices

Data Encryption

We use industry-standard encryption to protect your data at every stage:

  • At Rest: AES-256 encryption for all data stored in our databases (DynamoDB) and file storage (S3)
  • In Transit: TLS 1.2+ encryption for all data transmitted between your device and our servers
  • Backups: All backup data is encrypted with AWS-managed keys

Infrastructure Security

Selmi is hosted on Amazon Web Services (AWS), a SOC 2 Type II certified cloud provider:

  • Data Location: US East (N. Virginia) region
  • Serverless Architecture: AWS Lambda with automatic scaling and isolation
  • DDoS Protection: CloudFront CDN with AWS Shield Standard protection
  • Network Security: API Gateway with rate limiting and geo-restrictions

Access Controls

We implement access controls to help prevent unauthorized access:

  • Two-Factor Authentication: Optional MFA available for all user accounts
  • Role-Based Access: Permissions based on subscription tier and user role
  • Password Requirements: Minimum 8 characters with uppercase, lowercase, and numbers
  • Session Management: Short-lived access tokens with secure refresh mechanism
  • Brute Force Protection: Account lockout after repeated failed login attempts

API Security

Our APIs are designed with security best practices:

  • Rate Limiting: Tiered rate limits to protect against abuse
  • Input Validation: All inputs validated and sanitized to prevent injection attacks
  • Authentication: JWT-based authentication with short-lived tokens
  • CORS Protection: Cross-origin requests restricted to authorized domains

Privacy & Compliance

We design our systems with privacy regulations in mind:

  • GDPR Principles: Designed to support EU data protection requirements including data portability and deletion
  • CCPA Principles: Designed to support California privacy rights including data access and opt-out
  • Data Minimization: We collect only the data necessary to provide our service
  • User Control: You can export or delete your data at any time from your account settings

Security Monitoring

We maintain visibility into our systems to detect and respond to issues:

  • Automated Monitoring: CloudWatch monitoring with alerts for anomalies and errors
  • Logging: Security-relevant events are logged for investigation
  • Incident Response: Defined process for investigating and responding to security events
  • Breach Notification: We will notify affected users promptly in the event of a data breach

Third-Party Service Providers

We work with trusted third-party service providers to deliver our service. These providers process data on our behalf:

Service ProviderPurposeLocation
Amazon Web ServicesCloud hosting, database, storage, emailUnited States
StripePayment processingUnited States
AppleApple Wallet pass deliveryUnited States
GoogleGoogle Wallet pass deliveryUnited States

Report a Security Issue

If you discover a security vulnerability, please report it to us responsibly.

Contact Us

Security Issues:security@selmi.app
Privacy Questions:privacy@selmi.app
General Support:support@selmi.app

We appreciate responsible disclosure and will work to address verified vulnerabilities promptly.

Last updated: February 2026