lg.05Updated 22 May 2026
Security
We take security seriously, but we'd rather under-promise and ship than over-claim. This page describes what is actually in place today, and what is on the roadmap.
What is in place today
- Transport: TLS, terminated at Cloudflare in front of the service.
- At rest: provider-level disk encryption on the volumes our Postgres database and object storage live on.
- Auth: passwordless. Magic links are random 32-byte tokens, hashed at rest, valid for 15 minutes, single-use. Self-hosted instances can additionally use OIDC against any provider you choose (Authentik, Keycloak, Authelia, Pocket ID). Hosted accounts can additionally use Sign in with Google or Sign in with Apple.
- Sessions: a signed JWT carried in the HTTP
Authorizationheader — not a cookie. Tokens are held in the device's secure storage and cleared on sign-out. - Receipt access: receipts in object storage are served through an authenticated proxy route; the backend re-checks group membership on every request. Object URLs are never handed out to the client.
- Money math: int64 minor units, decimal strings on the wire. Floats are forbidden.
- Production access: limited to the on-call engineer. SSH keys only, no shared accounts.
What we don't do
- We don't process payments. We won't ever ask for card data.
- We don't load third-party analytics, advertising, or chat widgets on app pages.
- We don't keep raw email content. Outbound mail is transactional; there is no marketing pipeline.
- We don't store contacts, location, or advertising identifiers.
On the roadmap (not in place yet)
We want to be straight about what we are still working on:
- HSTS preload, CSP, X-Frame-Options, X-Content-Type-Options — none of these are sent by the application server yet. Cloudflare handles some of this at the edge.
- Dependency vulnerability scanning in CI (
govulncheck, Dependabot). - Automatic 30-day rotation of request logs.
- Short-TTL presigned download URLs for receipts as an alternative to the proxy route.
- Documented restore-test cadence for backups.
- In-app account deletion and data export. Currently handled by email to
privacy@dowtech.dev.
This list is intentionally public. If something here matters to you, let us know — it sharpens prioritisation.
Self-host security notes
If you self-host, your security is your call. Some things worth doing:
- Put the app behind a reverse proxy with TLS (Caddy is the obvious pick).
- Use a real OIDC provider — Authentik, Keycloak, Authelia, Pocket ID. Don't roll your own auth.
- Restrict the Postgres port to localhost or your private network.
- Rotate the JWT signing secret regularly; back up
./dataregularly. - If you turn on the Gemini receipt OCR feature, remember that receipt images leave your server and go to Google. The feature is off by default.
Responsible disclosure
If you find a vulnerability, please email security@dowtech.dev. We aim to respond within 72 hours. We don't run a paid bug bounty yet, but we credit reporters in the changelog with permission. Please don't open public GitHub issues for security findings.
Chara · Stockholm
