Security Policy

Threat Model Summary

SwiftyNotes is designed with a "local-first, cloud-synced" security model. Your notes are stored in your private device sandbox and synced via your own iCloud account. For pro features, metadata and subscription status are stored in our secure Supabase backend.

Data Isolation: Supabase Row Level Security (RLS) ensures only you can access your profile and usage data.
Hardened Runtime: Our native apps use macOS/iOS hardened runtime flags to prevent code injection and unauthorized memory access.
Encryption: Sync via CloudKit and Supabase uses TLS 1.3 for all transit.

Coordinated Disclosure

If you discover a security vulnerability, please let us know. We appreciate your help in keeping SwiftyNotes safe for everyone.

security@swiftynotes.app

We aim to acknowledge all reports within 3 business days and provide updates as we work on a fix.

Security Hall of Fame

No entries yet. Be the first to help us secure the future of note-taking!

Last Updated: April 22, 2026

View our security.txt