
Security

Your family's data deserves the highest level of protection

Our Security Commitment

At Rowan, security isn't an afterthought; it's built into every aspect of our platform. We understand that you're trusting us with your family's most personal information, and we take that responsibility seriously.

Data Encryption

Encryption in Transit

All data transmitted between your device and our servers is protected using:

  • TLS 1.3: The latest and most secure transport layer security protocol
  • HTTPS Everywhere: Every connection to Rowan is encrypted, with no exceptions
  • Perfect Forward Secrecy: Each session uses its own ephemeral keys, so even if a server's long-term key is later compromised, past sessions cannot be decrypted
  • Certificate Pinning: Our clients only accept our own certificates, so a forged or mis-issued certificate cannot be used to intercept traffic

Encryption at Rest

Your data is encrypted when stored on our servers:

  • AES-256 Encryption: Military-grade encryption for all stored data
  • Database Encryption: Multiple layers of encryption at the database level
  • Encrypted Backups: All backups are fully encrypted
  • Secure Key Management: Encryption keys are stored separately from data and rotated regularly

Password Protection

  • bcrypt Hashing: Passwords are hashed using industry-standard bcrypt with salt
  • Never Stored in Plain Text: We can't see your password and never will
  • Secure Password Reset: Time-limited, single-use tokens for password recovery
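The two properties claimed above (passwords never stored in plain text; reset tokens that are time-limited and single-use) are easy to state and easy to get subtly wrong. The following is an added illustration written for this page, not Rowan's own code: it uses the Python standard library's scrypt as a stand-in for bcrypt (the page names bcrypt; scrypt is used here only so the example runs without third-party packages), stores only a hash of each reset token so a database leak does not yield usable tokens, and enforces expiry and single use on redemption. The 15-minute lifetime, the in-memory store and the user ids are assumptions.

```python
"""Password hashing and time-limited, single-use reset tokens (illustrative, not Rowan's code)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed reset-token lifetime


def hash_password(password: str) -> str:
    """Return a salted, memory-hard hash; the plaintext is never stored.

    scrypt stands in for bcrypt here because it ships with CPython.
    """
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1, dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class Clock:
    """Injectable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class ResetTokenStore:
    """Issues opaque reset tokens and redeems each at most once before expiry.

    The in-memory dict stands in for a database table keyed by token hash.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        # 256 bits from the OS CSPRNG; the raw token goes to the user (e.g. in an email link)
        token = secrets.token_urlsafe(32)
        # Only the hash is persisted, so a leaked table does not reveal usable tokens
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user id the token was issued for, or None if it is unknown, used or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() removes the record on first use, which is what makes the token single-use
        record = self._tokens.pop(digest, None)
        if record is None:
            return None
        user_id, expires_at = record
        if self._now() > expires_at:
            return None  # expired tokens are discarded, never honoured late
        return user_id


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", stored))
    clock = Clock()
    store = ResetTokenStore(now=clock)
    tok = store.issue("user-42")
    print("first redemption:", store.redeem(tok))
    print("second redemption:", store.redeem(tok))
```

Two details carry most of the security weight: the token store keeps a hash rather than the token itself, and redemption removes the record before checking anything else, so a token can never be replayed even if the expiry check were wrong.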

Infrastructure Security

Hosting and Cloud Security

  • Tier-1 Cloud Provider: Hosted on enterprise-grade infrastructure with 99.9% uptime SLA
  • Isolated Environments: Production, staging, and development environments are completely separate
  • Distributed Architecture: Redundant systems across multiple availability zones
  • DDoS Protection: Advanced protection against distributed denial-of-service attacks
  • Web Application Firewall: Filters malicious traffic before it reaches our application

Network Security

  • Private Networks: Database and internal services not accessible from the internet
  • IP Whitelisting: Restricted access to administrative functions
  • Intrusion Detection: 24/7 monitoring for suspicious activity
  • Security Groups: Strict firewall rules limiting service communication

Data Backups

  • Automated Backups: Daily encrypted backups of all data
  • Geographic Redundancy: Backups stored in multiple regions
  • Point-in-Time Recovery: Ability to restore data to any point in the last 30 days
  • Tested Recovery: Regular disaster recovery drills

Access Controls

User Authentication

  • Multi-Factor Authentication (MFA): Available for all accounts (coming soon: required for all users)
  • Session Management: Secure session tokens with automatic expiration
  • Login Monitoring: Alerts for suspicious login attempts or new device access
  • Forced Logout: Ability to remotely sign out of all sessions

Employee Access

  • Principle of Least Privilege: Employees only have access to data necessary for their role
  • Zero Standing Privileges: No permanent admin access; all elevated access is temporary and logged
  • Background Checks: All employees undergo security screening
  • Security Training: Regular security awareness training for all team members
  • Access Logging: Every access to production systems is logged and audited

Space Permissions

  • Role-Based Access: Space owners control who can view and edit content
  • Invitation Only: New members can only join via secure invitation
  • Granular Permissions: Control access to specific features and data
  • Audit Logs: Track who accessed or modified content

Monitoring and Response

Security Monitoring

  • 24/7 Monitoring: Continuous automated monitoring of all systems
  • Anomaly Detection: AI-powered detection of unusual behavior
  • Real-Time Alerts: Immediate notification of potential security incidents
  • Log Analysis: Comprehensive logging and analysis of all system activity

Incident Response

  • Response Team: Dedicated security incident response team
  • Response Plan: Documented procedures for handling security incidents
  • User Notification: Prompt notification of any breach affecting your data
  • Post-Incident Review: Analysis and improvements after every incident

Vulnerability Management

  • Regular Scanning: Automated vulnerability scanning of all systems
  • Penetration Testing: Annual third-party security audits
  • Bug Bounty Program: Rewards for responsible disclosure of security issues
  • Rapid Patching: Critical security patches applied within 24 hours

Compliance and Certifications

Standards and Regulations

  • GDPR Compliant: Full compliance with EU General Data Protection Regulation
  • CCPA Compliant: Adherence to California Consumer Privacy Act requirements
  • SOC 2 Type II: (In progress) Independent audit of security controls
  • OWASP Top 10: Protection against the most critical web application security risks

Development Practices

  • Secure SDLC: Security integrated into every phase of development
  • Code Reviews: All code reviewed by multiple developers before deployment
  • Automated Testing: Security tests run on every code change
  • Dependency Scanning: Continuous monitoring for vulnerable third-party packages
  • Static Analysis: Automated code analysis to catch security issues early

Your Role in Security

While we implement robust security measures, you play a crucial role in keeping your account secure:

Best Practices

  • Strong Passwords: Use unique, complex passwords (12+ characters with mixed case, numbers, and symbols)
  • Enable MFA: Add an extra layer of security with multi-factor authentication
  • Verify Invitations: Only accept space invitations from people you trust
  • Secure Devices: Keep your devices and browsers updated
  • Review Activity: Regularly check your account activity for anything suspicious
  • Sign Out: Log out when using shared or public devices
  • Report Issues: Contact us immediately if you notice suspicious activity

What to Avoid

  • Don't share your password with anyone (including family members)
  • Don't reuse passwords from other services
  • Don't click suspicious links in emails claiming to be from Rowan
  • Don't access Rowan from untrusted public Wi-Fi without a VPN

Transparency and Communication

Security Updates

We believe in transparency about our security practices:

  • Regular security blog posts and updates
  • Immediate notification of any security incidents affecting user data
  • Annual security and transparency reports
  • Open communication about security improvements

Third-Party Services

We carefully vet all third-party services we use:

  • Cloud hosting providers with SOC 2 compliance
  • Email delivery services with strong security practices
  • Analytics tools that respect user privacy
  • All vendors sign data processing agreements

Report a Security Issue

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue:

  • Email us at security@rowan.app
  • Include detailed information about the vulnerability
  • Give us reasonable time to address the issue before public disclosure
  • Eligible reports may receive recognition and rewards

Note: For non-security support issues, please contact support@rowan.app

Questions?

Have questions about our security practices? We're happy to provide more information: