Security

Evibe is built around your trust. Here is how we keep your data safe — at rest, in transit, and in our infrastructure.

Last updated · 2026-04-25

Anonymized by design

Our database holds only anonymized portfolio data — no name, no human-readable identity. Your email is used only to sign you in, and it lives in Firebase Authentication, not on our servers.

Encrypted everywhere

All traffic between your devices and our servers is encrypted in transit (TLS 1.3). At rest, your data sits on a fully encrypted volume (LUKS2, AES-256) and off-site backups are encrypted before they ever leave the server.

Yours to delete, anytime

One tap inside the app and everything is gone — portfolios, transactions, account. GDPR-aligned by default, including export and right to be forgotten.

Operational best practices

We follow the security best practices expected of a modern cloud-native company, including: least-privilege access to production systems, mandatory two-factor authentication on every administrative account, encrypted secrets and credentials managed via a hardened secret store, automated dependency and vulnerability scanning with prompt patching, and a clear separation between development and production environments.

Encryption in depth

In transit: end-to-end TLS (1.2 or higher) between your devices and our infrastructure.

At rest: the database, cache and swap live on an encrypted volume (LUKS2 / AES-256-XTS) unlocked at boot by a hardware security module (TPM 2.0) on the server — the encryption key is never written to the disk in clear text. Off-site backups are encrypted on the server (AES-256) before upload, and the keys that protect those backups are themselves kept on the encrypted volume.

Because we store only opaque identifiers and no names, a lost or decommissioned disk exposes no usable personal or financial data.

Authentication

Authentication is delegated to Firebase Authentication (Google Cloud), an industry-standard provider used by hundreds of thousands of apps. We never see or store your password — Firebase handles that on its hardened infrastructure.

Subprocessors and data location

Our subprocessors are: Firebase (Google Ireland Ltd.) for authentication, and OVH Hosting Inc. (Canada) for portfolio-data hosting. Portfolio data is stored anonymized in Canada (OVH Beauharnois datacenter); the transfer from our EU entity (Wonderlink SL, Spain) relies on the European Commission’s adequacy decision for Canada (for organisations subject to PIPEDA). Both subprocessors are bound by data-processing agreements aligned with the GDPR.

Reporting a vulnerability

If you believe you have found a security issue, please email us using the contact address at the bottom of this page. We aim to acknowledge reports within 48 hours and to issue fixes for confirmed issues as quickly as possible. We are grateful to researchers who help keep Evibe safe and we will publicly credit you (with your permission) once a fix has shipped.