SECURITY

Security posture.

What we store, where, for how long, and what protects it.

Local-first

Case data lives on your device. The web companion uses localStorage. iOS uses SwiftData under device encryption, gated behind your device passcode and Face ID or Touch ID.

Web session

Your browser bearer is a one-time UUID stored in localStorage — never shared cross-site. The session expires after 30 days idle; every page load slides the window forward. Sign out from your profile to clear the bearer immediately.

Email verification

Cases addressed to your email only become visible after you confirm a one-time link sent to that address. The link expires in 30 minutes and is consumed once. This prevents anyone who knows your email from claiming your inbox on a fresh device.

Supervisor review server

The case payload is sent to api.sonolex.com over TLS only when you opt in to supervisor review. The payload is de-identified at source. A PHI sanitizer runs on-device and again on the server as a defense-in-depth check before the case is enqueued for review.

Retention

Review threads auto-purge after sign or after 30 days idle, whichever comes first. Local logbook entries are kept until you delete them.

Audit log

A hash-chained event log records review actions (queued, opened, signed, returned) for educational integrity. No case content is written to the log — only opaque case IDs, actor IDs, and timestamps.

Disclosure

Report security issues to security@sonolex.com. We acknowledge within 3 business days.