Data Security

Your mental health data is deeply personal. We've built InGauge with security practices that protect it like the sensitive information it is.

SOC 2 Type II

Our infrastructure providers maintain SOC 2 certification

TLS 1.3

Latest encryption standard for data in transit

AES-256

Military-grade encryption for stored data

GDPR Compliant

Meeting European data protection standards

How We Protect Your Data

Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol.

  • TLS 1.3 encryption
  • Perfect forward secrecy
  • Certificate pinning in mobile app

Encryption at Rest

Your data is encrypted when stored on our servers using AES-256, the same encryption standard used by governments and financial institutions.

  • AES-256 encryption
  • Encrypted database backups
  • Secure key management

Access Controls

Strict access controls ensure only authorized personnel can access infrastructure, and even then, user data is encrypted and access is logged.

  • Role-based access control
  • Multi-factor authentication required
  • Principle of least privilege

Audit Logging

Comprehensive logging tracks all access to systems and data, enabling us to detect and investigate any suspicious activity.

  • Immutable audit logs
  • Real-time monitoring
  • Anomaly detection

Secure Infrastructure

Our infrastructure is hosted on SOC 2 Type II certified cloud providers with physical security, redundancy, and 24/7 monitoring.

  • SOC 2 certified providers
  • Geographic redundancy
  • DDoS protection

Regular Audits

We conduct regular security assessments, penetration testing, and vulnerability scanning to identify and fix potential issues.

  • Annual penetration testing
  • Continuous vulnerability scanning
  • Third-party security audits

Security Practices in Detail

Authentication & Access

  • Secure Password Storage: Passwords are hashed using bcrypt with high cost factors—we never store plaintext passwords
  • Session Management: Secure, encrypted session tokens with automatic expiration
  • Device Authentication: Option to require re-authentication on new devices
  • Biometric Options: Face ID / Touch ID support—your biometrics stay on your device, never on our servers
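The two mechanisms in this list that are concrete enough to show in code are a salted password hash with a tunable work factor and opaque session tokens that expire server-side. The example below is added here and is not InGauge's code; the page says bcrypt, but to run with no third-party dependency it uses the standard library's scrypt KDF, which has the same salt-plus-cost design. The cost parameters, token lifetime and store layout are assumptions for the example.

```python
"""Added example (not InGauge's code): salted password hashing with an
explicit work factor, and session tokens with server-side expiry.
The page uses bcrypt; this uses hashlib.scrypt from the standard library so
it runs without extra packages.  All parameters below are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed work factors (constructed for this example, not InGauge's settings).
SCRYPT_N = 2 ** 14          # CPU/memory cost; raise it as hardware gets faster
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
SESSION_TTL_SECONDS = 15 * 60   # assumed token lifetime


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex.
    A fresh random salt means two users with the same password get different
    records, and storing the parameters lets the work factor be raised later
    while old records still verify."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and
    compare in constant time, so timing does not reveal where a mismatch is.
    Malformed records are rejected rather than raising."""
    try:
        kdf, n, r, p, salt_hex, digest_hex = record.split("$")
        if kdf != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def _token_key(token: str) -> str:
    # Only a hash of the token is stored, so a leaked store yields no usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class SessionStore:
    """Opaque random session tokens with an absolute expiry kept server-side."""
    ttl: int = SESSION_TTL_SECONDS
    _sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._sessions[_token_key(token)] = (user_id, now + self.ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a live token, or None if unknown or expired.
        An expired token is removed on sight so it cannot be revived."""
        now = time.time() if now is None else now
        entry = self._sessions.get(_token_key(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(_token_key(token), None)
            return None
        return user_id


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    store = SessionStore(ttl=60)
    tok = store.create("user-1", now=1000.0)
    print("live:", store.lookup(tok, now=1030.0), "expired:", store.lookup(tok, now=1061.0))
```

The record format carries its own parameters so the cost can be raised for new hashes without a migration; the session store keys on a hash of the token and treats expiry as revocation, which is the "automatic expiration" the list item refers to.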

Infrastructure Security

  • Cloud Provider: Hosted on major cloud platforms with SOC 2, ISO 27001, and HIPAA-eligible infrastructure
  • Network Security: Private networks, firewalls, and intrusion detection systems
  • DDoS Protection: Automatic mitigation of distributed denial-of-service attacks
  • Geographic Redundancy: Data replicated across multiple availability zones
  • Disaster Recovery: Regular backups with tested recovery procedures

Application Security

  • Secure Development: Security-focused code reviews and secure coding practices
  • Dependency Scanning: Automated scanning for vulnerabilities in third-party libraries
  • Input Validation: Strict validation and sanitization of all user inputs
  • API Security: Rate limiting, authentication, and request validation on all endpoints
  • Regular Updates: Prompt patching of security vulnerabilities
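Of the items above, rate limiting is the one whose behaviour is easy to make concrete. The following is an added example, not InGauge's code: a per-client token-bucket limiter replayed over a constructed request timeline, showing a burst being allowed up to the bucket size, further requests in the same instant being refused, and capacity returning as the bucket refills. Bucket size, refill rate and the sample requests are assumptions.

```python
"""Added example (not InGauge's code): per-client token-bucket rate limiting
of the kind the "API Security" item refers to.  Capacity, refill rate and the
request timeline are constructed for this example."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenBucketLimiter:
    capacity: int = 5                  # assumed burst allowance per client
    refill_per_second: float = 1.0     # assumed sustained request rate
    # client key -> (tokens remaining, timestamp of last update)
    _buckets: Dict[str, Tuple[float, float]] = field(default_factory=dict)

    def allow(self, client_key: str, now: Optional[float] = None) -> bool:
        """Credit refill since the last update, then spend one token if available."""
        now = time.time() if now is None else now
        tokens, last = self._buckets.get(client_key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_second)
        if tokens >= 1.0:
            self._buckets[client_key] = (tokens - 1.0, now)
            return True
        self._buckets[client_key] = (tokens, now)
        return False


def replay(limiter: TokenBucketLimiter,
           requests: List[Tuple[float, str]]) -> List[Tuple[float, str, bool]]:
    """Run a (timestamp, client) timeline through the limiter, returning decisions."""
    return [(t, key, limiter.allow(key, now=t)) for t, key in requests]


def denied_per_client(decisions: List[Tuple[float, str, bool]]) -> Dict[str, int]:
    """Count refused requests per client; a useful signal for the audit log."""
    counts: Dict[str, int] = {}
    for _, key, ok in decisions:
        if not ok:
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed timeline: client-a bursts seven requests at t=0, client-b sends
# one at t=0.5, then client-a sends three more at t=2.0 after two seconds of refill.
SAMPLE_REQUESTS: List[Tuple[float, str]] = (
    [(0.0, "client-a")] * 7
    + [(0.5, "client-b")]
    + [(2.0, "client-a")] * 3
)


if __name__ == "__main__":
    limiter = TokenBucketLimiter(capacity=5, refill_per_second=1.0)
    for t, key, ok in replay(limiter, SAMPLE_REQUESTS):
        print(f"t={t:4.1f} {key:9s} {'allow' if ok else 'DENY'}")
    print(denied_per_client(replay(TokenBucketLimiter(), SAMPLE_REQUESTS)))
```

Keying the bucket per client (API key, user id, or source address, depending on the endpoint) is what makes the limit protect other users rather than the whole service; the denial counts are the sort of event a real-time monitoring pipeline would watch.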

Personnel Security

  • Background Checks: Security screening for all team members with data access
  • Security Training: Regular training on security best practices and threat awareness
  • Access Reviews: Periodic review and revocation of access privileges
  • Confidentiality: All employees sign strict confidentiality agreements

AI & Third-Party Security

  • AI Provider Agreements: Our AI partners are contractually prohibited from retaining or training on your conversations
  • Data Minimization: Only necessary data is shared with AI services to generate responses
  • Vendor Assessment: Security evaluation of all third-party services before integration
  • Data Processing Agreements: Binding agreements ensuring third parties protect your data

Incident Response

If Something Goes Wrong

We have a comprehensive incident response plan. In the event of a security incident:

  1. Immediate Response: Contain and assess the incident within hours
  2. Investigation: Determine scope, cause, and affected data
  3. Notification: Alert affected users within 72 hours
  4. Remediation: Fix vulnerabilities and restore secure operations
  5. Post-Mortem: Document lessons learned and improve defenses

Report a Vulnerability

We appreciate the security research community. If you discover a vulnerability in InGauge, please report it responsibly:

Please include detailed steps to reproduce the vulnerability. We commit to acknowledging reports within 48 hours and will work with you to address valid findings. We do not pursue legal action against good-faith security researchers.

Your Role in Security

Security is a partnership. Here's how you can help protect your account:

Use a Strong Password

Unique to InGauge, at least 12 characters

Keep Your Device Secure

Use device passcode, keep OS updated

Don't Share Credentials

Your account should only be accessed by you

Report Suspicious Activity

Contact us if something seems wrong

Questions About Security?

We're happy to discuss our security practices in more detail.