Product-Specific Policy 1.0

DD Auth Security Policy

Last Updated: January 1, 2026

Important Notice

This is a product-specific policy. In case of any conflict between this policy and our Common Policies, this product-specific policy shall prevail for the applicable product.


1. Introduction

At DD, security is our top priority. This Security Policy outlines the security measures, practices, and controls we implement to protect your data across DD Auth Web Application (auth.duodev.in), DD Auth Mobile Application (in.duodev.auth), and DD Accounts (accounts.duodev.in).

2. Zero-Knowledge Architecture

DD Auth uses a zero-knowledge architecture where:
• We never see your plaintext data - All vault data is encrypted before leaving your device
• You control the encryption keys - Keys are derived from your master password
• Server stores only encrypted blobs - Even database administrators cannot read your data
• No backdoors - There is no way for us or anyone to decrypt your data without your master password

3. End-to-End Encryption (E2EE)

All vault data is encrypted using industry-standard algorithms:
• Vault Encryption: AES-256-GCM (256-bit key)
• Key Derivation: PBKDF2-SHA256 (256-bit output)
• Nonce Generation: CSPRNG (96-bit / 12 bytes)
• Salt Generation: CSPRNG (128-bit / 16 bytes)

Key Derivation Flow:
1. User Master Password → PBKDF2 (100,000 iterations) with Master Salt → Master Key (256-bit)
2. Master Key → PBKDF2 (10,000 iterations) with Item Salt → Item Key (256-bit)
3. Item Key → AES-256-GCM with Nonce → Encrypted Payload + Auth Tag

4. What We Store

Encrypted (Cannot Access):
• Vault items (passwords, TOTP, notes) - AES-256-GCM encrypted
• Key Verifier - Encrypted hash

Not Encrypted (Can See, But Useless Without Keys):
• Master Salt - Random value, useless without the password
• Nonce (per item) - Random value, useless without key
• Item Salt (per item) - Random value, useless without master key

Not Encrypted (Can Access):
• Metadata (titles, etc.) - For search functionality
• User profile

5. Transport Encryption

All data in transit is protected:
• TLS 1.3 - Latest transport layer security
• HTTPS Only - HTTP connections are redirected
• HSTS - HTTP Strict Transport Security enabled
• Certificate Pinning - Mobile app pins server certificates

6. Authentication Security

OAuth2/OpenID Connect:
• Authorization Code Flow - For web applications
• PKCE (Proof Key for Code Exchange) - For mobile and desktop apps
• State Parameter - CSRF protection for OAuth flows
• ID Token Validation - JWT signature verification

Token Security:
• Access Token: Memory/Secure Storage, 1 hour expiry
• Refresh Token: HTTP-only Cookie/Secure Storage, 30 days expiry
• ID Token: Memory, 1 hour expiry
• PKCE Verifier: Memory, Session duration

Multi-Factor Authentication:
• TOTP - Time-based One-Time Password
• Biometric - Fingerprint and face recognition (mobile)
• PIN Lock - Application-level PIN protection
• Hardware Keys - WebAuthn/FIDO2 (planned)

7. Mobile Application Security

Android:
• Android Keystore for cryptographic keys
• Encrypted Shared Preferences
• App integrity checks
• Secure window flag to prevent screenshots

iOS:
• iOS Keychain for sensitive data
• Secure Enclave for biometrics
• App Transport Security (ATS)
• Jailbreak detection

Code Security:
• Obfuscation - Code obfuscation for release builds
• No hardcoded secrets - All secrets in secure storage
• Certificate pinning - Prevents MITM attacks
• Integrity checks - Detects app tampering

8. Web Application Security

Security Headers:
• Content-Security-Policy: Strict CSP (Prevent XSS)
• X-Content-Type-Options: nosniff (Prevent MIME sniffing)
• X-Frame-Options: DENY (Prevent clickjacking)
• X-XSS-Protection: 1; mode=block (XSS filter)
• Referrer-Policy: strict-origin-when-cross-origin
• Permissions-Policy: Restricted

Input Validation:
• Server-side validation - All input validated on server
• Parameterized queries - SQL injection prevention
• Output encoding - XSS prevention
• CSRF protection - Token-based CSRF prevention

9. Rate Limiting

We implement rate limiting to prevent abuse:
• Login attempts: 5 per 15 minutes
• Password reset: 3 per 1 hour
• API requests: 100 per 1 minute
• Export requests: 3 per 1 hour

10. Vulnerability Management

Security Testing:
• Penetration testing - Annual third-party testing
• Vulnerability scanning - Automated scanning
• Code reviews - Security-focused code reviews
• Dependency auditing - Third-party library monitoring

Bug Bounty Program:
We welcome responsible security research. Report security issues to security@duodev.in.

Vulnerability Disclosure:
1. Report privately - Email security@duodev.in
2. Provide details - Steps to reproduce, impact assessment
3. Allow time - Give us 90 days before public disclosure
4. Don't exploit - Don't access user data or cause damage

11. Incident Response

Incident Classification:
• Critical (Active breach, data exposure): Immediate response
• High (Exploitable vulnerability): < 24 hours
• Medium (Potential security risk): < 72 hours
• Low (Minor security improvement): < 2 weeks

Response Process:
1. Detection - Identify and classify incident
2. Containment - Limit damage and exposure
3. Investigation - Determine cause and scope
4. Remediation - Fix vulnerability and recover
5. Notification - Inform affected users (if applicable)
6. Post-mortem - Document and learn from incident

Breach Notification:
In the event of a data breach, we will notify affected users within 72 hours, provide details of the breach, recommend protective actions, and notify regulatory authorities as required.

12. User Security Best Practices

Master Password:
• Length - Minimum 12 characters (16+ recommended)
• Complexity - Mix of uppercase, lowercase, numbers, symbols
• Uniqueness - Don't reuse passwords from other sites
• Memorability - Consider using a passphrase

Account Security:
• Enable two-factor authentication
• Use biometric unlock on mobile
• Review active sessions regularly
• Log out on shared devices

Device Security:
• Keep your OS and apps updated
• Use device encryption
• Set up device PIN/password
• Don't jailbreak/root your device

Backup Your Data:
• Export your vault regularly
• Store encrypted backups securely
• Test backup restoration

13. Contact Security Team

For security-related inquiries:
• Security Issues: security@duodev.in
• Bug Reports: security@duodev.in
• PGP Key: Available on request

Response time: Critical issues within 24 hours
