PrepXam

Legal

Data security policy

How we protect personal data in PrepXam’s systems and operations.

Effective 30 March 2026 · Last updated 30 March 2026

This Data Security Policy describes high-level measures for the PrepXam service (com.prepxam.prep_xam). It should be read together with our Privacy policy and Data retention policy. Operational details may evolve as we improve our systems.

Contact (security reports): security@prepxam.app — replace with a monitored address before production.

1. Security objectives

We aim to protect personal data against unauthorised access, alteration, disclosure, or destruction, and to maintain the availability and integrity of the PrepXam service. No method of transmission or storage is 100% secure; we continuously work to improve our posture.

2. Encryption and transport

  • In transit: client apps communicate with our APIs over TLS (HTTPS). Unencrypted HTTP should not be used in production for app traffic.
  • At rest: we use industry-standard encryption for databases, backups, and volumes where supported by our cloud providers.

3. Authentication & access control

  • User sign-in uses email OTP and issued tokens; credentials are not stored in recoverable plaintext where password-style secrets apply.
  • Administrative and production access is limited to authorised personnel on a need-to-know basis, with separate credentials and least-privilege roles where feasible.
  • API access for the mobile app is protected with client and user authentication mechanisms designed to reduce unauthorised use.

4. Infrastructure & hosting

We rely on reputable cloud and managed service providers for hosting, databases, and supporting services. We select providers that offer appropriate physical and network security controls and contractual commitments; we configure services following good practices (network isolation, access logging where applicable).

5. Monitoring & incident response

  • We monitor systems for errors, abuse, and anomalies as appropriate to our scale.
  • If we become aware of a breach affecting personal data, we will assess impact and notify affected users and regulators where required by applicable law.

6. Development & deployment

We follow secure development practices appropriate to our team size, including code review where practicable, dependency updates, and separation of development and production environments. Production secrets are not embedded in client apps in plain form beyond what is necessary for public client identifiers.

7. Your responsibilities

Keep your device OS updated, do not share OTP codes, and use official PrepXam builds from Google Play. Report suspected vulnerabilities to the security contact above.

8. Changes

We may update this policy as our architecture or standards evolve; check the “Last updated” date when reviewing.

Review with legal counsel and align with your actual hosting, encryption, and incident procedures before Play submission.