Your trust is our foundation. We use industry-standard cryptography and privacy-first architecture so the data that would matter to an attacker is either encrypted to a key only your device holds, or never collected in the first place.
Hosted on infrastructure with a 99.9% uptime SLA. Cloudflare CDN delivers static assets and tile downloads from edge locations close to you, so map data keeps working even when the primary data plane is busy.
In transit: TLS 1.3 for all API traffic. At rest on our servers: AES-256. End-to-end for sync: pin and waypoint blobs are encrypted with a key derived on your device — we can't read them, even with full access to the database.
Concrete primitives, not marketing: TLS 1.3, AES-GCM-256, bcrypt at cost factor 12, JWT with 15-minute expiration, account lockout after 5 failed attempts. No formal certifications — just consistent application of widely-reviewed standards.
Static assets and map tile downloads served from Cloudflare's global edge network. The primary data plane runs in a single DigitalOcean region.
Docker containers with minimal base images and per-service network isolation.
Private network between services, firewall at the host boundary, only the public API surface exposed to the internet.
Encrypted database backups with point-in-time recovery managed by the hosting provider.
AES-256 encryption for all stored data including databases and file systems
TLS 1.3 for all API communications and data transfers
Auth credentials and personal data encrypted locally on your device using AES-GCM-256, protecting against malware and unauthorized access
Server-side secrets stored in environment-isolated vaults with periodic rotation. Device encryption keys are generated on-device and are non-extractable from the OS keystore.
Only collect and store data essential for service delivery
AES-GCM-256 with a non-extractable hardware-backed key protects your personal information locally
Beyond encrypting data in transit and on our servers, Keryx Maps encrypts your sensitive information directly on your device. This means even if your device is compromised, your personal data remains protected.
Most apps store your login tokens and personal data as plain text on your device. If malware or an unauthorized user gains access to your device's storage, they can steal your credentials and personal information. With Keryx Maps, all sensitive data is encrypted using a hardware-backed key that cannot be extracted — even with direct access to the device's file system, your data remains unreadable.
We do not hold formal security certifications — the audit overhead and recurring cost don't fit a consumer app at our stage. Instead, we apply widely-reviewed cryptographic primitives and comply with the privacy regulations that protect our users.
European Data Protection
EU and EEA users have access, rectification, erasure, portability, restriction, objection, and consent-withdrawal rights through our privacy request channel.
View Privacy Policy →
California Privacy Rights
California residents can exercise the right to know, delete, opt out of sale (we don't sell), and non-discrimination for exercising their rights.
View Privacy Policy →
All API and web traffic
At-rest server encryption
On-device + E2EE sync
Password hashing
Hosting provider uptime target
From upstream feed to push notification
User notification target after a confirmed personal-data incident
If you discover a security vulnerability or have concerns about our security practices, please report them responsibly. We take all security reports seriously and will investigate promptly.
support@keryxmaps.com
Subject: Security Disclosure
Within 24 hours
We appreciate responsible disclosure and will acknowledge all legitimate security reports.
Security isn't just a feature—it's the foundation of everything we do. When disasters strike, you need to trust that your safety system is secure, reliable, and always available.