Security Policy

Your security is of utmost importance to us at Connections. We are continuously working to protect our applications, our network, and, most importantly, the personal data and privacy of our users. This Security Policy outlines how you can report issues and what we do to maintain a secure platform.

User Safety and Reporting

If you encounter any problems with your account security or notice suspicious behavior from another user (for example, someone is attempting to phish your information or you suspect an account has been compromised), please let us know right away. You can contact us at connections@dating-universe.com for any security-related concerns, or use the in-app reporting tools for user-related issues. Our support team will respond as promptly as possible.

For general support or to report content or profiles that violate our policies (but are not necessarily technical security issues), you can also reach out through our Support page or use the "Report" feature within the app on the relevant profile, chat, or Shot.

Content Integrity & Automated Safety

With the introduction of Shots (public posts), Connections employs additional security measures to protect our community at scale:

  • Automated Content Scanning: All Shots are processed through AI-based content safety systems that detect nudity, violence, hate speech, spam, and other prohibited content before and after publication.
  • Synthetic Media Detection: We employ detection systems to identify AI-generated deepfakes, face-swaps, and manipulated media to protect users from deceptive content.
  • Spam & Manipulation Prevention: Automated systems detect and prevent coordinated manipulation, bot activity, and artificial engagement inflation on Shots and the Discover feed.
  • Rate Limiting & Abuse Prevention: We implement rate limits on Shots posting, reporting, and other actions to prevent automated abuse.

Our Commitment to Application Security

Connections considers the security of our platform and the privacy of user data to be extremely important. We have implemented industry-standard measures and continue to update our practices to address the evolving landscape of cyber threats. However, no system is infallible, so we also rely on the goodwill and vigilance of the security community to help us fortify our defenses.

Compliance posture: For a detailed breakdown of how Connections aligns with SOC 2, ISO 27001, NIST 800-53, GDPR, CCPA, DPDPA and PCI DSS, see our Trust & Compliance page.

Key aspects of our security approach include:

  • End-to-End Encryption: Direct messages use the Signal Protocol (X3DH key agreement + Double Ratchet) implemented via libsodium. Only sender and recipient can read message content — Connections servers never see plaintext. Local message storage is encrypted with SQLCipher (AES-256).
  • Data Encryption in Transit + at Rest: All client–server traffic uses TLS 1.2+. Sensitive data is hashed (passwords) or encrypted (databases, S3 buckets) at rest. HMAC-SHA256 signs every API request with replay protection via timestamp window + Redis nonce store.
  • Secure Infrastructure: Our servers are hosted in secure environments with strong firewall and intrusion detection systems. We regularly update our software and systems to patch vulnerabilities. NoSQL-injection and XSS protections are applied at the request layer for every endpoint.
  • Access Controls + Role-Based Audit: Production access is gated by Google / Facebook OAuth with a MongoDB allowlist. We operate a four-tier RBAC (superadmin, auditor, admin, viewer) with separation of duties — auditors can review the audit trail but cannot modify user data.
  • Tamper-Evident Audit Logs: Every privileged admin action is recorded in a SHA-256 hash-chained audit log with prevHash + entryHash for cryptographic non-repudiation. Modifying past entries breaks the chain — detected by automated daily verification. Sealed copies are written to AWS S3 Object Lock in COMPLIANCE mode for 7 years.
  • Monitoring and Auditing: Our technical team monitors for unusual activities or potential attacks. Alerting checks run every 60 seconds for burst-deletions, failed-login bursts, PII fishing, and chain integrity breaks. We use automated tools as well as manual reviews to catch anomalies. Regular security audits and penetration tests are conducted to assess our systems.
  • Automated Content Safety: Image uploads pass through NudeNet (NSFW), age estimation ML, and AI text moderation (Google Gemini / OpenAI) before reaching public surfaces. NSFW detection in chat runs on-device, so the server never sees decrypted media.
  • Incident Response: In the unlikely event of a data breach or security incident, we have an incident response plan in place. Users will be notified within 72 hours per GDPR Art. 33, CCPA §1798.82, and DPDPA §8(6) timing requirements, and we will take immediate action to mitigate the issue and prevent future occurrences, in compliance with applicable laws and regulations.
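The request-signing scheme named above (HMAC-SHA256 over each API request, with a timestamp window and a nonce store for replay protection) is shown below as an added example; it is not Connections' code. The canonical string layout, the header names, the 300-second window and the in-memory stand-in for the Redis nonce store are all assumptions made for the example.

```python
"""Added example (not Connections' code): HMAC-SHA256 request signing with
timestamp-window and nonce-based replay protection. An in-memory dict stands
in for the Redis nonce store; secret, window, header names and the canonical
message layout are assumptions."""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 300  # assumed acceptance window: +/- 5 minutes of clock skew
SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed per-client shared secret


def canonical_string(method, path, body, timestamp, nonce):
    # Every signed field is joined with an unambiguous separator so a field
    # boundary cannot be shifted; the body is hashed so large bodies stay cheap.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: returns the headers carrying timestamp, nonce and signature."""
    ts = int(time.time()) if timestamp is None else timestamp
    n = secrets.token_hex(16) if nonce is None else nonce
    sig = hmac.new(secret, canonical_string(method, path, body, ts, n), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": n, "X-Signature": sig}


class NonceStore:
    """Stand-in for a Redis nonce store (SET NX with a TTL in production)."""

    def __init__(self):
        self._seen = {}  # nonce -> expiry time (unix seconds)

    def add_if_new(self, nonce, now, ttl):
        # Drop expired entries, then refuse any nonce seen within its TTL.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now + ttl
        return True


def verify_request(secret, store, method, path, body, headers, now=None):
    """Server side: returns (ok, reason).

    Order matters: the signature is checked first so an unauthenticated caller
    cannot burn nonces or learn anything about the window, then freshness, then
    the nonce (which is only recorded once the request is otherwise valid).
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    expected = hmac.new(secret, canonical_string(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if abs(now - ts) > WINDOW_SECONDS:
        return False, "timestamp outside window"
    # A nonce only needs to be remembered while its timestamp could still be accepted.
    if not store.add_if_new(nonce, now, 2 * WINDOW_SECONDS):
        return False, "replayed nonce"
    return True, "ok"
```

The nonce TTL is tied to the timestamp window: once a request's timestamp can no longer pass the freshness check, its nonce can be forgotten, which keeps the store bounded without weakening replay protection.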
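The tamper-evident audit log and the chain-integrity check mentioned above (prevHash + entryHash, verified on a schedule) are illustrated here with an added example that is not Connections' code. The entry fields, the JSON canonicalisation, the all-zero genesis hash and the sample admin actions are constructed for the example.

```python
"""Added example (not Connections' code): a SHA-256 hash-chained audit log with
prevHash/entryHash fields and the verification pass a scheduled integrity job
would run. Field names, canonical encoding and sample data are assumptions."""
import hashlib
import json

GENESIS_HASH = "0" * 64  # assumed sentinel used as prevHash of the first entry


def _canonical(fields):
    # Deterministic encoding: sorted keys and fixed separators, so the same
    # entry always hashes identically regardless of dict ordering or whitespace.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def compute_entry_hash(entry):
    """Hash every field except entryHash itself; prevHash is included, which links the chain."""
    fields = {k: v for k, v in entry.items() if k != "entryHash"}
    return hashlib.sha256(_canonical(fields)).hexdigest()


def append_entry(log, actor, action, target, ts):
    """Record a privileged action, linking it to the previous entry's hash."""
    prev_hash = log[-1]["entryHash"] if log else GENESIS_HASH
    entry = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "prevHash": prev_hash,
    }
    entry["entryHash"] = compute_entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (ok, first_bad_seq).

    Catches an edited entry (its entryHash no longer matches), a deleted or
    reordered entry (seq gap), and a re-hashed edit (the next entry's prevHash
    no longer matches). Rewriting the entire chain from the edit onwards would
    pass this check, which is why an independently sealed copy (the policy's
    S3 Object Lock copies) is compared against as well.
    """
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return False, i
        if entry.get("prevHash") != expected_prev:
            return False, i
        if compute_entry_hash(entry) != entry.get("entryHash"):
            return False, i
        expected_prev = entry["entryHash"]
    return True, None


def build_sample_log():
    # Constructed sample of privileged admin actions (fixed timestamps so the
    # chain is reproducible).
    log = []
    append_entry(log, "admin:alice", "user.suspend", "user:1001", 1700000000)
    append_entry(log, "admin:bob", "user.unsuspend", "user:1001", 1700000600)
    append_entry(log, "auditor:carol", "audit.export", "range:2023-11", 1700001200)
    return log
```

A scheduled job would load the live log, run verify_chain, and then compare the last entryHash against the most recent sealed copy; a mismatch in either check is the "chain integrity break" alert the policy describes.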

Reporting Security Vulnerabilities (Vulnerability Disclosure Program)

We greatly appreciate the contributions of independent security researchers and our user community who help us identify and fix security vulnerabilities. If you discover a potential security vulnerability or flaw in any of Connections's applications, systems, or websites, we encourage you to report it to us in a responsible manner.

Please email details of the suspected vulnerability to connections@dating-universe.com with the subject line "Security Vulnerability Report". In your report, include:

  • A description of the issue and its potential impact.
  • Detailed steps to reproduce the issue (proof of concept code or screenshots are welcome, if applicable).
  • The date and time when you discovered the issue.
  • Your contact information (especially if you are open to us reaching out for further clarification).

Our security team pledges to review your report promptly. We ask that you give us a reasonable opportunity to investigate and address the vulnerability before you share any information publicly. Responsible disclosure means you avoid disclosing the issue to others or exploiting it yourself. This protects our users and gives us a chance to fix things. We are committed to transparency and, after a fix or mitigation is in place, we can coordinate with you to publicly acknowledge the discovery if you desire credit.

To protect our users and services, we prohibit certain types of testing. Please do not engage in activities that could harm the experience or safety of our users, such as:

  • No testing that degrades our service (e.g., no Denial of Service (DoS) attacks or deliberate attempts to crash the service).
  • No use of automated scanners or tools that generate significant traffic or could access user data. These can be indistinguishable from malicious attacks and may trigger our defenses.
  • Do not access or modify data that is not your own. If a vulnerability provides unintended access to data, report the situation without interacting further with that data.
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services.

We also kindly request that you do not publicly disclose the details of any potential security issue until we have had a chance to fix it. Premature disclosure could put users at risk. We believe in a collaborative approach - we will keep you informed about the fix progress and, if you're interested, involve you in any public announcement or credit for the discovery.

Recognition

We are grateful for those who help improve our security. While we do not have a formal bug bounty program with monetary rewards at this time, we do maintain a Hall of Fame to acknowledge researchers who have contributed valuable reports. If you report a valid significant security issue, with your permission we can add your name or alias to our Security Acknowledgements page as a thank you. In some cases, we may offer other tokens of appreciation, like swag or premium features, though these are at our discretion.

Legal Safe Harbor

We want researchers to feel comfortable reporting bugs to us. As long as your research and report are made in good faith and in accordance with this policy, we will consider it authorized conduct and we will not initiate legal action against you. We will work with you to understand and resolve the issue quickly, and Connections will not pursue or support any legal action related to your research. (This assurance does not apply to malicious or non-compliant activities beyond the scope of responsible testing.)

Continuous Improvement

Security is not a one-time effort. It's an ongoing process. Connections is committed to continuously improving our security measures. We stay updated on emerging threats, invest in new security technologies, and train our staff on security best practices. We also value your feedback - if you have suggestions or questions about our security measures, feel free to reach out.

Thank you for helping keep Connections safe. Together with our users and the security community, we aim to provide not just a fun and engaging platform, but also a secure and trustworthy space for everyone.