Your Data Is Protected

Data Security Policy

Technical and organizational measures Aneutral implements to protect your personal data.

Effective Date: April 1, 2026 · Last Updated: April 4, 2026

1. Encryption in Transit

All data transmitted between your device and Aneutral's servers is encrypted using HTTPS/TLS. This applies to all communications, including:

  • Authentication token exchange.
  • Profile data transmission.
  • Photo uploads and downloads (via presigned S3 URLs).
  • Messaging (via Stream Chat).
  • All API requests to Aneutral's backend.

No data is transmitted in plaintext. All endpoints enforce TLS and reject unencrypted connections.

2. Encryption at Rest

Database (DynamoDB)

All data stored in our primary database (Amazon DynamoDB) is encrypted at rest using AWS-managed encryption keys. This covers all user data, profile data, verification records, match records, block and report records, subscription data, and device tokens.

File Storage (S3)

All files stored in Amazon S3, including user photos and media, are protected by:

  • Server-side encryption (SSE-S3): All objects are encrypted at rest using S3-managed keys.
  • Block all public access: The S3 bucket is configured to block all public access. No files are publicly accessible.
  • Per-user prefix: Photos are stored under a per-user prefix (users/{userId}/) to enforce logical isolation.
  • Presigned URLs only: All file access is through authenticated, time-limited presigned URLs.

3. Photo and Media Security

User photos and media files are stored in Amazon S3 with the following protections:

  • Block all public access enabled at the bucket level.
  • Server-side encryption (SSE-S3) for all stored objects.
  • Per-user prefix isolation (users/{userId}/).
  • Presigned URLs with limited validity periods for all access.
  • Lifecycle rules for automated cleanup of orphaned or expired objects.
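Sections 2 and 3 describe per-user prefixes and time-limited presigned URLs, but a prefix is only a naming convention: the isolation holds only if the service that issues presigned URLs refuses to sign a key outside the requesting user's own prefix. The following is an added example written for this page, not Aneutral's code, showing that check together with a capped URL lifetime and, for uploads, the SSE-S3 header signed into the URL. The bucket name, the 15-minute cap and the OfflineS3 stand-in client are assumptions; boto3 is imported only where a real URL is issued, so the authorization logic runs offline.

```python
"""Per-user prefix isolation for presigned S3 URLs.

Added example written for this page; it is not Aneutral's code. The bucket
name, the 15-minute lifetime cap and the OfflineS3 stand-in are assumptions.
boto3 is imported only inside presign_for_user(), so the authorization logic
runs and can be tested without AWS credentials.
"""

BUCKET = "example-user-media"      # assumption: placeholder bucket name
PREFIX_ROOT = "users"              # page: objects live under users/{userId}/
MAX_TTL_SECONDS = 15 * 60          # assumption: never sign a URL for longer than this


def user_prefix(user_id: str) -> str:
    """Prefix the caller may touch. A user id containing '/' or consisting of
    dots could point the prefix somewhere else, so reject it up front."""
    if not user_id or "/" in user_id or user_id in (".", ".."):
        raise ValueError("invalid user id")
    return f"{PREFIX_ROOT}/{user_id}/"


def authorize_key(user_id: str, key: str) -> str:
    """Allow only keys strictly inside users/{user_id}/ with clean path segments.

    S3 treats keys as opaque strings and does not resolve '..', but a backend
    that later copies objects to disk or builds keys from user input might; a
    key that even looks like a traversal is never legitimate here, so refuse it.
    """
    prefix = user_prefix(user_id)
    if any(seg in ("", ".", "..") for seg in key.split("/")):
        raise PermissionError(f"malformed key: {key!r}")
    if not key.startswith(prefix):
        raise PermissionError(f"key {key!r} is outside {prefix!r}")
    return key


def key_allowed(user_id: str, key: str) -> bool:
    """Boolean wrapper around authorize_key(), handy for tests and logging."""
    try:
        authorize_key(user_id, key)
        return True
    except (ValueError, PermissionError):
        return False


def build_presign_request(user_id: str, key: str, method: str = "GET",
                          ttl_seconds: int = MAX_TTL_SECONDS) -> dict:
    """Keyword arguments for the boto3 S3 client's generate_presigned_url()."""
    authorize_key(user_id, key)
    if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError(f"ttl must be 1..{MAX_TTL_SECONDS} seconds")
    params = {"Bucket": BUCKET, "Key": key}
    if method == "GET":
        client_method = "get_object"
    elif method == "PUT":
        client_method = "put_object"
        # Signing this parameter makes x-amz-server-side-encryption a signed
        # header: an upload that omits it fails the signature check, so SSE-S3
        # cannot be skipped even if the bucket's default encryption is removed.
        params["ServerSideEncryption"] = "AES256"
    else:
        raise ValueError("only GET and PUT are presigned")
    return {"ClientMethod": client_method, "Params": params,
            "ExpiresIn": ttl_seconds, "HttpMethod": method}


class OfflineS3:
    """Stand-in for the boto3 client so the demo runs offline; it signs nothing."""

    def generate_presigned_url(self, ClientMethod, Params, ExpiresIn, HttpMethod=None):
        return (f"https://{Params['Bucket']}.s3.amazonaws.com/{Params['Key']}"
                f"?X-Amz-Expires={ExpiresIn}&client_method={ClientMethod}")


def presign_for_user(user_id: str, key: str, method: str = "GET",
                     ttl_seconds: int = MAX_TTL_SECONDS, s3=None) -> str:
    """Issue a presigned URL for `key` only if it belongs to `user_id`."""
    request = build_presign_request(user_id, key, method, ttl_seconds)
    if s3 is None:
        import boto3  # lazy: a real client only where a URL is actually issued
        s3 = boto3.client("s3")
    return s3.generate_presigned_url(**request)


if __name__ == "__main__":
    s3 = OfflineS3()
    print(presign_for_user("alice", "users/alice/photo.jpg", "PUT", 300, s3=s3))
    for key in ("users/bob/photo.jpg", "users/alice/../bob/photo.jpg", "users/alice/"):
        print(key, "->", "allowed" if key_allowed("alice", key) else "rejected")
```

The user id must come from the verified token, never from the request body; the key check is what turns "per-user prefix" into an actual access boundary, and the short ExpiresIn limits how long a leaked URL stays useful.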

4. Biometric and Verification Data Security

Identity and age verification is handled by Sumsub, which maintains SOC 2 Type II and ISO 27001 certifications. Sumsub processes government-issued identification documents and facial imagery for liveness detection and identity confirmation.

AWS Rekognition is used for face comparison (verifying that profile photos depict the account holder) and for image moderation. Facial imagery is processed in real time by Rekognition — Aneutral does not maintain a persistent facial recognition database.

Verification records stored in DynamoDB are encrypted at rest using AWS-managed encryption keys.

5. Messaging Security

In-app messaging is provided by Stream Chat. Messages are encrypted in transit (TLS) and encrypted at rest by Stream.

Important: Messages are not end-to-end encrypted. Stream can access message content to provide the messaging service and for moderation purposes. Aneutral's moderation processes also analyze messages for guideline violations.

We advise against sharing sensitive personal information (financial account numbers, government ID numbers, passwords) through the messaging feature.

6. Authentication and Access Controls

User Authentication

Aneutral uses phone-based one-time passcode (OTP) authentication via AWS Cognito's CUSTOM_CHALLENGE (custom authentication) flow, with email as an optional fallback delivery channel. No passwords are stored or transmitted.
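The Cognito custom authentication flow is driven by three Lambda triggers: DefineAuthChallenge decides whether to issue tokens, fail, or challenge again; CreateAuthChallenge generates and delivers the passcode; VerifyAuthChallengeResponse checks the answer. The following is an added example written for this page, not Aneutral's code, using the documented Cognito event shapes. The attempt limit, code length, the challengeMetadata convention and the SMS sender are assumptions; simulate_login() stands in for Cognito itself so the whole flow runs offline.

```python
"""AWS Cognito custom authentication (CUSTOM_CHALLENGE) OTP triggers.

Added example written for this page; it is not Aneutral's code. The three
handlers follow the documented Cognito trigger event shapes. The attempt
limit, code length, metadata tag and SMS sender are assumptions.
"""
import hmac
import secrets

MAX_ATTEMPTS = 3        # assumption: the session fails after three wrong codes
OTP_DIGITS = 6          # assumption
CHALLENGE = "CUSTOM_CHALLENGE"
META_TAG = "OTP-"       # challengeMetadata is visible to the triggers only, never to the client


def generate_otp() -> str:
    """CSPRNG-backed, zero-padded decimal code."""
    return str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)


def define_auth_challenge(event: dict) -> dict:
    """Decide from the session history: tokens, failure, or another challenge."""
    session = event["request"]["session"]
    resp = event["response"]
    resp["issueTokens"] = False
    resp["failAuthentication"] = False
    if any(s.get("challengeName") != CHALLENGE for s in session):
        resp["failAuthentication"] = True       # unexpected challenge type: fail closed
    elif session and session[-1].get("challengeResult") is True:
        resp["issueTokens"] = True               # last answer was verified
    elif len(session) >= MAX_ATTEMPTS:
        resp["failAuthentication"] = True       # too many wrong codes
    else:
        resp["challengeName"] = CHALLENGE       # ask for (another) code
    return event


def create_auth_challenge(event: dict, send_sms) -> dict:
    """Mint a code on the first round; re-use it on retries so one SMS covers the session."""
    session = event["request"]["session"]
    prior = session[-1].get("challengeMetadata", "") if session else ""
    if prior.startswith(META_TAG):
        code = prior[len(META_TAG):]
    else:
        code = generate_otp()
        send_sms(event["request"]["userAttributes"]["phone_number"], code)
    resp = event["response"]
    resp["publicChallengeParameters"] = {"delivery": "sms"}   # returned to the client
    resp["privateChallengeParameters"] = {"answer": code}     # server side only
    resp["challengeMetadata"] = META_TAG + code
    return event


def verify_auth_challenge_response(event: dict) -> dict:
    """Constant-time comparison so timing does not leak how many digits matched."""
    expected = event["request"]["privateChallengeParameters"]["answer"]
    given = str(event["request"].get("challengeAnswer") or "")
    event["response"]["answerCorrect"] = hmac.compare_digest(expected.encode(), given.encode())
    return event


def simulate_login(attempts, phone="+15555550100"):
    """Drive the triggers the way Cognito chains them (constructed user, offline).

    Each item in `attempts` is the string the client would send, or None meaning
    "the code that was actually texted". Returns (outcome, sms_count) where
    outcome is TOKENS, FAILED or PENDING.
    """
    sent, session, queue = [], [], list(attempts)
    while True:
        d = define_auth_challenge({"request": {"session": list(session)}, "response": {}})["response"]
        if d["issueTokens"]:
            return "TOKENS", len(sent)
        if d["failAuthentication"]:
            return "FAILED", len(sent)
        if not queue:
            return "PENDING", len(sent)
        c = create_auth_challenge(
            {"request": {"userAttributes": {"phone_number": phone}, "session": list(session)},
             "response": {}},
            lambda number, code: sent.append(code))
        attempt = queue.pop(0)
        answer = sent[-1] if attempt is None else attempt
        v = verify_auth_challenge_response(
            {"request": {"privateChallengeParameters": c["response"]["privateChallengeParameters"],
                         "challengeAnswer": answer}, "response": {}})
        session.append({"challengeName": CHALLENGE,
                        "challengeResult": v["response"]["answerCorrect"],
                        "challengeMetadata": c["response"]["challengeMetadata"]})


if __name__ == "__main__":
    print(simulate_login([None]))                 # ('TOKENS', 1)
    print(simulate_login(["x", "y", None]))       # ('TOKENS', 1)
    print(simulate_login(["x", "y", "z", None]))  # ('FAILED', 1)
```

Two points matter here: the code lives in privateChallengeParameters and challengeMetadata, which Cognito never returns to the client, and the attempt cap is enforced in DefineAuthChallenge from the session history rather than trusted to the client.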

Token Security

  • Access tokens and ID tokens are valid for 1 hour.
  • Refresh tokens are valid for 30 days.
  • All API operations require a valid, unexpired JWT (JSON Web Token) issued by Cognito.

Multi-Factor Authentication

MFA is available as an optional additional security measure. Users can enable MFA through their account settings.

No Social Login

Aneutral does not support social login (Google, Apple, Facebook). This is a deliberate design decision to limit the number of third parties with access to your authentication credentials.

Server-Side Access Controls

All backend operations run on AWS Lambda with IAM-based access controls. Each function has only the minimum permissions required to perform its task.

7. Operational Logs

Aneutral uses AWS CloudWatch for operational logging. Logs are used for debugging, error resolution, and security monitoring. Personally identifiable information (PII) may appear briefly in operational logs from authentication and moderation operations.

  • Access to logs is restricted to authorized personnel only.
  • Log retention is time-limited with automated cleanup.
  • We are actively minimizing PII in production logs.
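One way to minimize PII in logs is to redact it in the logging pipeline before any handler writes to CloudWatch, rather than relying on every call site to remember. The following is an added example written for this page, not Aneutral's code: a logging.Filter that masks phone numbers and email addresses while keeping enough shape (last two digits, mail domain) for debugging. The regular expressions, the masking format and the logger name are assumptions, and the phone pattern deliberately errs toward over-redaction.

```python
"""Redacting PII from log records before they reach CloudWatch.

Added example written for this page; it is not Aneutral's code. The patterns,
mask format and logger name are assumptions.
"""
import logging
import re

# Assumptions: loose E.164-ish phone pattern (over-matching long digit runs is
# the safe direction) and a conventional email pattern.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact(text: str) -> str:
    """Mask phones and emails, keeping a little shape for debugging."""
    def mask_email(m):
        local, domain = m.group(0).rsplit("@", 1)
        return f"<email:{local[0]}***@{domain}>"

    def mask_phone(m):
        digits = re.sub(r"\D", "", m.group(0))
        return f"<phone:...{digits[-2:]}>"

    text = EMAIL_RE.sub(mask_email, text)   # emails first: local parts may contain digits
    return PHONE_RE.sub(mask_phone, text)


class PiiRedactingFilter(logging.Filter):
    """Rewrite the interpolated message in place; returning True keeps the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()   # already interpolated above; stop a second % formatting
        return True


class _Capture(logging.Handler):
    """In-memory handler so the demo can show what would have been written."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def render(message: str, *args) -> str:
    """Push one record through a filtered handler and return the emitted line.

    The filter is attached to the handler, not the logger: logger-level filters
    only see records logged directly on that logger, while a handler filter
    covers everything that propagates to it.
    """
    logger = logging.getLogger("example.redaction")   # assumption: demo logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _Capture()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PiiRedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    return handler.lines[0]


if __name__ == "__main__":
    # Constructed sample lines, typical of authentication and moderation events.
    print(render("OTP sent to %s for %s", "+15555550100", "jane.doe@example.com"))
    print(render("Verification failed for +1 (555) 555-0100"))
```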

8. Third-Party Security

Aneutral relies on trusted third-party providers with strong security certifications:

Provider | Purpose | Security Standards
AWS | Infrastructure (compute, database, storage, auth) | SOC 1/2/3, ISO 27001, FedRAMP, PCI DSS
Sumsub | Identity verification | SOC 2 Type II, ISO 27001
Stream | Messaging | SOC 2 Type II
Amplitude | Analytics | SOC 2 Type II
Sentry | Error monitoring | SOC 2 Type II
RevenueCat | Subscription management | SOC 2 Type II

We periodically review the security practices and certifications of our third-party providers.

9. Data Breach Notification

In the event of a confirmed data breach affecting personal data, Aneutral will:

  1. Investigate the scope and nature of the breach.
  2. Contain the breach to prevent further unauthorized access.
  3. Notify affected users within 72 hours of confirmation.
  4. Notify relevant regulatory authorities as required, including GDPR supervisory authorities and the Texas Attorney General.
  5. Provide details about what data was affected and what steps are being taken.
  6. Offer guidance on protective measures users can take.

10. Responsible Disclosure

If you discover a security vulnerability in Aneutral, we encourage you to report it responsibly. Please email info@aneutral.com with the following:

  • A description of the vulnerability.
  • Steps to reproduce the issue.
  • Any supporting evidence (screenshots, logs).

We ask that you:

  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.
  • Do not access or modify other users' data.
  • Allow a reasonable amount of time for us to address the issue before any public disclosure.

We will acknowledge receipt of your report and work to address confirmed vulnerabilities promptly.

11. What You Can Do

You can help protect your account and data by following these practices:

  • Use a unique, strong password for the email address associated with your account, since email is the fallback channel for sign-in codes.
  • Protect the phone number on your account: a carrier account PIN or port-out lock reduces the risk of SIM-swap attacks, which can redirect text-message passcodes to an attacker.
  • Enable multi-factor authentication (MFA) in your account settings.
  • Keep your device operating system and apps updated to the latest versions.
  • Never share one-time passcodes (OTPs) with anyone. Aneutral will never ask you for your OTP.
  • Report suspicious activity immediately through the in-app reporting feature or by emailing info@aneutral.com.
  • Be cautious with links received through messages. Do not click unfamiliar URLs.

12. Contact

If you have questions about our data security practices, contact us:

Aneutral LLC

5103 Wildwood Dr, Manvel, Texas 77578

Email: info@aneutral.com