// SECURITY

Security

Last updated: 2026-04-28

FiftyCAL is built so the highest-value data — your recordings — never leaves your Mac. Cloud surface only handles the minimum needed for accounts, leaderboards, and license activation.

How recordings are stored

• Sessions live in ~/Documents/Scope/ on your Mac. We can't read them.
• Audio for transcription goes to OpenAI Whisper and is processed under their DPA.
• Hardscope video frames go to Google Gemini for summarization. The video itself is not retained.
• The Mac app never uploads your transcript or screen recording to our cloud surface.

Authentication

• Passwords hashed with argon2id (m=64MiB, t=3, p=1, OWASP minimum 2024). Plaintext is never persisted.
• Session tokens are 32 random bytes, hashed with SHA-256 at rest. The raw token only lives in your Mac's Keychain (service com.avk.scope.session).
• Optional 2-factor authentication via TOTP. Secret encrypted at rest with AES-GCM, with a server-side pepper.
• Refresh tokens rotate on use. A leaked refresh token gets revoked the moment a new one is issued.

License keys

Licenses are signed Ed25519 payloads. Your Mac verifies the signature offline against an embedded public key, so the app keeps working when you're offline. Revocation is enforced server-side at activation time.

Transport

Every cloud call is HTTPS (TLS 1.2+). HSTS enforced on fiftycal.app. Cloudflare provides DDoS protection and edge WAF rules.

App distribution

• FiftyCAL.app is signed by an Apple Developer ID Application certificate.
• Notarized by Apple before each release. Gatekeeper accepts without prompts.
• Updates served via Sparkle 2 with EdDSA-signed appcast — the app verifies the update signature before applying it.

Reporting a vulnerability

Please email security@fiftycal.app with details. We respond within 48 hours and publish a fix timeline. We do not currently run a paid bug bounty but credit researchers in the release notes.