Our principles
- Collect the minimum data we need to run the app.
- Encrypt data in transit and at rest.
- Use battle-tested vendors for the things we don't specialize in.
- Give people clear control over their own data.
- Improve security continuously, not just at audit time.
Encrypted HTTPS traffic
All connections between your device and Untangle are served over HTTPS using modern TLS. HTTP traffic is automatically redirected to HTTPS. Internal service-to-service traffic uses TLS as well.
Secure authentication
Authentication is handled by a managed provider that uses industry standard practices: salted password hashing, secure session tokens, and protections against brute-force and credential-stuffing attacks. We never see or store your raw password.
Stripe handles payment processing
All payments are processed by Stripe, a PCI-DSS Level 1 certified payment provider. Your card details are entered in a Stripe-hosted UI and tokenized at the source — they are never transmitted through or stored on Untangle's servers. We only receive non-sensitive metadata such as plan, subscription status, and a customer ID.
Webhook signature verification
Subscription state is kept in sync via signed Stripe webhooks. Every webhook request is verified against a shared signing secret before it is allowed to update any user record. Requests with missing or invalid signatures are rejected.
Least-privilege access
Internal access to production systems is limited to the people who need it, protected by strong authentication, and scoped to the minimum permissions required. Database access is governed by row-level security policies so that users can only read and write their own data.
Storage and backups
Data is stored in managed databases provided by reputable cloud infrastructure providers, with disk-level encryption at rest and regular automated backups. Backups are encrypted and access to them is restricted.
Monitoring
We monitor application logs, error reports, and infrastructure health. Suspicious patterns and authentication anomalies trigger alerts so we can respond quickly.
Ongoing security improvements
Security is continuous, not a checkbox. We review dependencies, patch known vulnerabilities, evolve our access controls, and revisit our security posture as Untangle grows. If we ever experience a breach that affects you, we will notify you and the relevant authorities as required by law.
Responsible disclosure
If you've found a security issue in Untangle, we'd genuinely appreciate your help. Please email support@untanglely.com with a clear description and reproduction steps. Please don't publicly disclose the issue until we've had a reasonable chance to fix it.
We commit to acknowledging reports promptly, keeping you informed while we investigate, and crediting researchers who help us improve — unless you'd prefer to stay anonymous.