SECURITY AT CALMA
Last updated: May 2026
Your mental health data deserves the highest level of protection.
Here is exactly what we do to keep it safe.
ENCRYPTION
Data at rest:
All data stored in our database is encrypted using AES-256
encryption — the same standard used by banks and government
institutions.
Data in transit:
All communication between the Calma app and our servers uses
TLS 1.3 — the latest and most secure transport layer encryption
protocol available.
INFRASTRUCTURE
Calma's backend is built on Supabase — a SOC 2 Type II certified
cloud infrastructure provider. Supabase undergoes regular
independent security audits.
Data centres: US-based (AWS us-east-1 region).
Uptime SLA: 99.9%.
Automatic backups: daily, with 30-day retention.
AUTHENTICATION
• All accounts are protected by email + password authentication
- Passwords are hashed using bcrypt (never stored in plain text)
- Session tokens expire after 30 days of inactivity
- Optional: we are building biometric authentication
(Face ID / fingerprint) for a future update
AI DATA HANDLING (CLAUDE API)
When you submit a daily check-in, only your anxiety level (a
number 1–10) and worry category (a general label like "breathing"
or "heart") are sent to the Anthropic Claude API.
We never send:
- Your name
- Your email address
- Your exact journal entries
- Any identifying information
Anthropic's API is used under their enterprise privacy terms.
AI-generated responses are not stored or used to train AI models.
WHAT WE NEVER DO
✗ We never sell your data to any third party
✗ We never share your data with insurance companies
✗ We never share your data with employers
✗ We never share your data with healthcare providers without
your explicit consent
✗ We never use your mental health data for advertising
VULNERABILITY DISCLOSURE
If you discover a security vulnerability in Calma, please
report it responsibly to:
security@calmaapp.com
We will acknowledge receipt within 48 hours and provide a
resolution timeline. We do not pursue legal action against
good-faith security researchers.
SECURITY UPDATES
We push security patches as soon as vulnerabilities are
identified — without waiting for scheduled release cycles.
All users are notified of security-related app updates.
CONTACT
Security issues: security@calmaapp.com
General privacy: privacy@calmaapp.com
General enquiries: hello@calmaapp.com
Calma / kriva.studio / LasyaAitech

