SECURITY AT CALMA

Last updated: May 2026

Your mental health data deserves the highest level of protection.

Here is exactly what we do to keep it safe.

ENCRYPTION

Data at rest:

All data stored in our database is encrypted using AES-256

encryption — the same standard used by banks and government

institutions.

Data in transit:

All communication between the Calma app and our servers uses

TLS 1.3 — the latest and most secure transport layer encryption

protocol available.

INFRASTRUCTURE

Calma's backend is built on Supabase — a SOC 2 Type II certified

cloud infrastructure provider. Supabase undergoes regular

independent security audits.

Data centres: US-based (AWS us-east-1 region).

Uptime SLA: 99.9%.

Automatic backups: daily, with 30-day retention.

AUTHENTICATION

• All accounts are protected by email + password authentication

  • Passwords are hashed using bcrypt (never stored in plain text)
  • Session tokens expire after 30 days of inactivity
  • Optional: we are building biometric authentication

(Face ID / fingerprint) for a future update

AI DATA HANDLING (CLAUDE API)

When you submit a daily check-in, only your anxiety level (a

number 1–10) and worry category (a general label like "breathing"

or "heart") are sent to the Anthropic Claude API.

We never send:

  • Your name
  • Your email address
  • Your exact journal entries
  • Any identifying information

Anthropic's API is used under their enterprise privacy terms.

AI-generated responses are not stored or used to train AI models.

WHAT WE NEVER DO

✗ We never sell your data to any third party

✗ We never share your data with insurance companies

✗ We never share your data with employers

✗ We never share your data with healthcare providers without

your explicit consent

✗ We never use your mental health data for advertising

VULNERABILITY DISCLOSURE

If you discover a security vulnerability in Calma, please

report it responsibly to:

security@calmaapp.com

We will acknowledge receipt within 48 hours and provide a

resolution timeline. We do not pursue legal action against

good-faith security researchers.

SECURITY UPDATES

We push security patches as soon as vulnerabilities are

identified — without waiting for scheduled release cycles.

All users are notified of security-related app updates.

CONTACT

Security issues: security@calmaapp.com

General privacy: privacy@calmaapp.com

General enquiries: hello@calmaapp.com

Calma / kriva.studio / LasyaAitech

https://lasyaaitech.com