security

security at mochi rests on three simple ideas: store as little as possible, protect what we do store with strong defaults, and assume that privacy is the product — not a feature.

• in transit — all traffic between your device and mochi is encrypted with TLS. nothing travels in the clear.
• at rest — your clips and account data are encrypted on disk where they're stored.
• tokens — sign-in tokens are stored in your device's secure keystore, not in plain files.

• your clips are scoped to the gang you posted them to — the system enforces this on every request.
• your day-log is private to your account and never exposed to other users.
• internally, access to production data is restricted to the few people who need it, logged, and reviewed.

mochi runs on reputable cloud providers with strong physical and network security. we keep our systems patched, isolate environments, and use least-privilege service accounts so a problem in one place can't cascade.

the safest data is the data we never collect. mochi asks only for what a daily-vlog gang needs — no contacts, no location, no ad identifiers — and deletes what it no longer needs on a rolling cycle.

security is a team sport. you can help keep your account safe:

• keep your phone locked and its OS up to date;
• only invite people you actually trust into a gang;
• tell us right away if you notice anything strange on your account.

if we ever discover a breach that affects your data, we'll investigate quickly, contain it, and notify affected users and regulators as required by law — clearly, and without spin.

found a hole? we'd genuinely love to hear from you. email security@mochilog.app with the details. we welcome good-faith research, won't pursue researchers who follow responsible disclosure, and will credit you if you'd like.