Security
How Bowtie Risk Engine handles your data and what we do — and don't do — for security. We aim to be specific and honest rather than vague and reassuring.
Where your diagrams live
- Desktop apps — diagrams are stored on your machine. They never leave your device unless you explicitly export or share them.
- Browser app — diagrams are stored locally in your browser by default. Optional sign-in (Firebase Authentication) enables cloud-backed storage for diagrams you choose to save remotely.
Transport & transit
- The site is served over HTTPS only. Plain HTTP requests are upgraded to HTTPS.
- A strict Content Security Policy is enforced. Inline scripts are limited; only the origins required by the app are allowed.
- Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and a tight Permissions-Policy are set on every response.
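As an added example (not code from the Bowtie Risk Engine project), a small Python check that compares a response's headers against the transport policy listed above. The header sets are constructed samples, and the CSP part only inspects script-src for inline or wildcard sources.

```python
from typing import Dict, List

# Constructed sample: a response that meets the policy described above.
GOOD_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
}

# Constructed sample: a weaker response that the check should flag.
WEAK_HEADERS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}


def csp_sources(csp: str, directive: str) -> List[str]:
    """Source list for a CSP directive; falls back to default-src as browsers do."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get(directive, directives.get("default-src", []))


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for headers that fall short of the policy; [] means compliant."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    if "max-age=" not in h.get("strict-transport-security", "").lower().replace(" ", ""):
        findings.append("missing or invalid Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if not h.get("permissions-policy"):
        findings.append("missing Permissions-Policy")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif set(csp_sources(csp, "script-src")) & {"'unsafe-inline'", "*"}:
        findings.append("CSP script-src allows inline or wildcard scripts")
    return findings
```

Running `check_headers(WEAK_HEADERS)` returns four findings, while the compliant sample returns an empty list.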
Authentication
Authentication is optional and powered by Firebase Authentication. Sign-in is only required if you choose to use cloud-backed features. Passwords are never stored or seen by us.
What we do not do
We are a small team and we are honest about it.
- We do not currently hold a SOC 2, ISO 27001, or similar certification.
- We do not offer custom data-residency contracts at this stage.
- We do not run a public bug bounty.
If you need any of the above for procurement, get in touch — we are open to scoping engagements where it matters.
Reporting a vulnerability
If you believe you have found a security issue, please email [email protected]. Please include a clear description, steps to reproduce, and any proof-of-concept material. We will acknowledge reports within five business days.
Please do not publicly disclose an issue before we have had a reasonable chance to fix it.
For procurement
We are happy to fill out reasonable security questionnaires for organisations that intend to use the desktop app. Reach out via the contact page with the questionnaire attached.