CalmSource
§ 06 — Compliance
Security & PrivacyFolio № 06 · Compliance
Data stays on the device it was created on.
A plain-language description of how the CalmSource runtime handles data, credentials, and telemetry. Written by the founder — not an independent certification.
Data Handling
What the runtime does with your data
- Credential storage
- Local secure enclaveProvider credentials are stored using the Android Keystore with AES-GCM. They are never transmitted off the device by the runtime.
- Index & token map
- Encrypted at rest, on-deviceThe stream index and any provider tokens live in an encrypted local store; they are not synced across devices by the runtime.
- Telemetry
- Disabled by defaultNo usage telemetry is collected unless the OEM or operator enables it, in which case events are redacted before export.
- Log redaction
- Automated PII scrubbingURLs, tokens, and credential fragments are removed from any log line before it can leave the process.
Shared Responsibility
What the runtime does · what the operator must do
CalmSource runtime
- 01On-device encryption of credentials and index
- 02Automated log redaction before any export
- 03No server-side session created for playback
- 04Signed release artifacts and reproducible builds
OEM / Operator
- 01Physical device security and OS-level updates
- 02User consent flows for any optional telemetry
- 03Privacy notice and lawful basis for their end users
- 04Access control for operator console credentials
Where we stand today
Honest posture
- Independent audit
- Not yet — planned post-fundingThird-party security review is on the roadmap once headcount and budget allow. Findings will be shared with partners under NDA when available.
- Regulatory frameworks
- Designed to enable operator complianceThe local-first architecture is intended to help OEMs and operators meet GDPR-style obligations. CalmSource itself does not act as a controller for end-user data.
- Vulnerability reporting
- hello@calmsource.devSingle inbox, monitored by the founder. Reports acknowledged within two business days. PGP key on request.
- Incident contact
- hello@calmsource.devSame inbox. There is no 24/7 on-call rotation yet — that scales up with the team.
This page reflects current app-visible controls as of the last update. It is not a statement of certification and does not constitute legal advice.