CalmSource
§ 06 — Compliance
Security & PrivacyFolio № 06 · Compliance

Data stays on the device it was created on.

A plain-language description of how the CalmSource runtime handles data, credentials, and telemetry. Written by the founder — not an independent certification.

Data Handling

What the runtime does with your data

Credential storage
Local secure enclave
Provider credentials are stored using the Android Keystore with AES-GCM. They are never transmitted off the device by the runtime.
Index & token map
Encrypted at rest, on-device
The stream index and any provider tokens live in an encrypted local store; they are not synced across devices by the runtime.
Telemetry
Disabled by default
No usage telemetry is collected unless the OEM or operator enables it, in which case events are redacted before export.
Log redaction
Automated PII scrubbing
URLs, tokens, and credential fragments are removed from any log line before it can leave the process.
Shared Responsibility

What the runtime does · what the operator must do

CalmSource runtime

  1. 01On-device encryption of credentials and index
  2. 02Automated log redaction before any export
  3. 03No server-side session created for playback
  4. 04Signed release artifacts and reproducible builds

OEM / Operator

  1. 01Physical device security and OS-level updates
  2. 02User consent flows for any optional telemetry
  3. 03Privacy notice and lawful basis for their end users
  4. 04Access control for operator console credentials
Where we stand today

Honest posture

Independent audit
Not yet — planned post-funding
Third-party security review is on the roadmap once headcount and budget allow. Findings will be shared with partners under NDA when available.
Regulatory frameworks
Designed to enable operator compliance
The local-first architecture is intended to help OEMs and operators meet GDPR-style obligations. CalmSource itself does not act as a controller for end-user data.
Vulnerability reporting
hello@calmsource.dev
Single inbox, monitored by the founder. Reports acknowledged within two business days. PGP key on request.
Incident contact
hello@calmsource.dev
Same inbox. There is no 24/7 on-call rotation yet — that scales up with the team.

This page reflects current app-visible controls as of the last update. It is not a statement of certification and does not constitute legal advice.