Security Practices
How we keep your data safe
For questions, concerns or issues with your profile, or to report another user, please contact us.
Party Onbici considers the security of our application and user privacy extremely important. We regularly assess and improve our security to protect the safety of our users.
1. Security practices
Party Onbici uses physical, procedural and digital controls to protect our systems and user data from unauthorized access. This includes regular security reviews of our systems and applications by our internal engineering team and by external security auditors.
2. Reporting security vulnerabilities
Party Onbici welcomes the help of the security research community in enhancing our application and user data protections. We encourage security researchers to responsibly disclose any potential vulnerabilities to security@partyonbici.com.
Reports received through this address will receive a reply. To protect our users, we request that you refrain from sharing any potential vulnerability with anyone outside of Party Onbici until we have confirmed that the vulnerability has been properly mitigated.
3. Mobile app security
The Party Onbici mobile application implements the following security measures to protect your data:
Data in transit
- TLS 1.3 encryption: All network communications between the app and our servers use TLS 1.3, the current version of the Transport Layer Security protocol.
- Certificate pinning: The app validates server certificates against a known set of trusted certificates to prevent man-in-the-middle attacks.
- Request signing: API requests are cryptographically signed to ensure authenticity and prevent tampering.
Data at rest
- Local encryption: Sensitive data stored on your device (such as ride history and preferences) is encrypted using platform-native secure storage (iOS Keychain, Android Keystore).
- No plaintext storage: Credentials and tokens are never stored in plaintext on your device.
Privacy by design
- Minimal data collection: We only collect data necessary for the features you use.
- Consent-based sync: Ride data synchronization to our servers only occurs with your explicit consent, which can be withdrawn at any time.
- Local-first architecture: Core features work offline, keeping your data on your device unless you choose to sync.
- Anonymized analytics: Performance and crash data sent to our monitoring services does not include personally identifiable information.
Access controls
- Biometric authentication: The app supports Face ID, Touch ID, and Android biometrics for secure access.
- Session management: Authentication tokens expire automatically and can be revoked remotely.
- Rate limiting: API endpoints are protected against brute force and denial-of-service attacks.
4. Third-party security
We carefully evaluate the security practices of all third-party services integrated into our platform:
- All third-party SDKs and services undergo security review before integration.
- We maintain data processing agreements with all service providers.
- Third-party access to user data is limited to the minimum necessary for their function.
- We regularly review and update our third-party dependencies to address security vulnerabilities.