Security
Security practices and responsible disclosure for Memorafy.
Security model
Memorafy is local-first. Your clipboard history lives on your device in SQLite with OS-level file permissions. Cloud sync is optional and only runs when you sign in.
End-to-end encryption
Synced clip content is encrypted on your device before upload. The sync server stores ciphertext and wrapped encryption keys — not readable clipboard content. Images synced across devices are encrypted the same way.
Sync metadata (timestamps, pinned/favorite flags, collection names) is not encrypted. This trade-off keeps search and organization practical while protecting the actual clip content.
Authentication
- Email and password sign-in via Supabase Auth
- Email OTP codes for signup confirmation and password reset
- Session tokens stored in the OS keychain (macOS) or Credential Manager (Windows) in release builds
Local storage
Application data is stored under your user profile (com.memorafy.app). Logs rotate daily and are kept for seven days. You can open the logs folder from Settings → About.
Updates and distribution
- macOS: Releases are signed with a Developer ID certificate and notarized by Apple. Open the DMG, drag Memorafy to Applications, and launch normally — no Terminal commands or right-click workarounds.
- Windows: Installers are not yet signed with a paid Authenticode certificate. If SmartScreen shows “Windows protected your PC” or “Unknown publisher”, choose More info → Run anyway (one time per download). In-app auto-updates remain cryptographically verified.
- In-app updates verify packages with Tauri updater signing (Minisign) before installing
Dependencies
We review dependencies for known vulnerabilities. Security fixes are prioritized. Dependency versions are pinned in our GitHub repository.
Responsible disclosure
If you discover a security vulnerability, please report it responsibly. Email [email protected] with details. We aim to acknowledge reports within 48 hours.
Please do not:
- Publicly disclose vulnerabilities before we have addressed them
- Access data belonging to other users
- Perform destructive testing against our infrastructure
Related
Read our privacy policy or visit open source to audit the code.