Roots

How we keep the room small.

Security at Roots is closer to a quiet door than a loud lock. The practices below are the ones that matter for a small, intentional product.

Access

Every Roots account is reviewed personally before it’s let in. That’s the gate. It’s slow on purpose.

In transit and at rest

All traffic is HTTPS. Stored data is encrypted at rest. Row-level security rules govern every read and write at the database.

The Mac app

Signed with an Apple Developer ID and notarized by Apple before each release. The app runs with a hardened runtime and a tight set of permissions.

If you find something

Email security@rootsstayintouch.com. We’ll respond. Coordinated disclosure is welcome.

What we’re still working on

Roots is in closed beta. Some hardening work — auto-update signing, an immutable release bucket, a tighter Content Security Policy — is on the roadmap before we open the gate wider.

← Request access