Security

Encryption in transit

All traffic between your device and Palimp runs over TLS 1.2+ with modern cipher suites. We enforce HTTPS across the marketing site and the app, with HSTS and secure cookies enabled.

Encryption at rest

Data stored on our servers sits on encrypted disks provided by our hosting partner (AES-256 at rest). Passwords are stored as argon2id hashes — we never see your plaintext password.

Cloud sync content is additionally end-to-end encrypted with a key derived from your account passphrase, so notes are unreadable to us even if our storage were compromised.

Data export

Every note is plain markdown. At any time, you can export your entire vault as a zip of .md files from the settings screen. Your tags, links, and dates survive the export intact — no lock-in.

Account deletion

Delete your account from settings and all server-side data is queued for removal within 30 days. Backups containing your data roll off within 90 days. Local copies on your own devices remain under your control.

Responsible disclosure

Found a security issue? We'd love to hear from you before anyone else. Email security@palimp.com with details and a proof of concept if you have one. We aim to acknowledge within 2 business days, credit you publicly (if you want), and pay a bounty for valid reports.

Operational practices

• Least-privilege access; admin actions require 2FA.
• Dependencies are tracked and patched on a regular cadence.
• Changes ship through code review and automated tests before touching production.
• Incidents are logged, investigated, and — when user data is involved — disclosed promptly.