Security & Privacy

Built Secure.
By Design.

Every layer of Weavid is engineered to protect your data, your privacy, and your trust. No compromises.

AES-256-GCM Encryption EU Data Sovereignty DeepWeave Optional Privacy Mode Zero Third-Party Trackers
Encryption

How Your Data Is Protected

Weavid uses different encryption strategies depending on the type of data. Not everything is encrypted the same way — and we think you should know exactly how each layer works.

Standard Account Encryption

Your personal data is encrypted at rest using AES-256-GCM with a server-held key. This protects against database breaches and unauthorized access. The server can decrypt this data when needed for account operations like password recovery.

DeepWeave Mode (Opt-In)

When enabled, your sensitive personal data is encrypted with a key derived from your password using Argon2id. We cannot decrypt it — only you can. This is true zero-knowledge encryption, with the tradeoff that losing your password and recovery phrase means permanent data loss.

Abuse & Legal Hold (HSM-Backed)

Abuse reports and legal hold data use envelope encryption with HSM-backed key management in Paris. Each report gets its own data key, wrapped by a master key in hardware. Abuse report keys rotate weekly on an automated schedule.

Key Versioning & Audit Trail

All encryption systems support key versioning, allowing keys to be rotated without downtime. Encryption operations are logged in an immutable audit trail for compliance and transparency.

Data Sovereignty

EU Data Sovereignty

Your personal data, databases, authentication, and encryption keys are hosted in France by European providers. Public media content (videos, images) is delivered via Cloudflare for global performance and may be replicated across regions.

Component Location Provider
Application Server France Hostinger (EU)
Database Paris, France Scaleway Serverless SQL
Key Management (Abuse/Legal Hold) Paris, France Scaleway Key Manager (HSM)
Media Storage Cloudflare (Global) Cloudflare R2 — public media, may be replicated globally
DDoS Protection Edge (Global) Cloudflare WAF
Encrypted Backups EU Double-encrypted, EU storage

GDPR-Native Architecture: Your personal data is subject to EU data protection laws — the world's strongest privacy regulations. Public media (videos, images) is delivered via Cloudflare and may be distributed globally for performance. Media hosting may change in the future as the platform evolves.

Privacy

Privacy-First Design

Privacy isn't a feature we added. It's the foundation everything else is built on.

  • IP Address Truncation: We strip and hash IP addresses. Only country-code level data is stored — never your precise location.
  • Minimal Data Collection: We collect only what's necessary to run the platform. Country code for compliance, never city or coordinates.
  • Opt-In Everything: Every feature defaults to off. You choose what to enable, not the other way around.
  • No Trackers: Zero third-party analytics. No Facebook Pixel, no Google Analytics, no tracking cookies. Clean URLs with no UTM parameters.
  • No Contact Access: We will never ask to access your phone contacts. Period.
  • End-to-End Encrypted DMs (Planned): Private messaging with end-to-end encryption is on our roadmap. When launched, message keys will never leave your device.
Moderation

Transparent Safety Architecture

Content moderation and user safety require access controls that respect privacy. Our two-tier system ensures the minimum amount of data is exposed during any review.

Tier 1 — Content Review

  • Can review reported content and usernames
  • Cannot access any personal information
  • Handles the majority of moderation cases
  • Rotating encryption keys (weekly)

Tier 2 — Serious Escalations

  • Can access PII only for law enforcement coordination
  • Requires admin-level authorization
  • Separate rotating encryption keys
  • Full audit trail on all access

Legal Hold Capability: When law enforcement requests arise, evidence is encrypted under a separate admin-only key with its own audit trail. No PII is exposed to standard moderation workflows.

Infrastructure

Hardened Infrastructure

Security isn't just about encryption. Our infrastructure is locked down at every layer.

  • Firewall: Locked to Cloudflare IPs only — no direct access to origin servers from the public internet.
  • Port Security: All internal services bound to localhost. No database or cache ports are exposed externally.
  • Health Monitoring: Automated watchdog checks every 5 minutes — containers, API health, error rates, disk, memory.
  • Encrypted Backups: Double-encrypted (GPG + transport encryption) backups stored in EU infrastructure.
  • Auto-Recovery: All services auto-recover from failures in under 60 seconds.
  • Anomaly Detection: Automated detection for authentication anomalies, admin action spikes, and suspicious patterns.
  • Supply Chain Pinning: All Docker images pinned to immutable SHA256 digests to prevent supply chain attacks.
  • Incident Response: Documented containment procedures with automated lockdown capabilities.