Security Policy

Our commitment to protecting your data and our responsible disclosure program

Last Updated: January 17, 2026

  • TLS 1.2+ Encryption: All data encrypted in transit
  • 24h Response Time: For urgent security issues
  • Safe Harbor: For responsible disclosure

Found a Security Vulnerability?

We appreciate responsible disclosure. Report security issues to our security team.

1. Introduction

At Typossum, we are committed to protecting the security of your data and maintaining the integrity of our platform. This Security Policy outlines our security practices, how we handle security vulnerabilities, and what you can do to help keep our platform secure.

Our security practices apply to all Typossum products and services, including:

  • Android Keyboard Application
  • Browser Extension
  • Website
  • Backend Services

We take security seriously and continuously work to improve our security posture. If you discover a vulnerability, we encourage you to report it responsibly so we can address it promptly.

2. Reporting Security Issues

2.1 Responsible Disclosure

We welcome responsible disclosure from security researchers and ethical hackers. We believe that working with skilled security researchers across the globe is crucial to identifying weaknesses in our systems.

If you believe you have found a security vulnerability in any Typossum product or service, we encourage you to notify us. We will investigate all legitimate reports and do our best to quickly fix the problem.

2.2 How to Report

Email:

When reporting a vulnerability, please include the following information to help us understand and reproduce the issue:

  • Detailed description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions to help us verify the issue
  • Proof-of-concept code, screenshots, or logs (if applicable)
  • Impact assessment describing how this vulnerability could be exploited
  • Your contact information for follow-up questions (email preferred)
  • Affected product(s) - Android app, browser extension, website, or backend

2.3 Our Commitment

When you report a security vulnerability to us, we commit to:

  • Acknowledging receipt of your report within 1 business day
  • Providing an initial assessment within 5 business days
  • Working collaboratively with you to understand and validate the issue
  • Keeping you informed of our progress toward remediation
  • Crediting you (if you wish) when we publicly disclose the vulnerability
  • Not pursuing legal action against researchers who report in good faith

2.4 Safe Harbor

We support safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts they own or with explicit permission of the account holder
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Report findings promptly and do not disclose publicly until we have had reasonable time to address the issue
  • Do not engage in social engineering, phishing, or physical attacks against our employees or infrastructure

2.5 Recognition

We may offer recognition or rewards for valid security reports based on the severity and impact of the vulnerability. Rewards are determined at our sole discretion and may include:

  • Public acknowledgment on our security page (with your permission)
  • Typossum premium subscription credits

2.6 Out of Scope

The following are generally considered out of scope for our security program:

  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing attacks
  • Physical attacks against our offices or data centers
  • Attacks requiring physical access to a user's device
  • Vulnerabilities in third-party applications or services we don't control
  • Spam or social engineering techniques
  • Issues that require unlikely user interaction
  • Clickjacking on pages with no sensitive actions
  • Missing security headers that don't lead to direct exploitation
  • Reports from automated vulnerability scanners without proof of exploitability
  • Reports generated by AI

3. Security Practices

3.1 Data Protection

We implement multiple layers of protection to safeguard your data:

Encryption in Transit:

  • All data transmitted between your device and our servers uses TLS 1.2 or higher
  • We enforce HTTPS across all our web properties
  • API communications use secure, encrypted channels

Data Minimization:

  • We collect only the data necessary to provide our services
  • User data is stored securely with appropriate access controls

Access Controls:

  • Access to production systems is restricted to authorized personnel
  • We follow the principle of least privilege for all system access
  • Administrative access requires multi-factor authentication

3.2 Authentication and Session Management

Authentication:

  • We use industry-standard authentication services for secure user identity management
  • Support for industry-standard OAuth 2.0 providers
  • Secure password hashing with appropriate work factors
  • Account lockout protection against brute-force attacks

Session Management:

  • Secure, HTTP-only cookies for session management
  • Session tokens are cryptographically random and sufficiently long
  • Sessions expire after periods of inactivity

3.3 Infrastructure Security

Cloud Infrastructure:

  • Hosted on enterprise-grade cloud infrastructure with industry-leading security
  • Regular security patching and updates
  • Automated vulnerability scanning
  • DDoS protection through cloud provider

Application Security:

  • Regular security assessments and code reviews
  • Dependency scanning for known vulnerabilities
  • Input validation and output encoding to prevent injection attacks
  • Content Security Policy (CSP) headers to mitigate XSS attacks

3.4 Incident Response

In the event of a security incident:

  1. Detection: We monitor for security events and respond to reports
  2. Containment: We take immediate action to contain the incident
  3. Assessment: We assess the scope and impact of the incident
  4. Notification: We notify affected users and authorities as required by law
  5. Remediation: We fix the underlying vulnerability
  6. Post-Incident Review: We conduct a review to prevent future incidents

Data Breach Notification: As detailed in our Privacy Policy, in the event of a data breach, we will notify affected users via email within 72 hours of becoming aware of the breach, notify relevant supervisory authorities where required by law, and provide information about the breach and steps to protect yourself.

4. User Responsibilities

Security is a shared responsibility. To help keep your account and data secure, we ask that you:

4.1 Account Security

  • Use strong, unique passwords for your Typossum account
  • Keep your authentication credentials secure and do not share them with others
  • Use trusted devices when accessing your account
  • Sign out when using shared or public devices

4.2 Safe Usage

  • Keep your devices updated with the latest security patches
  • Use reputable antivirus software on your devices
  • Be cautious of phishing - we will never ask for your password via email
  • Verify you're on the correct website before entering credentials
  • Review connected applications and revoke access to any you no longer use

4.3 Reporting

  • Report suspicious activity on your account immediately to
  • Report security vulnerabilities to
  • Notify us if you believe your account has been compromised

4.4 Content Guidelines

  • Do not submit sensitive data such as credit card numbers, passwords, or government IDs through our text correction features
  • Be mindful of confidential information when using AI features, as text is transmitted to third-party providers for processing
  • Comply with applicable laws regarding the data you submit

5. Policy Updates

We reserve the right to modify this Security Policy at any time. When we make changes:

  • We will update the “Last Updated” date at the top of this document
  • For material changes, we may notify you by email or through the Service
  • Your continued use of the Service after changes constitutes acceptance

We encourage you to review this Security Policy periodically to stay informed about our security practices.

Contact Information

Security Issues

General Support

Privacy Inquiries

Acknowledgments

We thank the security researchers who help us keep Typossum secure through responsible disclosure. If you have reported a valid vulnerability and wish to be acknowledged, please let us know when submitting your report.

Related Policies

This Security Policy complements our Privacy Policy and Terms of Service. Please review all documents to understand how we protect your data and your rights as a user.