TimintTimint
Security

A server architecture engineered for your financial data

Timint runs on a V2 architecture where your counter, projections and recommendations are computed server-side, in a dedicated European infrastructure — never on your phone. Your data stays isolated, encrypted, and always under your control.

End-to-end encryption

All your data is encrypted in transit (TLS 1.3) and at rest (AES-256).

  • TLS 1.3 protocol for all communications
  • AES-256 encryption for stored data
  • Encryption keys rotated regularly

Enhanced authentication

Protect your account with multiple layers of security.

  • Two-factor authentication (2FA)
  • Biometric login (Face ID / fingerprint)
  • Automatic app lock

Secure cloud infrastructure

Our servers are hosted on certified and redundant infrastructure.

  • Google Cloud Platform hosting (Europe)
  • ISO 27001 certified data centers
  • Automatic geo-replicated backups

Financial data protection

Your financial data benefits from enhanced protection.

  • Financial data isolated and encrypted separately
  • No direct access to your bank accounts
  • Payment information tokenization via Stripe

Access control

You maintain full control over your data and account.

  • Trusted device management
  • Login activity log
  • Remote logout from all devices

Security testing

Our application is regularly audited and tested.

  • Regular security audits
  • Penetration testing by independent experts
  • Responsible disclosure program

Server-first architecture (V2)

The computation of your counter, your snapshots and your recommendations runs server-side, never on your phone.

  • Business logic hosted in Firebase Cloud Functions (europe-west1)
  • 14 dedicated snapshot collections, isolated per user
  • Your phone only receives display-ready data, never the sensitive computation

Confidential-by-design AI Coach

Our AI Coach advisors run server-side; your personal context never leaves our infrastructure in clear text toward an external LLM provider.

  • Financial context anonymised before any LLM call
  • Zero-retention configuration enabled at OpenAI and Anthropic
  • AI logic not reverse-engineerable from the mobile bundle

Real-time resilience & time zones

The counter respects your time zone and survives connectivity interruptions.

  • TZ-aware midnight rollover (your local rhythm, never forced UTC)
  • Encrypted offline cache (80 MB) for continuity without connection
  • Server recompute triggered on every mutation (latency < 3 s)

Secrets management & rotation

Integration tokens (Shopify, Stripe, AI) are stored in Google Cloud Secret Manager — never bundled into the app.

  • No secret in the mobile bundle distributed on the stores
  • Documented rotation for API keys and sensitive credentials
  • Strict isolation between test and production environments

Auditing & native TTL

All sensitive actions are logged with a clear retention policy.

  • Firestore audit log with native 90-day TTL (automatic purge)
  • Per-user scoped cache wiped at sign-out
  • Multi-environment traceability for GDPR compliance

Certifications & compliance

GDPR

Compliant with the General Data Protection Regulation

PCI DSS

Payment data security standard (via Stripe)

SOC 2

Security and availability controls (infrastructure)

ISO 27001

Information security management system