Security
We take security seriously.
How we keep your data safe, and what to do if you find a vulnerability. We appreciate responsible reports.
How we secure your data
Six things we do to protect you.
Encryption in transit
All data between your device and our servers uses TLS 1.3. No exceptions.
Encryption at rest
Game data and account information is encrypted at rest using AES-256.
Minimal data collection
We only collect what's needed to operate the game. Less data = less risk.
Access controls
Strict role-based access internally. Production data access is logged and audited.
Third-party vetting
We evaluate the security practices of every vendor before use.
Dependency hygiene
Automated scanning for vulnerable dependencies with immediate patching.
Responsible disclosure
Found a vulnerability?
We welcome responsible disclosure. If you find a security issue, please email security@brainloom.fun with details.
We'll acknowledge your report within 24 hours, keep you informed as we investigate, and credit you in our changelog if you'd like (and the vulnerability is valid). Please don't publicly disclose the issue until we've had a chance to fix it.
security@brainloom.fun →What's in scope
- brainloom.fun and all subdomains
- Crux and Luma mobile apps (iOS and Android)
- Our game APIs and backend services
Out of scope
- Denial of service attacks or volumetric testing
- Social engineering of Brainloom employees
- Physical security
- Third-party services (App Store, Google Play)