Security

We take security seriously.

How we keep your data safe, and what to do if you find a vulnerability. We appreciate responsible reports.

How we secure your data

Six things we do to protect you.

Encryption in transit

All data between your device and our servers uses TLS 1.3. No exceptions.

Encryption at rest

Game data and account information is encrypted at rest using AES-256.

Minimal data collection

We only collect what's needed to operate the game. Less data = less risk.

Access controls

Strict role-based access internally. Production data access is logged and audited.

Third-party vetting

We evaluate the security practices of every vendor before use.

Dependency hygiene

Automated scanning for vulnerable dependencies with immediate patching.

Responsible disclosure

Found a vulnerability?

We welcome responsible disclosure. If you find a security issue, please email security@brainloom.fun with details.

We'll acknowledge your report within 24 hours, keep you informed as we investigate, and credit you in our changelog if you'd like (and the vulnerability is valid). Please don't publicly disclose the issue until we've had a chance to fix it.

security@brainloom.fun

What's in scope

  • brainloom.fun and all subdomains
  • Crux and Luma mobile apps (iOS and Android)
  • Our game APIs and backend services

Out of scope

  • Denial of service attacks or volumetric testing
  • Social engineering of Brainloom employees
  • Physical security
  • Third-party services (App Store, Google Play)