# SyncXP Snap — App Encryption & Security Documentation

**Version:** 2.0.1  
**Last Updated:** June 2026  
**Platform:** iOS and Android

---

## Overview

SyncXP Snap is a receipt-capture utility that uploads photos directly to the user's personal cloud storage account (Dropbox, OneDrive, or Google Drive). This document explains how the app protects data in transit and at rest.

---

## Data in Transit (Network Encryption)

### HTTPS/TLS Encryption

All network communications between SyncXP Snap and cloud providers use **HTTPS with TLS 1.2 or higher**:

| Service | Endpoint | Protocol | Certificate Pinning |
|---------|----------|----------|---------------------|
| **Dropbox API** | `api.dropboxapi.com` | HTTPS/TLS 1.2+ | No |
| **Dropbox Content** | `content.dropboxapi.com` | HTTPS/TLS 1.2+ | No |
| **OneDrive/Microsoft Graph** | `graph.microsoft.com` | HTTPS/TLS 1.2+ | No |
| **Google Drive API** | `www.googleapis.com` | HTTPS/TLS 1.2+ | No |

All API calls use standard TLS certificate validation (no custom encryption layer). The cloud providers' SSL/TLS certificates are verified against the system trust store.

### What Is Encrypted in Transit

- **OAuth access tokens** — transmitted only over HTTPS when exchanging authorization codes for tokens
- **Receipt photos** — encrypted by TLS during upload to cloud storage
- **File metadata** (folder names, file paths) — encrypted by TLS
- **API requests and responses** — all encrypted by TLS

### What Is NOT Encrypted by the App

- **Cloud provider identities** — Dropbox, OneDrive, and Google Drive know which account is uploading (this is inherent to the service)
- **Photo contents** — the cloud provider can see the images once received (same as any cloud upload)

---

## Data at Rest (Storage)

### On the Device

SyncXP Snap stores minimal data locally on your device:

| Data | Storage Location | Encryption | Details |
|------|------------------|-----------|---------|
| **OAuth Access Token** | Device Secure Store (iOS Keychain / Android Keystore) | OS-level encryption | Automatically encrypted by iOS/Android |
| **User Preferences** | Device Local Storage | App-level (if sensitive) | Folder/category selections, account info |
| **Cached Photos** | Device Temporary Directory | Not encrypted | Temporary—cleared after upload or app reset |

**iOS:** Access tokens are stored in **iOS Keychain** with `kSecAttrAccessibleAfterFirstUnlock` protection, which encrypts data using the device passcode.

**Android:** Access tokens are stored in **Android Keystore** with hardware-backed encryption when available, or OS-level software encryption.

### On Cloud Servers

Once uploaded, receipt photos are stored in **your personal cloud account** (Dropbox, OneDrive, or Google Drive). SyncXP Snap does not store copies on our servers.

- **Dropbox:** Uses AES-256 encryption for data at rest ([Dropbox Security](https://www.dropbox.com/security))
- **OneDrive:** Uses AES-256 encryption and BitLocker ([Microsoft Security](https://www.microsoft.com/en-us/security))
- **Google Drive:** Uses AES-128 encryption and 2-step verification ([Google Security](https://support.google.com/drive/answer/2884871))

---

## Authentication & Authorization

### OAuth 2.0

SyncXP Snap uses **OAuth 2.0** for cloud authentication. Users sign in directly with their cloud provider (Dropbox, Microsoft, or Google). 

- **The app never sees your password** — only the access token
- **Access tokens are short-lived** — they expire and require re-authentication
- **Users control permissions** — you grant only the scopes the app needs (e.g., "upload files," "read file list")
- **You can revoke access anytime** — through your cloud provider's account settings

---

## Security Best Practices

### For Users

1. **Use a strong device passcode** — protects the Keychain/Keystore where your access token is stored
2. **Enable biometric unlock** — Face ID or fingerprint adds a second layer
3. **Keep your device updated** — OS security patches fix vulnerabilities
4. **Sign out if you lose your device** — revoke the app's access in your cloud provider's account
5. **Review app permissions** — the app only needs `files.content.write` and `files.content.read`

### For the App

- No third-party analytics or tracking
- No ad networks or SDKs
- No data sharing with external parties
- No local logging of sensitive data
- No custom encryption (relying on proven TLS + cloud provider security)

---

## What We Don't Do

- ❌ Store your photos on our servers
- ❌ Collect or share your personal data
- ❌ Use your data for advertising or profiling
- ❌ Implement custom encryption (relies on TLS + cloud provider standards)
- ❌ Access your files without explicit user action
- ❌ Log or monitor your uploads

---

## Export Compliance

SyncXP Snap uses only **standard HTTPS/TLS encryption** (no custom encryption, key derivation, or cryptographic algorithms). It qualifies for the U.S. Export Administration Regulations (EAR) **encryption exemption** (§740.13(e)) and does not require export licenses.

---

## Third-Party Security Audits

SyncXP Snap has not undergone a formal third-party security audit. If your organization requires one, contact [support@syncxp.co.uk](mailto:support@syncxp.co.uk).

---

## Reporting Security Issues

If you discover a security vulnerability in SyncXP Snap, please email **[security@syncxp.co.uk](mailto:security@syncxp.co.uk)** with details. Do not publicly disclose the issue until we've had time to investigate and patch.

---

## Questions?

For more information about privacy, see our [Privacy Policy](https://syncxp.co.uk/privacy.html).  
For support, contact [support@syncxp.co.uk](mailto:support@syncxp.co.uk).
