HafizPrime

Security at HafizPrime

Infrastructure

  • All traffic is served over TLS 1.3. HSTS with preload enabled.
  • Origin behind Cloudflare WAF with OWASP Top 10 ruleset.
  • DNSSEC enabled at the registrar.
  • Origin databases are isolated in a private VPC with no public ingress.
  • Encryption at rest (AES-256) for all user data.

Application

  • Passwords hashed with argon2id.
  • 2FA (WebAuthn preferred) available to every user.
  • Admin 2FA is required.
  • CSRF protection on all authenticated endpoints.
  • Strict CSP on the marketing site and admin.
  • Content protected with Subresource Integrity (SRI) where applicable.

AI & audio

  • Recitation audio deleted from servers within 30 days.
  • AI Coach prompts and responses logged for quality review; user identifiers are hashed.
  • No recitation audio used to train third-party models.

Operations

  • Quarterly internal security review.
  • Annual external penetration test (report available to enterprise customers under NDA).
  • Active bug bounty program — see security.txt.
  • 30-day offsite backup retention with monthly restore tests.

Responsible disclosure

Report vulnerabilities to security@hafizprime.com. PGP key available on request. We:

  • Acknowledge within 24 hours.
  • Triage within 3 business days.
  • Patch critical issues within 14 days.
  • Credit researchers (with consent) in our Hall of Fame.

Hall of Fame

Coming soon — report a valid vulnerability to be listed.
