Security at Barliva
We take the security of your data seriously. This page summarises the technical and organisational measures we use to protect the Barliva Services, and how to report a vulnerability if you find one.
Encryption in transit
All traffic is served exclusively over HTTPS with modern TLS. HTTP is redirected to HTTPS and we send HSTS headers.
Encryption at rest
Credentials are stored only as salted hashes. Databases and object storage holding user data are encrypted at rest.
Hardened infrastructure
Services run on access-controlled Linux hosts with a default-deny firewall, automatic security patching, and intrusion prevention.
Least privilege
Internal services (cache, object storage, metrics) are bound to private interfaces and never exposed publicly. Admin access is key-based and scoped.
01 Our practices
- Network security. A firewall allows only the ports required to serve the app (HTTPS) and secured administrative access. Backend datastores, caches, and metrics endpoints listen only on loopback or private networks.
- Authentication. Remote server access requires SSH keys; password authentication is disabled. Application accounts use hashed credentials and support session expiry.
- Patching. Operating-system and dependency security updates are applied promptly, with unattended security upgrades enabled.
- Monitoring & logging. We collect system and application metrics and retain audit logs to detect and investigate anomalies.
- Backups. User data is backed up on a regular schedule with defined retention, supporting recovery from incidents.
- Data minimisation. We collect only what we need, and barcode images are processed on-device rather than uploaded by default. See our Privacy Policy.
02 Responsible disclosure
We welcome reports from security researchers. If you believe you've found a vulnerability, email security@barliva.com with:
- A description of the issue and its potential impact;
- Steps to reproduce (proof-of-concept where possible);
- Any relevant URLs, requests, or screenshots.
Please give us reasonable time to investigate and remediate before any public disclosure, and avoid accessing or modifying other users' data, degrading our services, or running automated scans that could cause harm. We'll acknowledge your report, keep you updated, and credit researchers who responsibly disclose, where desired.
03 Contact
Security team: security@barliva.com
For privacy questions, see our Privacy Policy.
This page describes our security program in general terms and may evolve as our infrastructure does. It is provided for transparency and is not a contractual warranty.