Trust
Security
Mobile Developer (MoDev) — modev.app
A Product of Royal Legends Tech Solutions, Inc. (RLTS, Inc.) · Effective Date: May 13, 2026 · Last Updated: May 13, 2026
1. The Short Version
You are trusting MoDev with your API keys, your code, your conversations, and your work. This page is a plain-language summary of exactly how we protect that trust at the database layer — what we encrypt, what we never store, who can read what, and what happens when you leave. Every claim on this page is verifiable against our production database. If something here ever becomes untrue, that is a bug, and you should report it to security@rlt.solutions. We will fix it and update this page within 7 days.
2. What We Encrypt at Rest
Every sensitive value MoDev stores in its database is encrypted with AES-256-GCM. The encryption key is a 256-bit value stored exclusively in Vercel's sensitive environment-variable store, never committed to source code, never logged, never returned over any API. Encrypted columns, as of today:
• Your API keys for every connected service — Anthropic, OpenAI, Gemini, GitHub, Vercel, Supabase, Stripe, Resend, Base44, and any custom provider you add.
• Your OAuth tokens — Google (Gmail, Drive, Calendar) and Microsoft (Outlook, OneDrive).
• Every message you send in chat, and every message the AI returns to you.
• Every conversation title.
• Every project context prompt — the per-project instructions you give the AI.
• Every note written in the Notes section of a project.
• Auto-introspected infrastructure metadata — the GitHub repos, Vercel projects, and Supabase project info MoDev caches to make tool calls faster.
• Webhook signing secrets used to verify deploy notifications and repository events.
A SQL query against the raw database for any of these columns returns a string starting with "v1:" followed by base64 ciphertext. The plaintext exists only in server memory during the one request that needs it.
3. How the Encryption Works
MoDev uses AES-256-GCM (Galois/Counter Mode), the authenticated-encryption standard recommended by NIST. Each value is encrypted with:
• A fresh 96-bit initialization vector, generated per value by a cryptographically secure random number generator.
• A 128-bit authentication tag, which makes any tampering with the ciphertext detectable.
• The 256-bit master key, scoped to Vercel Production and Preview environments only.
The stored format is "v1:<base64-iv>:<base64-ciphertext-and-tag>". The "v1:" prefix lets us roll keys or upgrade algorithms in the future without losing access to older data. Decryption happens server-side, in the specific function handling the specific request that needs the value. Plaintext never crosses to your browser except for data you have always been entitled to see (your own chat messages, your own notes, your own connected service status).
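As an added illustration (not MoDev's own code), this Node.js sketch builds and parses the stored format described above, rejects tampered values, and includes an audit check for column values that are not in envelope form. It assumes the tag is appended after the ciphertext inside the last base64 field; the function names and sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

const VERSION = 'v1';   // prefix from the page; selects key/algorithm on read
const IV_BYTES = 12;    // 96-bit IV
const TAG_BYTES = 16;   // 128-bit authentication tag

function encryptValue(plaintext, key) {
  if (key.length !== 32) throw new Error('key must be 256 bits');
  const iv = crypto.randomBytes(IV_BYTES); // fresh IV for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Assumption: the tag is appended after the ciphertext in the last field.
  const body = Buffer.concat([ct, cipher.getAuthTag()]);
  return [VERSION, iv.toString('base64'), body.toString('base64')].join(':');
}

function decryptValue(stored, key) {
  const parts = String(stored).split(':');
  if (parts.length !== 3 || parts[0] !== VERSION) throw new Error('unsupported envelope');
  const iv = Buffer.from(parts[1], 'base64');
  const body = Buffer.from(parts[2], 'base64');
  if (iv.length !== IV_BYTES || body.length < TAG_BYTES) throw new Error('malformed envelope');
  const split = body.length - TAG_BYTES;
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  decipher.setAuthTag(body.subarray(split));
  // final() throws if the tag does not match, so tampered rows never yield plaintext.
  return Buffer.concat([decipher.update(body.subarray(0, split)), decipher.final()]).toString('utf8');
}

// Audit helper: flags column values that are not in envelope form (possible plaintext).
function isEnvelope(value) {
  return /^v1:[A-Za-z0-9+/]{16}:[A-Za-z0-9+/]+={0,2}$/.test(String(value));
}

function demo() {
  const key = crypto.randomBytes(32); // constructed key, stands in for the master key
  const stored = encryptValue('sk-constructed-sample-key', key);
  const [v, iv, b64] = stored.split(':');
  const body = Buffer.from(b64, 'base64');
  body[0] ^= 0x01; // flip one ciphertext bit
  let tamperRejected = false;
  try { decryptValue([v, iv, body.toString('base64')].join(':'), key); } catch { tamperRejected = true; }
  return {
    roundTrip: decryptValue(stored, key),
    tamperRejected,
    freshIv: encryptValue('x', key) !== encryptValue('x', key),
    plaintextFlagged: !isEnvelope('sk-constructed-sample-key'),
  };
}
```

Running isEnvelope over every row of an encrypted column is a quick way to check the "starts with v1:" claim and to catch any code path that wrote plaintext.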
4. What RLTS Staff Can See
The only personal data MoDev staff can access is what we need to operate the service:
• Your name and email.
• Your subscription plan and billing status.
• Your workspace, project, and conversation IDs (UUIDs only — not contents).
• Aggregate usage counts for the Moonlight tier (token tallies, not content).
We cannot read your conversations. We cannot read your project notes. We cannot read your API keys or OAuth tokens. We cannot read your auto-cached infrastructure data. Not because of policy — because our database has only ciphertext for those fields, and decryption requires a key that does not sit on any developer machine. If the master key is lost, your encrypted data becomes unrecoverable to us. That is the design.
5. What We Never Store
• Payment cards. Stripe handles all card data. We see a Stripe customer ID and a subscription status. We never see your card number, expiry, CVC, or billing address (unless you give it to us in chat, in which case it lives encrypted alongside the rest of the conversation).
• Passwords. Authentication is handled by Supabase Auth, which hashes passwords with bcrypt before any of our code touches them. We never see, log, or store your password in any form, encrypted or otherwise.
• Your code repositories. When the AI reads or writes files in your GitHub, those requests go directly from our server to GitHub's API using your token. File contents pass through server memory for the duration of one request — they are not archived, logged, or replicated.
• Your database contents. When the AI runs a query against your Supabase, the request goes directly to your Supabase project. Results are returned to your chat in your own UI session and are not persisted on our side beyond the encrypted message record.
6. In Transit
Every request to MoDev — from your phone to our servers, and from our servers to any third-party API you have connected — is encrypted in transit with TLS 1.2 or higher. Plain HTTP is rejected at the edge by Vercel and Supabase. Internal traffic between our application and our database goes over Supabase's private network with mutual authentication and TLS.
7. When You Disconnect a Service
The moment you click Disconnect on any service in Settings → Tools, MoDev immediately and synchronously deletes the credentials from our database. There is no soft-delete, no recoverable trash, and no asynchronous cleanup queue for credentials. The corresponding webhook (if any) is also deregistered from the third-party provider in the same request, so the connection is fully severed on both sides.
8. When You Delete Your Account
Account deletion happens in two stages:
• Immediately on click: your account is marked inactive, all sessions are invalidated, the Stripe subscription is canceled, and you lose all access.
• 30 days later: a nightly cron permanently purges every row associated with you — your auth user, your workspaces, your projects, your conversations, your messages, your notes, your API keys, your OAuth tokens, your integrations, and your webhook records.
The 30-day window exists so you can recover from accidental deletions; after the window closes, the data is gone. This 30-day delay can be waived by emailing support@rlt.solutions and requesting immediate purge.
9. Subprocessors
MoDev relies on three subprocessors. We use no others.
• Supabase — hosts the encrypted database, authentication, and realtime websockets.
• Vercel — hosts the web application and serverless functions.
• Stripe — handles all payment processing and billing data.
Each is named in our Privacy Policy with a link to their respective data-processing terms. Whenever you connect an AI provider or third-party tool (Anthropic, OpenAI, Google, etc.), data sent to that provider is governed by that provider's terms.
10. Founder Commitment
MoDev was built by one person on a phone. There is no engineering team that "could" access your data — there is just the founder, and a database whose sensitive columns are unreadable without a key that lives only in Vercel's secure infrastructure. The encryption is not a checkbox for a compliance form. It is the technical guarantee that backs every claim in the Privacy Policy. If a court order, a security researcher, or a malicious actor compromises our database, what they walk away with is ciphertext. If anything on this page ever stops being true, that is a bug. Report it to security@rlt.solutions and we will fix it and update this page within 7 days.