Security at Prep
Nothing is uncrackable. Our job is to make attacks more expensive than a subscription. Here are the layers, plainly.
Identity in 6 layers
Passwordless from day 1. OTP + WebAuthn passkey + ECDSA device key in Secure Enclave / Keystore / TPM + biometric gate.
Request signing on every call
Every authed API call is HMAC-signed with the device key, timestamped, and nonce-tracked in Redis. Replay-proof.
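The signing scheme above, worked through end to end as an added example (this is illustrative code, not Prep's client or server). It assumes a canonical string of method, path, body hash, timestamp and nonce, header names X-Timestamp / X-Nonce / X-Signature, a 5-minute clock-skew window and an in-memory nonce set standing in for Redis; the device key is a constructed constant here, whereas the page keeps it in a hardware keystore.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key for the example; the real one never leaves Secure Enclave / Keystore / TPM.
DEVICE_KEY = bytes.fromhex("6b65792d666f722d6578616d706c652d6f6e6c792d6e6f742d7265616c0000")

MAX_SKEW_SECONDS = 300          # assumed acceptance window for X-Timestamp
NONCE_TTL_SECONDS = 2 * MAX_SKEW_SECONDS  # nonce must outlive the skew window


def canonical_string(method, path, body, timestamp, nonce):
    """Bind method, path, body and freshness values into one signed string (assumed layout)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(key, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the three headers that accompany an authed call."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical_string(method, path, body, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class NonceStore:
    """In-memory stand-in for the Redis nonce set (constructed for this example).
    In production this is a SET NX with an expiry so the check and insert are atomic."""

    def __init__(self):
        self._seen = {}  # nonce -> expiry time

    def add_if_new(self, nonce, now, ttl):
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now + ttl
        return True


def verify_request(key, method, path, body, headers, store, now=None):
    """Server side: returns (accepted, reason). Cheap checks first, nonce burn last."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    nonce = headers.get("X-Nonce", "")
    if not nonce:
        return False, "missing nonce"
    expected = hmac.new(key, canonical_string(method, path, body, ts, nonce),
                        hashlib.sha256).hexdigest()
    # Constant-time compare so the MAC cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    # Record the nonce only after the signature is valid, so a forged request
    # cannot pre-burn a nonce that a legitimate client is about to use.
    if not store.add_if_new(nonce, now, NONCE_TTL_SECONDS):
        return False, "replayed nonce"
    return True, "ok"


if __name__ == "__main__":
    store = NonceStore()
    body = b'{"question": 17, "choice": "B"}'
    headers = sign_request(DEVICE_KEY, "POST", "/v1/answers", body)
    print(verify_request(DEVICE_KEY, "POST", "/v1/answers", body, headers, store))
    print(verify_request(DEVICE_KEY, "POST", "/v1/answers", body, headers, store))
```

The order of checks matters: the timestamp window bounds how long the server has to remember nonces, the signature check runs before the nonce is stored so unauthenticated traffic cannot fill the store or block real nonces, and the body hash in the canonical string means a replayed signature cannot be reused with a different payload.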
App attestation
Apple App Attest + Google Play Integrity validated at registration and weekly. Rooted / repackaged builds refused.
Anti-cheat in depth
Per-question time anomaly, IP/geo jumps, app-background detection, multi-face camera, collusion graph, honeypot MCQs.
Audit log + bug bounty
Every admin action, content state change and payment event is appended to a signed, append-only log. Public bug bounty post-launch.
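One way to build the signed, append-only log described above, as an added example rather than Prep's own implementation. It assumes a hash chain in which each entry carries the MAC of its predecessor and is itself authenticated with HMAC-SHA256 under a constructed audit key; storage, key custody and the event schema are placeholders.

```python
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-audit-key-example-only"  # assumed; real key lives in a KMS/HSM
GENESIS = "0" * 64  # chain starts from a fixed all-zero "previous" value


def _entry_bytes(prev_mac, event):
    """Deterministic serialisation so verifier and writer MAC identical bytes."""
    return json.dumps({"prev": prev_mac, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only list where every entry is chained to the one before it."""

    def __init__(self, key):
        self._key = key
        self.entries = []  # each entry: {"prev": ..., "event": ..., "mac": ...}

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        mac = hmac.new(self._key, _entry_bytes(prev, event), hashlib.sha256).hexdigest()
        self.entries.append({"prev": prev, "event": event, "mac": mac})
        return mac

    def head(self):
        """Latest MAC; pin this externally to detect tail truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(key, entries):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev:
            return i  # link broken: an entry was removed, reordered or inserted
        expected = hmac.new(key, _entry_bytes(entry["prev"], entry["event"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return i  # content edited after signing
        prev = entry["mac"]
    return -1


if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    log.append({"actor": "admin:42", "action": "publish", "content_id": "q-1001"})
    log.append({"actor": "system", "action": "payment.captured", "amount": 499})
    log.append({"actor": "admin:42", "action": "refund", "amount": 499})
    print("intact:", verify_chain(AUDIT_KEY, log.entries))
```

Edits and deletions anywhere inside the chain break a link or a MAC, so verification pinpoints the first altered entry. Dropping entries from the tail is the one change the chain alone cannot see; that is why `head()` exists, so the latest MAC can be recorded somewhere the log writer cannot rewrite.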
Compliance map
GDPR · India DPDP · COPPA · CCPA · UK GDPR · PCI-SAQ-A (via Stripe/Razorpay) · SOC2 Type I in P3.
Found a vulnerability?
Email security@prep.app (PGP at /.well-known/security.txt). Critical: $5,000. High: $1,000. Median response: 24 h.