Security at Roost
Your household admin contains some of your most sensitive information — policy numbers, account details, emergency contacts. Here is exactly how we protect it.
Personal items are end-to-end encrypted
Items you keep private are encrypted on your device before they leave it. Roost cannot read them. Nobody can read them without your key. This applies to all vault items, lists, routines and notes you mark as personal.
Shared items use server-side encryption with row-level security
When you share an item with your household, it is encrypted at rest in our database. Row-level security policies mean that only the people you have explicitly shared with can query that data — at the database level, not just at the application level.
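As an added illustration (not Roost's actual schema or policies), this is what database-level sharing enforcement of this kind can look like in Supabase Postgres. The table, column and policy names are hypothetical, and the sketch assumes a Supabase project where the `authenticated` role and the `auth.uid()` helper exist.

```sql
-- Hypothetical schema: items, item_shares and their columns are assumed names.
-- auth.uid() is Supabase's helper that returns the caller's user id from the JWT.
create table items (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  body     text not null
);
create table item_shares (
  item_id uuid not null references items(id) on delete cascade,
  user_id uuid not null,
  primary key (item_id, user_id)
);

-- Once RLS is enabled, a table with no matching policy returns no rows
-- to ordinary roles (default deny).
alter table items       enable row level security;
alter table item_shares enable row level security;

-- A user can read only the share rows that name them.
create policy shares_select_own on item_shares
  for select to authenticated
  using (user_id = auth.uid());

-- A user can read an item if they own it or it was explicitly shared with them.
create policy items_select_owner_or_shared on items
  for select to authenticated
  using (
    owner_id = auth.uid()
    or exists (
      select 1 from item_shares s
      where s.item_id = items.id and s.user_id = auth.uid()
    )
  );

-- Verification step: impersonate a user who owns nothing and has no share
-- (constructed UUID) and confirm the query cannot see other people's items.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-00000000000c"}', true);
select id from items;
rollback;
```

Policies like these bind only roles that are subject to RLS: the table owner and any role with `BYPASSRLS` (in Supabase, `service_role`) skip them, so server-side code using such a role has to enforce sharing itself.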
No passwords
Roost uses one-time codes sent to your email, and Sign in with Apple on iOS. There is no password to phish, leak, or forget.
Optional app lock
Enable biometric or passcode lock on the iOS app so the app requires authentication to open, even if your phone is unlocked.
Infrastructure
Roost is built on Supabase (Postgres with row-level security) and hosted on Vercel. Both operate under SOC 2 Type II certification. Your data is stored in the EU.
Account deletion
Any user can permanently delete their account and all associated data from Settings. This removes everything stored in Roost — vault items, lists, routines and household links.
Questions about security? Email hello@getroost.io