Encryption & Data Controls
Data in transit is protected by TLS 1.3. At rest, stored geolocation coordinates are application-layer encrypted with AES-256-GCM using per-user keys; images and analysis records sit on managed Postgres with infrastructure disk encryption. You can delete your analysis history at any time from your settings.
Encryption at rest
Location coordinates stored in Oceanir's database are application-layer encrypted with AES-256-GCM using per-user keys derived from a master secret stored separately from the database. Images, analysis metadata, and result records rely on infrastructure-level disk encryption (AES-256 block-level on managed Postgres volumes) plus TLS-encrypted internal networking. Per-user keys are derived deterministically and not stored alongside the data they protect.
// Encryption envelope
{
"algorithm": "AES-256-GCM",
"key_id": "usr_k1_a8f3...",
"iv": "base64-encoded-nonce",
"ciphertext": "base64-encoded-encrypted-data",
"tag": "base64-encoded-auth-tag"
}Encryption in transit
All API communication uses TLS 1.3. We enforce HSTS with a minimum TLS version of 1.2 and reject weak cipher suites. Certificate pinning is available for mobile SDKs.
Automatic data expiry
Expired data is cryptographically shredded — encryption keys are destroyed first, rendering the ciphertext permanently unreadable even if storage media is compromised. This is not soft deletion; recovery is impossible by design.
No bulk downloads
Oceanir does not provide bulk data export or dataset downloads. Results are accessible only via individual API requests tied to authenticated sessions. This prevents mass collection of location data.