Security at Archii

Archii Flashcards is built as an offline-first study tool with a strong emphasis on privacy. This page summarises the most important controls in place today.

Authentication & Access

• Firebase Authentication (email + Google Sign-In) handles user credentials; Archii never stores passwords.
• All API calls require a verified Firebase ID token, which is revalidated on every request.
• Admin access to Cloudflare, Stripe, and Firebase is protected with MFA and Cloudflare Access IP allow-lists.

Payments & Billing

• Stripe Checkout collects card data; Archii servers never see or store PAN/CVC information.
• 3D Secure is enabled wherever Stripe or the issuing bank requires it.
• Credit purchases are logged atomically in Cloudflare D1 so users can audit their AI usage history.

Application Security

• All traffic is served via HTTPS behind Cloudflare’s WAF with a strict Content-Security-Policy (no inline scripts).
• Rate limiting and abuse detection guard login, signup, and AI endpoints to stop card testing and brute-force attempts.
• We run dependency and Cloudflare Security Center scans before each release; findings are tracked in docs/security-scans.

Data Handling

• User-generated content (decks, sheets, AI outputs) lives in Cloudflare D1 with daily backups.
• Users can delete their account at any time; the deletion flow removes D1 data and the Firebase identity.
• We only collect the information needed to run the service (email, study data, usage credits).

Questions? Email support@archii.app and the team will respond within two business days.