Apr 28, 2026
Security Overview
Technical and organizational measures Wallper uses to protect the app, infrastructure, and your data.
Our Approach to Security
Security is a core part of how we build and operate Wallper. This document describes the technical and organizational measures we apply to protect the Wallper macOS application, its backend services, and the personal data we process on behalf of our users.
We take a defense-in-depth approach: layered controls across network, infrastructure, application, and operational levels. Where industry standards exist (e.g., OWASP, CIS Benchmarks), we use them as baselines.
Infrastructure
- Backend services run on a Wallper-controlled dedicated server hosted with OVH (EU data centers).
- All wallpaper assets are stored on the same OVH-hosted infrastructure with encryption at rest.
- Internal traffic between services uses TLS and is restricted by firewall rules and least-privilege access.
- Stripe is the sole payment processor; we do not store full card data on our infrastructure.
- Vercel is used for the website with global edge delivery, automated TLS, and DDoS protections.
Application Security
- All public endpoints are served exclusively over HTTPS/TLS with modern cipher suites.
- License validation uses signed, server-issued tokens bound to a hardware identifier (HWID).
- We follow secure-coding practices and review changes before deployment.
- Dependencies are kept up to date and monitored for known vulnerabilities.
- Public gallery submissions are reviewed before being published to other users.
Access Control
- Administrative access is restricted to a small number of authorized maintainers.
- All accounts with access to production systems require strong, unique credentials and MFA.
- Access is granted on a least-privilege basis and reviewed periodically.
- Sensitive credentials are stored in a secrets manager and never committed to source control.
Data Protection
- Encryption in transit (TLS 1.2+) for all client–server communication.
- Encryption at rest for stored wallpapers, license records, and operational data.
- Personal data is minimized: we only collect what is needed to operate the Service.
- Backups are taken regularly and stored in encrypted form.
Monitoring and Incident Response
We monitor our services for availability, error rates, and suspicious activity. If we detect or are notified of a security incident, our goal is to investigate quickly, contain impact, and communicate clearly with affected users.
- We follow an internal incident response process that covers triage, mitigation, and post-mortem.
- Where a personal data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected users in accordance with applicable law (e.g., Articles 33–34 GDPR).
- Status updates and known incidents are published on our status page where applicable.
Reporting a Vulnerability
If you believe you have found a security vulnerability in Wallper, we appreciate responsible disclosure. Please email support@wallper.app with the subject line “Security Report” and include enough technical detail for us to reproduce the issue.
- Do not access, modify, or delete data that does not belong to you.
- Do not perform attacks that could degrade service for other users (e.g., DoS).
- Give us a reasonable time to investigate and remediate before any public disclosure.
- We will acknowledge valid reports and keep you informed about remediation status.
Shared Responsibility
Security is a shared responsibility. We recommend keeping macOS and the Wallper app up to date, using a strong password and MFA on your Apple ID and email, downloading the app only from official sources, and never sharing your license key.
Copyright © 2026 Wallper. All rights reserved. Contact: support@wallper.app. Website: wallper.app.