Simeon Pashley

WriteDaily Security Review: How We Handle Your Writing Data in 2022

I commissioned a security review of WriteDaily this summer — the first formal audit in the tool’s nine-year history. With GDPR considerations and growing awareness of cloud privacy, it felt like the right time.

What the Review Covered

  • Infrastructure security — server configuration, access controls, network exposure
  • Application security — auth flow, session management, input validation, XSS/CSRF protections
  • Data handling — storage, encryption, backup practices, retention policies
  • Privacy compliance — data collection, user consent, deletion workflows

Findings

The review surfaced two areas for improvement:

Session management. The original session timeout was generous (30 days). Reduced to 7 days with automatic logout. A minor convenience trade-off for a meaningful security improvement.

Backup encryption at rest. Backups were encrypted in transit but stored unencrypted on the backup server. Now encrypted at rest with AES-256. The backup server itself is air-gapped from public access.

No critical vulnerabilities were found. The review validated several design decisions:

  • No third-party scripts or tracking on any page
  • No external API calls during the writing or analysis flow
  • Export functionality works correctly and includes all user data
  • TLS configuration meets current best practices

Privacy Roadmap Update

The 2016 privacy post outlined three long-term goals. Here’s where they stand:

  1. Client-side sentiment analysis. The LIWC2007 dictionary is small enough for browser-side processing. I’ve prototyped a JavaScript port of the parser. Not yet production-ready, but technically feasible.

  2. End-to-end encryption for entries. Still under research. The challenge is balancing encryption with the server-side features that depend on plaintext access (sentiment analysis, word counting, pace tracking). Moving sentiment analysis client-side would unblock this.

  3. Deletion guarantees. Implemented. Account deletion now irreversibly removes all entries, pace data, sentiment arrays, and user records. Confirmation email sent on completion.

What WriteDaily Doesn’t Have

Sometimes it’s worth stating what a product doesn’t collect:

  • No analytics or tracking scripts
  • No advertising identifiers
  • No social graph or contact imports
  • No cookie consent banner (because there are no tracking cookies)
  • No third-party data processors

WriteDaily at writedaily.co remains what it’s always been: a private writing tool. The security review confirmed that foundation is solid, and highlighted where to reinforce it.

logo

I Create Reach.
I Generate Impact.
I Amplify.