# Account security

> Two-factor authentication, session management, sign-out everywhere, family-violence safe-exit, and the security practices RYTZ recommends for accounts holding active matter data.

import { CardGroup, Card, Note, Tip, Warning, Steps, Step } from '@mintlify/components'

Family-law matter data is some of the most sensitive data a person will store anywhere. This page covers the security practices RYTZ recommends for accounts holding active matter data — what the platform offers, what to enable, and what to do if you suspect compromise.

## Two-factor authentication (2FA)

**Strongly recommended for every active matter.** 2FA prevents someone with your password alone from accessing your account.

### Enabling 2FA

<Steps>
  <Step title="Open Settings → Security">
    From the user menu (top-right) → Settings → Security.
  </Step>

  <Step title="Choose your 2FA method">
    Two options:

    * **Authenticator app** (recommended) — Google Authenticator, Authy, 1Password, Bitwarden. Standard TOTP. Most secure.
    * **SMS** — code sent to a registered phone number. Less secure than authenticator app; use only if authenticator app isn't an option.
  </Step>

  <Step title="Scan the QR code (authenticator)">
    For authenticator-app 2FA, the platform shows a QR code. Scan with your chosen app. The app generates a 6-digit code that rotates every 30 seconds.

    Save the recovery codes shown alongside the QR code somewhere safe (password manager, printed and stored offline). These are your backup if you lose access to the authenticator device.
  </Step>

  <Step title="Verify with the first code">
    Enter the current 6-digit code from your authenticator app. The platform confirms 2FA is active.
  </Step>
</Steps>
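
The rotating 6-digit code from the steps above is standard TOTP (RFC 6238). The added example below is not RYTZ's code: it derives the code from a shared secret and shows a server-side check, where the one-step drift window and the replay guard are assumptions about a typical verifier.

```javascript
// Added example (not RYTZ's code): RFC 6238 TOTP with the parameters this
// page describes, 6 digits and a 30-second step, over HMAC-SHA1.
const crypto = require('node:crypto');

const STEP_SECONDS = 30;
const DIGITS = 6;

// HOTP (RFC 4226): HMAC the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;            // low nibble of last byte
  const binary = mac.readUInt32BE(offset) & 0x7fffffff; // 31-bit value
  return String(binary % 10 ** DIGITS).padStart(DIGITS, '0');
}

// TOTP is HOTP with the counter set to the number of elapsed time steps.
function totp(secret, unixSeconds) {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Server-side check. Accepting one step either side of "now" (an assumption)
// tolerates clock drift; lastUsedStep stops a code from being replayed.
// Returns the matched step, or null to reject.
function verifyTotp(secret, submitted, unixSeconds, lastUsedStep = -1, window = 1) {
  const current = Math.floor(unixSeconds / STEP_SECONDS);
  const given = Buffer.from(String(submitted));
  let matchedStep = null;
  for (let step = Math.max(0, current - window); step <= current + window; step++) {
    const expected = Buffer.from(hotp(secret, step));
    // timingSafeEqual needs equal lengths, so check length first.
    const same = given.length === expected.length &&
      crypto.timingSafeEqual(given, expected);
    if (same && step > lastUsedStep && matchedStep === null) matchedStep = step;
  }
  return matchedStep; // caller stores this as the new lastUsedStep
}
```
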

### What 2FA does

Once enabled, every sign-in (after password) requires a second factor:

* Authenticator app: enter the current 6-digit code
* SMS: enter the 6-digit code sent to your phone

A successful sign-in on a device gives that device a session of up to 30 days. Within that window, 2FA isn't re-prompted.

### Recovery if 2FA device is lost

If you lose the device with your authenticator app:

1. Use one of the recovery codes (saved when you set up 2FA) to sign in
2. Disable 2FA on the recovered account
3. Re-enable 2FA on a new device

If you don't have recovery codes and can't access the registered phone (for SMS 2FA), contact [tech@rytz.com.au](mailto:tech@rytz.com.au) for manual recovery. The platform requires identity verification for manual recovery — be prepared to confirm your identity through your registered email plus additional information.

## Family-violence safe-exit

For users with FV disclosed in their case file, the platform offers **safe-exit** — a one-click feature that closes the platform and clears the browsing trail for the current session.

### Enabling safe-exit

Safe-exit is enabled by default for FV-disclosed users. To enable manually (if you want it as a precaution without FV disclosure):

<Steps>
  <Step title="Open Settings → Security → Safe-exit">
    Look for the Safe-exit toggle.
  </Step>

  <Step title="Toggle on">
    The Safe-exit button appears top-right of every screen.
  </Step>

  <Step title="Configure exit destination">
    What page do you want safe-exit to take you to? Default is google.com (innocuous and broadly searched). You can customise to bbc.com, weather.com, or any other innocuous destination.
  </Step>
</Steps>

### What safe-exit does

When you click the Safe-exit button:

1. Sign out of RYTZ immediately
2. Replace the current browser tab with the configured destination
3. Prevent the browser's back button from returning to RYTZ (best-effort; depends on browser)
4. Optionally clear browser history for the session (where supported)

<Warning>
  **Safe-exit is best-effort, not perfect.** Browser histories, network logs, and device-level monitoring can still reveal that RYTZ was visited. Safe-exit is designed for casual-monitoring scenarios (a partner glancing at the device), not for sophisticated surveillance. If you have reason to believe you're under sophisticated monitoring, consult a family-violence specialist about device safety in addition to using safe-exit.
</Warning>
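
One way a browser client can implement the safe-exit sequence described above, as an added example that is not RYTZ's code: the `/api/sign-out` endpoint, the function names and the injected window-like `env` object are hypothetical.

```javascript
// Added example (not RYTZ's code): a quick-exit handler.
// All names here are hypothetical.
const DEFAULT_DESTINATION = 'https://www.google.com/';

// Accept only absolute https URLs that leave the app's own origin; anything
// else (relative paths, javascript: URLs, the app itself) falls back to the
// default so a bad setting can never keep the user on the platform.
function resolveDestination(candidate, appOrigin) {
  try {
    const url = new URL(candidate);
    if (url.protocol === 'https:' && url.origin !== appOrigin) return url.href;
  } catch (_) {
    // not a parseable absolute URL: use the default
  }
  return DEFAULT_DESTINATION;
}

// env is a window-like object (location, navigator, sessionStorage) so the
// handler can also run under Node for testing.
function safeExit(env, configuredDestination) {
  const target = resolveDestination(configuredDestination, env.location.origin);

  // Step 1: fire the sign-out request without waiting for it. sendBeacon
  // queues a POST that survives the navigation below, so a slow network
  // never delays leaving the page.
  try {
    env.navigator.sendBeacon('/api/sign-out'); // hypothetical endpoint
  } catch (_) { /* leaving the page matters more than the request */ }

  // Drop per-tab state the app may have cached.
  try {
    env.sessionStorage.clear();
  } catch (_) { /* storage can be unavailable in private modes */ }

  // Steps 2 and 3: replace() overwrites the current history entry, so the
  // back button does not land on this page again. Earlier entries from the
  // same visit stay in history, which is why the feature is best-effort.
  env.location.replace(target);
  return target;
}
```
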

## Session management

The Settings → Security page shows every active session — the device, browser, IP address, and last-activity time for each.

### What to do with sessions

* **Sign out a specific session** — for a device you no longer use (sold laptop, replaced phone)
* **Sign out everywhere** — for situations where you suspect compromise
* **Sign out all except current** — single-click to retain only the device you're on

The "Sign out everywhere" button is particularly useful in compromise scenarios: even if someone has access to a session token from another device, signing out everywhere terminates that session.

## Strong-password practices

If using email + password sign-in:

<CardGroup cols={2}>
  <Card title="Use a password manager" icon="key">
    1Password, Bitwarden, LastPass, or your browser's built-in. Generate a unique strong password for RYTZ. Don't reuse a password from another service.
  </Card>

  <Card title="Length matters more than complexity" icon="ruler">
    A 16-character random password is far stronger than an 8-character one with special characters. Modern password-cracking tools handle complexity easily; length is the harder problem.
  </Card>

  <Card title="Don't share your password" icon="user-slash">
    Even with someone who 'helps' with the matter (a family member, a friend). Sharing access compromises 2FA's value. If genuine multi-user access is needed, contact support for guidance.
  </Card>

  <Card title="Rotate after suspected compromise" icon="rotate">
    If you suspect the password has been seen by anyone (over your shoulder, on a shared device), change it immediately.
  </Card>
</CardGroup>

## What if I suspect my account was accessed?

Three immediate actions:

<Steps>
  <Step title="Sign out everywhere">
    From Settings → Security. Terminates every active session including any unauthorised one.
  </Step>

  <Step title="Change your password">
    Set a new strong password (use a password manager).
  </Step>

  <Step title="Re-enable 2FA on a new device if needed">
    If 2FA was previously enabled but you suspect the second-factor device is compromised, disable and re-enable 2FA on a fresh device.
  </Step>
</Steps>

Then contact [tech@rytz.com.au](mailto:tech@rytz.com.au) with a description of what makes you suspect access. The platform's logs can confirm whether unauthorised access occurred and produce a forensic summary if needed for your matter.

## What the platform does at the infrastructure level

A high-level summary of what runs underneath:

* **Encryption at rest** — AES-256 encryption for all stored data including evidence uploads, drafts, conversation history
* **Encryption in transit** — TLS 1.3 for all client-server communication
* **Australian-jurisdiction storage** — data centres in Australia for AU-located accounts
* **Daily backups** — encrypted, retained per the platform's data-retention policy
* **Security audits** — independent annual penetration testing, results summarised in [Privacy and data](/account/privacy-and-data)
* **Incident-response policy** — formal notification procedures if a breach affects user data

For deeper detail, the platform's public Security & Trust page is at [/security](https://app.rytz.com.au/security) (or /trust as alias).

## Pre-shared sensitive data — what to do

Some users sign up after sharing sensitive data with a previous platform (a generic AI chatbot, a Google Doc, an email thread). If that's you:

* **Audit what's been shared elsewhere.** Do you have data on a previous platform that should now be deleted?
* **Migrate substantively.** Treat RYTZ as the new home for the matter; consolidate evidence here, archive elsewhere.
* **Don't paste highly sensitive content into AI chats outside this platform.** Other AI chats may use your inputs in ways that don't fit your matter's privacy needs.

## What's next

<CardGroup cols={2}>
  <Card title="Settings" icon="gear" href="/account/settings">
    The full settings hub including Security.
  </Card>

  <Card title="Privacy and data" icon="lock" href="/account/privacy-and-data">
    What data the platform stores and how it's protected.
  </Card>

  <Card title="Signing in" icon="right-to-bracket" href="/getting-started/signing-in">
    Sign-in methods and 2FA recovery.
  </Card>

  <Card title="Limits and safety (AI)" icon="shield-check" href="/ai/limits-and-safety">
    Family-violence safety overlay applied to AI interactions.
  </Card>
</CardGroup>
