We take the security of your data seriously. Here's how we protect it.
Passwords are hashed using bcrypt with a unique salt per user. We never store or log plain-text passwords.
Session cookies are HTTP-only, SameSite=Lax, and Secure over HTTPS, which keeps them unreadable to injected scripts (XSS) and limits cross-site request forgery (CSRF).
Every project is scoped to its owner via compound indexes. A user can never access another user's data, even if they know a project ID.
All user inputs are validated server-side. Email addresses are verified against live DNS MX records at registration.
All traffic is served over HTTPS. The Secure cookie flag is enforced automatically in production.
Hosted on secure infrastructure providing encryption at rest and in transit as standard.
Found a security vulnerability? Please report it responsibly via our contact form and we'll respond promptly.
Report a vulnerability