All traffic is served exclusively over HTTPS/TLS. We enforce HTTP Strict Transport Security (HSTS) so browsers only ever connect over an encrypted channel.
Login tokens are stored in httpOnly, Secure, SameSite=Strict cookies and are never exposed to client-side JavaScript or browser storage. Access tokens are short-lived (15 minutes) with automatic rotation, limiting the impact of any single leaked token.
Every access-control decision is enforced on the server. Your areas of interest, searches and preferences are scoped to your account — other users cannot read or address your data, even by guessing identifiers.
We apply a Content-Security-Policy and a baseline of security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) across the application to reduce the risk of injection and clickjacking.
No credentials or signing keys are shipped to the browser or committed to source control. Sensitive operations and signing keys remain server-side only.
We collect the minimum data needed to operate the service, and analytics are anonymised (IP addresses are truncated). You can export or permanently delete your account data at any time from Settings → Privacy & Data. See our Privacy Policy for details.
If you discover a security issue, please report it to [security email]. We welcome responsible disclosure and will work with you to resolve verified issues promptly.
We are not currently certified under ISO 27001 or SOC 2. For enterprise engagements with specific compliance requirements, please contact us to discuss your needs.