We take security seriously.
What we do to protect your data, and how to reach us if you find something we missed.
How we protect your data.
Encryption
In transit and at rest.
All traffic uses TLS 1.2 or higher. Database backups and customer data at rest are encrypted using provider-managed keys.
Authentication
Password and 2FA.
Passwords are hashed with industry-standard algorithms. TOTP-based two-factor authentication is available on every account, with single-use backup codes.
Access controls
Least privilege by default.
Role-based access at the organization level, plus a dedicated admin role for site-wide moderation. Every privileged action is written to an audit log.
Auditability
Tamper-evident logs.
Authentication events, role changes, and administrative actions are recorded with PII redaction enabled by default and 90-day retention.
Responsible disclosure.
Found a vulnerability? Email [email protected]. Please include reproduction steps, affected URLs, and your assessment of impact. We aim to acknowledge reports within two business days and to work with you toward a coordinated fix.
Our machine-readable disclosure contact is published at /.well-known/security.txt per RFC 9116.
See also our Privacy Policy and our Terms of Service for what data we process and on what basis.
