Security

Security practices

✓

Encryption in transit: All traffic uses TLS 1.2+ (enforced by Vercel). No unencrypted HTTP.

✓

Encryption at rest: Database (Turso/libSQL) and file storage (Cloudflare R2) encrypt data at rest using AES-256.

✓

Password hashing: Passwords are hashed with bcrypt (12 rounds). We never log or store plaintext passwords.

✓

API key security: API keys are hashed with bcrypt and never stored in plain text. The plain-text key is shown once at creation via an HttpOnly cookie and then permanently discarded.

✓

Session security: Sessions use HttpOnly, SameSite=Lax, Secure cookies. Session tokens are signed and validated on every request.

✓

Stripe security: Payments are processed by Stripe. We verify webhook signatures on every event. Card data never touches our servers.

✓

IDOR protection: All job, file, and billing record access is verified against the authenticated user's ID server-side. No client-controlled IDs are trusted.

✓

CSP: Content Security Policy headers are set on every response, restricting script execution to trusted sources.

Responsible disclosure

If you discover a security vulnerability, please report it to [email protected]. We respond within 24 hours and aim to remediate critical issues within 72 hours.

We do not pursue legal action against good-faith security researchers who follow responsible disclosure practices. Please give us time to fix the issue before public disclosure.

Vendor list

Vercel Hosting, CDN, serverless functions

Turso (libSQL) Database (SQLite-compatible, distributed)

Cloudflare R2 Object storage for generated outputs

Stripe Payment processing and subscription billing

Managed GPU provider AI generation infrastructure (Gemini Omni model)

Google OAuth Optional social login