Security
Security is foundational, not optional. Built with industry best practices from day one.
Encryption
- In Transit: TLS 1.3 for all connections (HTTPS only)
- At Rest: AES-256 database encryption
- Passwords: bcrypt with 12 rounds (never plaintext)
- Access Tokens: Encrypted before storage
Infrastructure
- Hosted on AWS-backed Render (SOC 2 Type II)
- Neon PostgreSQL (encrypted, automated backups)
- Cloudflare DDoS protection & WAF
- Multi-region failover capability
Authentication
- Bcrypt password hashing
- Session-based authentication with secure cookies
- OAuth 2.0 for Google, GitHub
- Token expiry & automatic refresh
- Rate limiting on login attempts
Monitoring
- 24/7 uptime monitoring
- Real-time error tracking
- Anomaly detection on API usage
- Audit logs for admin actions
Incident Response
- Documented response playbook
- Breach notification within 72 hours
- Post-incident reports for transparency
- Continuous improvement after each incident
Code Security
- Input sanitization on all endpoints
- SQL injection protection (Prisma ORM)
- XSS protection (Helmet middleware)
- CSRF tokens on state-changing requests
- Dependency vulnerability scanning
API Security
- API keys hashed in database
- Rate limiting per key/IP
- Webhook signature verification
- Scope-limited permissions
Data Privacy
- Minimal data collection
- Data isolation between tenants
- Right to deletion honored within 30 days
- No selling of user data, ever
Vulnerability Disclosure
Found a security issue? Email security@viraldm.app with:
- Description of vulnerability
- Steps to reproduce
- Proof of concept (if safe)
- Your contact info
We commit to:
- Acknowledge within 48 hours
- Provide status updates every 7 days
- Public credit if you wish (after fix)
- Bug bounty for critical findings
Compliance
- Indian DPDPA 2023 compliant
- GDPR ready (EU users)
- CCPA compliant (California users)
- Meta Platform Policy compliant
- YouTube API Terms compliant
Contact
Security questions: security@viraldm.app