Security

We take security seriously and continuously improve our safeguards.

App & Infrastructure

  • HTTPS by default; HSTS enabled in production.
  • Hosting on Vercel; database on MongoDB Atlas.
  • Environment-scoped secrets and least-privilege access.

Authentication

  • Passwords hashed with bcrypt (never stored in plain text).
  • OAuth via Google/GitHub available.
  • Session and CSRF protection provided by NextAuth.

Data Protection

  • Rate limiting and abuse detection to protect accounts and APIs.
  • Input validation and basic content filters (e.g., a profanity filter for usernames).
  • Regular dependency updates and vulnerability patching.

Backups & Retention

  • Managed backups via our database provider.
  • Deletion flows aim to remove or anonymize data within ~30 days.

Incident Response

  • We investigate and remediate issues promptly.
  • We will notify affected users when legally required.

Responsible Disclosure

If you believe you’ve found a security issue, please email [[security email]] with details. We ask that you:

  • Avoid accessing or modifying data that isn’t yours.
  • Avoid disrupting the service (no DDoS, spam, or automated abuse).
  • Give us reasonable time to investigate and fix the issue.

Last updated: [[MONTH DAY, YEAR]]