    Security

    Last reviewed June 4, 2026

    Security is a continuous engineering practice for us. We apply defense-in-depth across infrastructure, application, and operations, and align our controls with widely recognized frameworks such as the OWASP ASVS, GDPR/UK GDPR, and CCPA.

    Encryption

    • In transit: TLS 1.2+ for all client–server and service-to-service traffic; HSTS enabled.
    • At rest: AES-256 for the primary database and object storage.
    • Secrets: stored in encrypted environment variables; never committed to source control.

    Authentication & session

    • Passwords hashed with bcrypt (work factor 12) and never logged.
    • Short-lived (15-minute) access tokens paired with opaque, rotated refresh tokens (30-day window). Refresh tokens and developer API keys (tp_) are stored as bcrypt hashes.
    • Mandatory email verification for sensitive changes (email update, account recovery).
    • Account-recovery and reactivation flows include rate limits and explicit reason logging.

    Authorization

    • Roles stored in a dedicated server-side table — never client-side.
    • High-impact admin actions require a typed confirmation and are recorded in an immutable audit log.

    Application security

    • Authentication tokens are stored in HttpOnly, Secure, SameSite=Lax cookies so they cannot be read by JavaScript and cannot be exfiltrated via XSS.
    • CSRF defense in depth: SameSite cookies, server-side Origin allow-list, double-submit request validation, and an XHR-only requirement on every mutating endpoint.
    • Multi-layer rate limiting: per IP, per user, and per sensitive action (login, signup, password reset, generation, payments).
    • Strict Content Security Policy with violation reporting and spike alerts.
    • Input validation via strict schema parsing (Zod) on every endpoint; rejected requests do not consume credits.
    • Webhooks verify HMAC signatures over the raw request body; idempotency keys prevent replay.
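The webhook control in the last bullet, sketched as an added example (not this service's own code): the HMAC is checked over the raw bytes before parsing, and a replayed delivery is ignored. The secret, the event shape and the use of the signed body's `id` field as the idempotency key are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumptions for this example: the secret, the event shape, and the use of
// the signed body's "id" field as the idempotency key. All values constructed.
const SECRET = 'constructed-example-secret';
const processedIds = new Set(); // stand-in for a durable store with a unique constraint

function sign(rawBody, secret = SECRET) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

function handleWebhook(rawBody, signatureHex) {
  // 1. Authenticate the exact bytes received, before any JSON parsing.
  const expected = Buffer.from(sign(rawBody), 'hex');
  const given = Buffer.from(String(signatureHex ?? ''), 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { status: 401, reason: 'bad_signature' };
  }

  // 2. Parse only after the signature checks out. The key is read from inside
  //    the signed body, so it cannot be changed without breaking the signature.
  let event;
  try {
    event = JSON.parse(rawBody.toString('utf8'));
  } catch {
    return { status: 400, reason: 'bad_json' };
  }
  if (typeof event?.id !== 'string' || event.id === '') {
    return { status: 400, reason: 'missing_id' };
  }

  // 3. Replay check: a validly signed delivery takes effect at most once.
  if (processedIds.has(event.id)) {
    return { status: 200, reason: 'duplicate_ignored' };
  }
  processedIds.add(event.id);
  return { status: 200, reason: 'processed', event };
}

// Constructed delivery; note the irregular whitespace inside the JSON.
const raw = Buffer.from('{"id": "evt_001",  "type": "payment.succeeded", "amount": 1200}');
const sig = sign(raw);
console.log(handleWebhook(raw, sig).reason); // first delivery
console.log(handleWebhook(raw, sig).reason); // same delivery replayed
const reparsed = Buffer.from(JSON.stringify(JSON.parse(raw.toString('utf8'))));
console.log(handleWebhook(reparsed, sig).reason); // body re-serialized by a JSON middleware
```

The third call shows why the signature has to be computed over the raw body: parsing and re-serializing the JSON changes the bytes, so the same signature no longer verifies.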

    Infrastructure

    • Managed hosting in isolated production environments separate from development.
    • Least-privilege service credentials, scoped to the resources they need.
    • Sub-processors are selected for security maturity and contractually bound to confidentiality and breach-notification obligations. See Sub-processors.

    Monitoring & logging

    • Login activity logs visible to users, with anomaly review by our team.
    • CSP violation telemetry with automated spike alerts.
    • Cost & burn-rate alerts on AI usage to detect runaway abuse early.
    • Audit log for privileged admin actions (impersonation, role changes, credit grants/revocations).

    Backups & recovery

    The primary database is hosted on a managed provider with automated point-in-time backups (typically rolling 30 days). Restore procedures are tested periodically. Backups inherit the same encryption-at-rest and access-control posture as production.

    Data deletion

    Account deletion enters a 30-day soft-delete window during which it can be reversed by signing in. After the window, personal identifiers (name, email, avatar) are anonymized in primary systems; backup copies are purged on the rolling backup cycle.

    Billing-of-record (subscription metadata, payment events, login/IP history, webhook payloads, dispute correspondence and the per-payment identity snapshot) is retained for up to 600 days after closure to defend payment-network chargebacks (Visa/Mastercard allow disputes up to 540 days post-charge), then permanently deleted. See Privacy Policy §3 and §8.

    Incident response & breach notification

    We maintain an incident response plan with named on-call responsibilities. In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, we notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. Affected users are informed where the breach is likely to result in a high risk.

    Compliance posture

    • GDPR / UK GDPR aligned, with a Data Processing Addendum available on request.
    • CCPA / CPRA rights honored for California residents.
    • Nigeria Data Protection Act 2023 obligations applied to our African operations.
    • Payment data handled exclusively by PCI-DSS Level 1 compliant payment processors; we never see or store full card numbers.

    Reporting a vulnerability

    We welcome responsible disclosure. Email support@tinshub.com with subject "Security" and include reproduction steps. We will acknowledge within 3 business days and aim to remediate verified, high-impact issues within 90 days. Please do not test against other users' data, attempt social engineering, or perform denial-of-service testing.