    Security

    Last reviewed April 28, 2026

    Security is a continuous engineering practice for us. We apply defense-in-depth across infrastructure, application, and operations, and align our controls with widely recognized standards and regulations such as the OWASP ASVS, GDPR/UK GDPR, and CCPA.

    Encryption

    • In transit: TLS 1.2+ for all client–server and service-to-service traffic; HSTS enabled.
    • At rest: AES-256 for the primary database and object storage.
    • Secrets: stored in encrypted environment variables; never committed to source control.

    Authentication & session

    • Passwords hashed with bcrypt (work factor ≥ 10) and never logged.
    • Short-lived (15-minute) access tokens paired with opaque, rotated refresh tokens (30-day window). Refresh tokens are stored as bcrypt hashes.
    • Mandatory email verification for sensitive changes (email update, account recovery).
    • Account-recovery and reactivation flows include rate limits and explicit reason logging.

    Authorization

    • Roles stored in a dedicated server-side table — never client-side.
    • High-impact admin actions require a typed confirmation and are recorded in an immutable audit log.

    Application security

    • CSRF protection enforced on all state-changing requests; SameSite cookie defaults applied.
    • Multi-layer rate limiting: per IP, per user, and per sensitive action (login, signup, password reset, generation, payments).
    • Strict Content Security Policy with violation reporting and spike alerts.
    • Input validation via strict schema parsing (Zod) on every endpoint; rejected requests do not consume credits.
    • Webhooks verify HMAC signatures over the raw request body; idempotency keys prevent replay.

    Infrastructure

    • Managed hosting in isolated production environments separate from development.
    • Least-privilege service credentials, scoped to the resources they need.
    • Sub-processors are selected for security maturity and contractually bound to confidentiality and breach-notification obligations. See Sub-processors.

    Monitoring & logging

    • Login activity logs visible to users, with anomaly review by our team.
    • CSP violation telemetry with automated spike alerts.
    • Cost & burn-rate alerts on AI usage to detect runaway abuse early.
    • Audit log for privileged admin actions (impersonation, role changes, credit grants/revocations).

    Backups & recovery

    Automated database backups are taken on a daily schedule and retained for 30 days. Restore procedures are tested periodically.

    Data deletion

    Account deletion enters a 30-day soft-delete window during which it can be reversed by signing in. After the window, personal data is permanently erased from primary systems; backup copies are purged on the rolling 30-day cycle.

    Incident response & breach notification

    We maintain an incident response plan with named on-call responsibilities. In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, we notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. Affected users are informed where the breach is likely to result in a high risk.

    Compliance posture

    • GDPR / UK GDPR aligned, with a Data Processing Addendum available on request.
    • CCPA / CPRA rights honored for California residents.
    • Nigeria Data Protection Act 2023 obligations applied to our African operations.
    • Payment data handled exclusively by PCI-DSS Level 1 compliant payment processors; we never see or store full card numbers.

    Reporting a vulnerability

    We welcome responsible disclosure. Email support@tinshub.com with subject "Security" and include reproduction steps. We will acknowledge within 3 business days and aim to remediate verified, high-impact issues within 90 days. Please do not test against other users' data, attempt social engineering, or perform denial-of-service testing.