Security
Last updated: [EFFECTIVE DATE]
Security is core to what Lapseguard does. This page summarises how we protect your account and data. For how we handle personal data, see our Privacy Policy.
How we protect your data
- Encryption in transit. The application and its APIs are served over HTTPS.
- Password protection. Passwords are stored only as salted scrypt hashes — never in plaintext. Accounts that sign in via a third-party identity provider have no stored password.
- Session security. Sessions use an opaque, randomly generated token. Only a SHA-256 hash of the token is stored, and the session cookie is set HttpOnly, Secure, and SameSite=Lax.
- Single-use recovery tokens. Email-verification and password-reset tokens are hashed at rest and expire after use.
- Tenant isolation. Every account belongs to an organisation, and data access is scoped by organisation so tenants cannot see each other's data.
- Secret hygiene. Credentials for our providers are kept in environment variables, never committed to source control.
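The session, recovery-token and tenant-isolation practices above, as an added illustrative example (not Lapseguard's own code); the in-memory dictionaries, the sample records and the 15-minute reset-token lifetime are assumptions standing in for a real database and policy:

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Hypothetical in-memory stores standing in for the application's database.
SESSIONS: Dict[str, dict] = {}          # sha256(token) -> session record
RECOVERY_TOKENS: Dict[str, dict] = {}   # sha256(token) -> reset record
RECORDS: List[dict] = [                 # constructed sample tenant data
    {"id": 1, "org_id": "org-a"},
    {"id": 2, "org_id": "org-b"},
]

def _digest(token: str) -> str:
    # Only this digest is ever persisted; the raw token lives in the cookie or email link.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_session(user_id: str, org_id: str) -> Tuple[str, dict]:
    """Create an opaque random token and store only its SHA-256 hash."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = {"user_id": user_id, "org_id": org_id}
    cookie = {"name": "session", "value": token,
              "HttpOnly": True, "Secure": True, "SameSite": "Lax"}
    return token, cookie

def resolve_session(token: str) -> Optional[dict]:
    """Look up a presented token by its hash; a leaked store holds no usable tokens."""
    return SESSIONS.get(_digest(token))

def records_for(session: dict) -> List[dict]:
    """Tenant isolation: every query is filtered by the session's organisation."""
    return [r for r in RECORDS if r["org_id"] == session["org_id"]]

def issue_recovery_token(user_id: str, ttl_seconds: int = 900) -> str:
    """Password-reset token: hashed at rest, with an assumed 15-minute lifetime."""
    token = secrets.token_urlsafe(32)
    RECOVERY_TOKENS[_digest(token)] = {"user_id": user_id,
                                       "expires_at": time.time() + ttl_seconds}
    return token

def redeem_recovery_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Single use: the record is removed on first redemption; expired tokens are rejected."""
    now = time.time() if now is None else now
    record = RECOVERY_TOKENS.pop(_digest(token), None)
    if record is None or now > record["expires_at"]:
        return None
    return record["user_id"]
```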
Reporting a vulnerability
We welcome responsible disclosure. If you believe you've found a security issue, please email [SECURITY CONTACT EMAIL] with enough detail to reproduce it. Please give us a reasonable time to investigate and fix the issue before public disclosure, and do not access or modify data that isn't yours, degrade the Service, or run automated scans that could harm it or third parties.
We will acknowledge your report, keep you updated, and credit you if you'd like once the issue is resolved. [OPTIONAL: describe scope, safe-harbour commitment, or PGP key here.]
Contact
General security questions: [SECURITY CONTACT EMAIL].