Authentication
- Bcrypt password hashing with per-user salt.
- Optional TOTP two-factor authentication with AES-GCM–encrypted secrets and hashed recovery codes.
- Sliding-window rate limiting on sign-in, sign-up, password reset, and verification.
- Session token rotation on sensitive events and single-session revocation from Settings.
Transport & storage
- TLS everywhere.
- httpOnly, Secure, SameSite=Lax session cookies.
- Same-origin CSRF assertion on every mutating server function.
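As an added illustration of what a same-origin assertion on a mutating server function looks like (example code written for this page, not StartupDeck's own implementation; the Origin, Referer and Sec-Fetch-Site headers are the standard browser headers, and the app origin is an assumed parameter):

```python
from urllib.parse import urlsplit

# Methods that change state; safe methods are not gated by this check.
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _normalise_origin(value):
    """Lower-case scheme://host[:port] with no path or trailing slash."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_origin(headers):
    """Best evidence of where a request came from: Origin, else Referer.
    A literal "null" Origin (sandboxed frame, some redirects) is no evidence."""
    origin = headers.get("origin")
    if origin and origin.strip().lower() != "null":
        return _normalise_origin(origin)
    referer = headers.get("referer")
    return _normalise_origin(referer) if referer else None


def same_origin_check(method, headers, app_origin):
    """Decide whether a request may invoke a mutating server function.
    Returns (allowed, reason); the reason is meant for the request log."""
    if method.upper() not in MUTATING_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    # Fetch Metadata is set by the browser and cannot be altered by page script;
    # anything other than same-origin is rejected outright.
    site = h.get("sec-fetch-site")
    if site is not None and site.lower() != "same-origin":
        return False, f"sec-fetch-site={site}"
    # Defence in depth: also require Origin/Referer to match the app origin.
    # Browsers always send Origin on cross-origin and on POST requests, so a
    # mutating request with no origin evidence at all is rejected.
    expected = _normalise_origin(app_origin)
    actual = request_origin(h)
    if actual is None:
        return False, "no origin evidence"
    if actual != expected:
        return False, f"origin mismatch: {actual}"
    return True, "origin match"
```

The reason string is worth logging: a burst of "origin mismatch" or "sec-fetch-site=cross-site" rejections against one account is a useful detection signal.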
Data privacy
- Server logs redact tokens, authorisation headers, and email bodies.
- Row-level security policies gate all user-owned tables.
AI providers
Validation runs use OpenRouter to route prompts to leading LLM providers. Data submitted to model providers is governed by their respective policies; we don't fine-tune on your inputs.
Report a vulnerability
Please email security@startupdeck.in with details and steps to reproduce. Responsible disclosure appreciated.