Security & Responsible Disclosure Policy
Last updated: July 14, 2026
Security is core to a product that hosts people's public identities. This page summarizes how we protect data and how researchers can report issues responsibly.
How we protect your data
- Encryption in transit and at rest via TLS and our infrastructure providers (Firebase, Cloudflare R2).
- Hashed credentials — passwords are never stored or transmitted in plaintext.
- Least-privilege access to production data, with role-based controls and audit logging.
- Server-side enforcement of plan limits and permissions, so client-side changes can't bypass them (see our firestore rules posture and Acceptable Use Policy).
- Monitoring for abuse, anomalous logins, and outages.
Report a vulnerability
If you find a security issue, email security@tolinks.in with a clear description and steps to reproduce. We ask that you:
- Give us a reasonable time to fix it before any public disclosure.
- Don't access, modify, or delete data that isn't yours.
- Don't run denial-of-service or automated scanning that could harm the service.
Safe harbor
We won't pursue legal action against researchers who follow this policy in good faith. Once the issue is fixed, we're happy to acknowledge you (with your permission) in our security credits.
Contact
Security reports: security@tolinks.in
