Security

Security is central to TinTorch Account, which serves as the identity layer for the entire suite. We apply layered technical and organizational measures to protect your account and data. This page summarizes our key practices.

• Data in transit is protected with TLS across all connections to the Services.
• Data at rest is encrypted on our managed infrastructure.
• Secrets such as API keys and webhook signing keys are stored securely and shown only when created.

• Passwords are never stored in plain text — they are hashed with bcrypt.
• Two-factor authentication (2FA) is available to add a second layer of protection.
• Recovery codes are provided so you can regain access if you lose your 2FA device.
• Single sign-on issues short-lived tokens so individual products never handle your password.

• You can view all active sessions, including device and location details.
• Sessions can be revoked individually or all at once.
• A login history lets you review recent sign-in activity and spot anything unusual.
• Suspicious activity may trigger additional verification.

The Services run on reputable managed providers, including Supabase for database and authentication infrastructure and Vercel for hosting. We rely on their platform-level security controls in addition to our own, and limit access to production systems on a least-privilege basis.

If you believe you have found a security vulnerability, please report it to security@tintorch.com. We appreciate responsible disclosure and will work with you to investigate and resolve valid reports.