1. Our Commitment
Security is foundational to GhostRate. Our core product — anonymous feedback — is worthless without a trustworthy security posture.
2. Technical Measures
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.3
- Password security: bcrypt with cost factor 12
- Authentication: JWT with short-lived access tokens (15 min) and rotation-based refresh tokens (30 days)
- SQL injection prevention: Parameterized queries throughout
- CSRF protection: On all state-changing endpoints
- Rate limiting: On authentication endpoints
3. Organizational Measures
- Production access restricted with MFA
- Immutable audit log for all admin actions
- Principle of least privilege
- Regular dependency audits
4. The Identity Firewall
- Identity schema and public schema have no foreign key or join path
- Tokens deleted before response insert completes
- Even with full database access, responses cannot be traced to respondents
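The identity-firewall properties listed above, as an added illustration that is not GhostRate's own code: table and column names are assumptions, and the respondent-facing token is stored only as a hash on the identity side while the response row carries nothing that could be joined back to it.

```python
# Illustration of the identity-firewall pattern described above. Added example,
# not GhostRate's code: table and column names are assumptions.
import hashlib
import secrets
import sqlite3

# Identity side knows who was invited; public side knows what was said.
# responses has no respondent column and no foreign key, so no join path exists.
SCHEMA = """
CREATE TABLE identity_tokens (token_hash TEXT PRIMARY KEY, survey_id INTEGER NOT NULL,
                              respondent TEXT NOT NULL);
CREATE TABLE responses (id INTEGER PRIMARY KEY AUTOINCREMENT, survey_id INTEGER NOT NULL,
                        body TEXT NOT NULL);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(conn, survey_id, respondent):
    """Mint a one-time token for an invitee; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO identity_tokens VALUES (?, ?, ?)",
                 (_h(token), survey_id, respondent))
    conn.commit()
    return token

def submit_response(conn, token, body):
    """Delete the token, then insert the response, inside one transaction.
    A failed insert rolls back the delete, so a token is never burned without
    its response being stored. Returns False for an unknown or used token."""
    row = conn.execute("SELECT survey_id FROM identity_tokens WHERE token_hash = ?",
                       (_h(token),)).fetchone()
    if row is None:
        return False
    try:
        cur = conn.execute("DELETE FROM identity_tokens WHERE token_hash = ?", (_h(token),))
        if cur.rowcount != 1:  # lost a race with a concurrent submit of the same token
            conn.rollback()
            return False
        conn.execute("INSERT INTO responses (survey_id, body) VALUES (?, ?)", (row[0], body))
        conn.commit()
        return True
    except sqlite3.Error:
        conn.rollback()
        raise
```

A schema audit for this property is a query over the catalog: `PRAGMA foreign_key_list(responses)` must be empty and `PRAGMA table_info(responses)` must expose no respondent or token column.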
5. Vulnerability Disclosure
Email: [email protected]. We acknowledge reports within 48 hours and resolve critical issues within 14 days.
6. Compliance
- GDPR compliant
- SOC 2 Type II planned for Q4 2026
7. Bug Bounty
Contact [email protected] to participate in our informal bug bounty program.
