Security & Privacy

We take your security seriously. Here's how we protect your data.

Data Encryption

All data in transit and at rest is encrypted using industry-standard protocols:

  • AES-256-GCM for stored data encryption
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive communications

Authentication & Sessions

We implement multiple layers of security:

  • JWT-based stateless authentication
  • Two-Factor Authentication (2FA) support
  • Token versioning and rotation
  • Automatic session expiration
  • Secure password hashing with bcrypt

Email Security

Authentication emails include:

  • HTTPS deeplinks that work across all platforms
  • Time-limited verification tokens (15 minutes to 24 hours)
  • URL encoding to prevent token manipulation
  • App Links (Android) and Universal Links (iOS) support

Infrastructure Security

Our infrastructure is protected by:

  • AWS for compute and storage with VPC isolation
  • Cloudflare R2 for object storage with DDoS protection
  • Rate limiting to prevent abuse and brute force attacks
  • CORS policy enforcement for cross-origin requests
  • CSP headers to mitigate XSS attacks
  • HSTS to enforce secure connections

Data Retention & Deletion

We retain data only as long as your account is active. Upon account deletion:

  • All personal data is permanently erased
  • Associated content is removed from our systems
  • Backups are retained only as required by law

Request data deletion at support@togetherlink.site

Third-Party Services

We use trusted providers that comply with global privacy standards:

  • AWS - GDPR, CCPA, SOC 2 certified
  • Cloudflare - DDoS protection and CDN
  • Google Auth - OAuth 2.0 for secure sign-in
  • Resend - Email delivery service

Compliance

We comply with:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • Industry best practices for data protection

Report Security Issues

Found a vulnerability? Please responsibly disclose it to security@togetherlink.site

Include details of the issue and we'll respond within 48 hours.