Back to map

Trust & Security

Security and privacy are designed into PassPrediction from the ground up. This page summarises how we protect your account and your data.

Encryption in transit

All traffic is served exclusively over HTTPS/TLS. We enforce HTTP Strict Transport Security (HSTS) so browsers only ever connect over an encrypted channel.

Authentication & sessions

Login tokens are stored in httpOnly, Secure, SameSite=Strict cookies and are never exposed to client-side JavaScript or browser storage. Access tokens are short-lived (15 minutes) with automatic rotation, limiting the impact of any single leaked token.

Authorisation & data isolation

Every access-control decision is enforced on the server. Your areas of interest, searches and preferences are scoped to your account — other users cannot read or address your data, even by guessing identifiers.

Application hardening

We apply a Content-Security-Policy and a baseline of security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) across the application to reduce the risk of injection and clickjacking.

Secrets & source protection

No credentials or signing keys are shipped to the browser or committed to source control. Sensitive operations and signing keys remain server-side only.

Your data & privacy rights

We collect the minimum data needed to operate the service, and analytics are anonymised (IP addresses are truncated). You can export or permanently delete your account data at any time from Settings → Privacy & Data. See our Privacy Policy for details.

Responsible disclosure

If you discover a security issue, please report it to [security email]. We welcome responsible disclosure and will work with you to resolve verified issues promptly.

Certifications

We are not currently certified under ISO 27001 or SOC 2. For enterprise engagements with specific compliance requirements, please contact us to discuss your needs.