Enterprise-Grade Security

Security at Thyonix

We take the security of your data seriously. Our infrastructure is built with industry-leading security practices to protect your information.

End-to-End Encryption

All data transmitted between your browser and our servers is encrypted using TLS 1.3.

Secure Infrastructure

Hosted on Vercel with automatic HTTPS, DDoS protection, and enterprise-grade reliability.

Access Controls

Multi-factor authentication, role-based access, and session management to protect accounts.

Privacy by Design

We collect only the data necessary to provide our service and never sell your information.

Data Protection

Encryption

  • In Transit: All data is encrypted over HTTPS using TLS 1.3
  • At Rest: Sensitive data (passwords, API keys, payment info) is encrypted in our database
  • Password Storage: Passwords are hashed using bcrypt with an industry-standard cost factor (salt rounds)

Data Storage

  • Database: Hosted on secure, isolated database servers with regular backups
  • File Uploads: Images and files stored securely via UploadThing with access controls
  • Backups: Automated daily backups with 30-day retention for disaster recovery
  • Data Isolation: Each customer's data is logically isolated to prevent unauthorized access

Access Control & Authentication

Authentication

  • NextAuth.js: Industry-standard authentication library with session management
  • Password Requirements: Minimum 8 characters with complexity requirements
  • Session Security: Secure, HTTP-only cookies with automatic expiration
  • OAuth Support: Google OAuth for secure, passwordless login
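The "Session Security" item above names the cookie attributes a session token should carry. The following is an added illustration, not Thyonix's or NextAuth.js's own code: a small helper that emits a session cookie with those attributes and an audit function that flags a Set-Cookie header missing any of them. The cookie name, token value and the 8-hour lifetime are assumed sample values.

```javascript
// Added illustration of the session-cookie attributes listed above
// (Secure, HttpOnly, automatic expiration). Hypothetical helper code,
// not Thyonix's or NextAuth.js's implementation.

const SESSION_TTL_SECONDS = 60 * 60 * 8; // 8-hour session lifetime (assumed value)

// Build a Set-Cookie header value for a session token.
// Secure: only sent over HTTPS; HttpOnly: not readable from page scripts;
// SameSite=Lax: not attached to cross-site POSTs; Max-Age/Expires: the
// browser discards the cookie automatically when the session lifetime ends.
function buildSessionCookie(name, token, ttlSeconds = SESSION_TTL_SECONDS) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  // Reject whitespace, separators and control characters so a value cannot
  // smuggle extra attributes into the header.
  if (/[\s;,"\\\x00-\x1f\x7f]/.test(token)) throw new Error("invalid cookie value");
  const expires = new Date(Date.now() + ttlSeconds * 1000).toUTCString();
  return [
    `${name}=${token}`,
    `Max-Age=${ttlSeconds}`,
    `Expires=${expires}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Parse a Set-Cookie header into its name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Audit a Set-Cookie header for the protections a session cookie should carry.
// Returns a list of findings; an empty list means the cookie passes.
function auditSessionCookie(header) {
  const { attributes: a } = parseSetCookie(header);
  const findings = [];
  if (!a.httponly) findings.push("missing HttpOnly: token readable by injected scripts");
  if (!a.secure) findings.push("missing Secure: token may be sent over plain HTTP");
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : "";
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push("SameSite not Lax/Strict: cookie attached to cross-site requests");
  }
  if (!("max-age" in a) && !("expires" in a)) {
    findings.push("no Max-Age/Expires: session never expires automatically");
  }
  if ("max-age" in a && Number(a["max-age"]) > 60 * 60 * 24 * 30) {
    findings.push("Max-Age longer than 30 days: session lifetime is excessive");
  }
  return findings;
}

// Constructed samples: a weak cookie beside the hardened one.
const WEAK_COOKIE = "session=abc123; Path=/";
const HARDENED_COOKIE = buildSessionCookie("session", "abc123");

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak:", auditSessionCookie(WEAK_COOKIE));
  console.log("hardened:", auditSessionCookie(HARDENED_COOKIE));
}
```

Running the file prints four findings for the weak cookie and none for the hardened one. The audit function is also usable on its own against headers captured from a staging deployment, which is a cheap way to confirm that a framework's cookie settings match what a security page claims.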

Access Controls

  • Role-Based Access: Team members have defined roles (Admin, Member) with appropriate permissions
  • API Security: All API endpoints are authenticated and rate-limited
  • Account Deletion: Users can delete their account and all associated data at any time

Infrastructure Security

Hosting & Network

  • Vercel Platform: Enterprise-grade hosting with automatic scaling and DDoS protection
  • Global CDN: Content delivered via edge network for speed and reliability
  • Automatic HTTPS: SSL/TLS certificates automatically managed and renewed
  • Firewall Protection: Network-level firewall rules to block malicious traffic

Monitoring & Logging

  • 24/7 Monitoring: Automated monitoring for uptime, performance, and security incidents
  • Security Logs: All authentication attempts and sensitive actions are logged
  • Anomaly Detection: Automated alerts for suspicious activity patterns
  • Incident Response: Dedicated team ready to respond to security events

Third-Party Security

We carefully vet all third-party services and only integrate with industry-leading, security-focused providers:

  • Stripe: PCI DSS Level 1 certified for payment processing (we never store credit card data)
  • Google Cloud: SOC 2, ISO 27001 certified for Google Places API
  • Email Providers: Enterprise-grade security from Gmail, Outlook, Resend, Zoho
  • WhatsApp Business API: End-to-end encrypted messaging via Meta's official API
  • UploadThing: Secure file storage with access controls and malware scanning

Compliance & Best Practices

Standards & Regulations

  • GDPR Compliant: Full compliance with EU data protection regulations
  • CCPA Compliant: California Consumer Privacy Act compliance
  • CAN-SPAM Act: Email campaigns comply with anti-spam regulations
  • OWASP Top 10: Protection against common web vulnerabilities

Development Practices

  • Secure Code Review: All code changes undergo security review before deployment
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Penetration Testing: Regular security audits and penetration tests
  • Bug Bounty: Responsible disclosure program for security researchers

Incident Response

In the unlikely event of a security incident:

  • Immediate Response: Our team is alerted immediately and begins investigation
  • User Notification: Affected users are notified within 72 hours as required by GDPR
  • Containment: Immediate steps taken to contain and remediate the issue
  • Post-Mortem: Detailed analysis and improvements to prevent future incidents

Your Responsibilities

Security is a shared responsibility. You can help protect your account by:

  • Using a strong, unique password for your Thyonix account
  • Never sharing your password with others
  • Logging out of shared or public devices
  • Keeping your browser and operating system up to date
  • Being cautious of phishing attempts
  • Reporting suspicious activity immediately

Report a Security Issue

If you discover a security vulnerability in Thyonix, please report it responsibly:

Security Team

Email: security@thyonix.io

Please include detailed steps to reproduce the issue. We aim to respond within 48 hours and will keep you updated throughout our investigation.

Questions?

If you have questions about our security practices, please contact us at security@thyonix.io.