Security.

The defences we run, the encryption we use, and how we respond when something goes wrong.

Encryption

At rest. Object storage native AES-256. V2 adds per-user envelope encryption with KMS-held master keys.
In transit. TLS 1.3 only. HSTS preload. No fallback to TLS 1.2.
Application secrets. AWS Secrets Manager in production. Never committed to source.

Authentication

Argon2id password hashing — 64 MiB memory cost, t=3, p=1.
HIBP-style breach-list check at signup and password change.
Per-IP and per-account rate limiting on auth endpoints.
Lockout after 10 failed attempts in 10 min, sliding window.

Sharing

Share tokens are 32-character random IDs. Optional argon2id-hashed password gate. Optional max-access counter. Optional expiry (24h, 7d, custom). Owner can revoke from the dashboard — soft-delete is instant.

Reporting a vulnerability

Email security@zyqual.com. We respond within 24 hours. Bug bounty payouts launch with V2.

Do not file public GitHub issues for security bugs. We use private security advisories.