Security
Last updated: April 2026
In transit and at rest
Every connection to LyncView uses HTTPS / TLS. HSTS is preloaded so your browser refuses to talk to us over plain HTTP. Account data and project data are stored in encrypted databases on Turso (libSQL), which encrypts data at rest and in transit between Turso's edges.
Authentication
Passwords are hashed with bcrypt before storage — even we cannot read your password. Sessions are signed JWTs delivered via httpOnly, secure, sameSite=lax cookies. Login, register, and password-reset endpoints are rate limited per IP. Two-factor authentication is on our roadmap.
Authorization
Every API route checks the requesting session and verifies the user owns the resource being read or written. Project access is enforced at the database query level, and every query is parameterized: there is no string-interpolated SQL anywhere in the codebase.
Infrastructure
- Hosted on Vercel (US). Built and deployed from a private GitHub repository
- Database: Turso (libSQL)
- AI processing: Anthropic. Email content is not used to train models
- Subscription billing: Stripe. We never see card numbers
- Optional Gmail integration: read-only OAuth scope, only when you connect
Headers and browser hardening
Every response sets HSTS, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy denying camera/microphone/geolocation, and Cross-Origin-Opener-Policy: same-origin.
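The header list above, together with the cookie attributes named under Authentication, can be checked mechanically against a response. The following is an added example, not LyncView's own code: `auditResponse` is a hypothetical helper, and the sample responses, the cookie name `session` and the `max-age` value are constructed for illustration.

```javascript
// Added example. Header names are lower-cased keys; "set-cookie" is an array, as in Node.
const EXACT = {
  "x-content-type-options": "nosniff",
  "x-frame-options": "sameorigin",
  "referrer-policy": "strict-origin-when-cross-origin",
  "cross-origin-opener-policy": "same-origin",
};
const DENIED_FEATURES = ["camera", "microphone", "geolocation"];
function auditResponse(headers) {
  const findings = [];
  for (const [name, want] of Object.entries(EXACT)) {
    const got = (headers[name] || "").trim().toLowerCase();
    if (got !== want) findings.push(`${name}: expected "${want}", got "${got}"`);
  }
  // HSTS: require a positive max-age and the preload directive.
  const hsts = (headers["strict-transport-security"] || "").toLowerCase();
  const maxAge = /max-age=(\d+)/.exec(hsts);
  if (!maxAge || Number(maxAge[1]) === 0) findings.push("hsts: missing or zero max-age");
  if (!/(^|;)\s*preload\s*(;|$)/.test(hsts)) findings.push("hsts: no preload directive");
  // Permissions-Policy: a feature is denied only by an empty allowlist, e.g. camera=().
  const policy = Object.fromEntries((headers["permissions-policy"] || "").split(",")
    .map((d) => d.trim().toLowerCase().split("=")));
  for (const f of DENIED_FEATURES) {
    if (policy[f] !== "()") findings.push(`permissions-policy: ${f} not denied`);
  }
  // Cookies: every cookie in the response must carry all three attributes.
  for (const cookie of headers["set-cookie"] || []) {
    const [pair, ...attrs] = cookie.split(";").map((s) => s.trim());
    const flags = attrs.map((a) => a.toLowerCase());
    for (const need of ["httponly", "secure", "samesite=lax"]) {
      if (!flags.includes(need)) findings.push(`cookie ${pair.split("=")[0]}: missing ${need}`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const compliant = {
  ...EXACT,
  "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
  "set-cookie": ["session=constructed-token; HttpOnly; Secure; SameSite=Lax; Path=/"],
};
const weakened = {
  ...compliant,
  "x-frame-options": "", "strict-transport-security": "max-age=63072000; includeSubDomains",
  "permissions-policy": "camera=(), microphone=(self), geolocation=()",
  "set-cookie": ["session=constructed-token; HttpOnly; SameSite=Lax"],
};
```

`auditResponse(compliant)` returns an empty list, while `auditResponse(weakened)` reports the missing frame header, the absent preload directive, the microphone allowlist and the cookie without `Secure`.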
Backups
Turso provides point-in-time database backups. Account deletion removes data within 30 days, except where retention is required by law.
Reporting a vulnerability
If you believe you have found a security issue, please email support@lyncview.com with details. We acknowledge reports within 1 business day and treat them as P0. Please do not publicly disclose the issue until we have had a chance to fix it.