
Security

Last updated: April 30, 2026

HTTPS everywhere

TLS for all traffic. HSTS preloaded.

Encrypted at rest

Database & file storage encrypted at rest.

Bcrypt passwords

We can't read your password. Period.

Rate-limited

Brute-force protection on every auth endpoint.

Parameterized SQL

Zero string-interpolated queries in the codebase.

Read-only Gmail

AI never sends, never deletes, never modifies.

In transit and at rest

Every connection to LyncView uses HTTPS (TLS). HSTS is preloaded, so a browser that ships the preload list refuses to talk to us over plain HTTP even on its first visit. Account data and project data are stored in encrypted databases on Turso (libSQL), which encrypts data at rest and in transit between Turso's edges.

Authentication

Passwords are hashed with bcrypt before storage, so even we cannot read your password. Sessions are signed JWTs delivered in httpOnly, secure, sameSite=lax cookies. The login, register and password-reset endpoints are rate limited per IP. Login is timing-safe: the response takes the same time whether or not the email exists, so response time cannot be used to enumerate accounts. An account is locked for 15 minutes after 5 failed attempts. Resetting your password invalidates every existing session on every device. Two-factor authentication is on our roadmap.
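The flow above, as an added example written for this page (it is not LyncView's code). Two stand-ins are assumptions so that it runs with nothing but the Python standard library: scrypt from hashlib stands in for bcrypt, and an HMAC-signed "email:version:signature" token stands in for the signed JWT; the user table is an in-memory dict. The points it shows are the ones the paragraph makes: the password hash is always computed, even for an unknown or locked account, so timing reveals nothing; five failures lock the account for 15 minutes; and a session version bumped on password reset invalidates every token issued before it.

```python
import hashlib
import hmac
import os
import time

# Example added for this page; not LyncView's code.
# scrypt stands in for bcrypt (assumption) so the example needs no packages;
# the login logic does not depend on which slow hash is used.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
SERVER_KEY = os.urandom(32)  # session signing key, per process in this demo

users = {}  # in-memory stand-in for the accounts table (assumption)


def hash_password(password):
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# Verified against this hash when the email is unknown, so the request costs
# the same time whether or not the account exists.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def register(email, password):
    users[email] = {"hash": hash_password(password), "failures": 0,
                    "locked_until": 0.0, "session_version": 1}


def issue_session(email, version):
    payload = f"{email}:{version}"
    sig = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{sig}"


def validate_session(token):
    parts = token.rsplit(":", 2)
    if len(parts) != 3:
        return None
    email, version, sig = parts
    expected = hmac.new(SERVER_KEY, f"{email}:{version}".encode(), "sha256").hexdigest()
    user = users.get(email)
    if user is None or not hmac.compare_digest(sig, expected):
        return None
    # A token minted before the last password reset carries a stale version.
    if int(version) != user["session_version"]:
        return None
    return email


def login(email, password, now=None):
    now = time.time() if now is None else now
    user = users.get(email)
    # Always do the full hash comparison, so timing does not distinguish
    # "unknown email", "locked account" and "wrong password".
    ok = verify_password(password, user["hash"] if user else DUMMY_HASH)
    if user is None or user["locked_until"] > now:
        return None
    if not ok:
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
        return None
    user["failures"] = 0
    return issue_session(email, user["session_version"])


def reset_password(email, new_password):
    user = users[email]
    user["hash"] = hash_password(new_password)
    user["session_version"] += 1  # every previously issued session now fails
    user["failures"], user["locked_until"] = 0, 0.0
```

Note that the lock check happens after the hash comparison, not before: returning early for a locked account would make a locked (and therefore existing) account distinguishable from an unknown one by response time.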

Authorization

Every API route checks the requesting session and verifies that the user owns the resource being read or written. Project access is enforced in the database query itself, and every query is parameterized: there is no string-interpolated SQL anywhere in the codebase.
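The ownership-in-the-query pattern, as an added example written for this page (not LyncView's code). An in-memory sqlite3 database with three constructed rows stands in for Turso/libSQL (assumption); the pattern is the same there. The unsafe variant is included only for contrast, to show what string interpolation gives away: a value such as "3 OR 1=1" rewrites the WHERE clause, while the same value bound as a parameter is just a non-matching id.

```python
import sqlite3

# Example added for this page; not LyncView's code.
# sqlite3 stands in for Turso/libSQL (assumption); rows are constructed.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE projects (id INTEGER PRIMARY KEY, "
               "owner_id INTEGER NOT NULL, name TEXT NOT NULL)")
    db.executemany("INSERT INTO projects VALUES (?, ?, ?)", [
        (1, 100, "alice plan"), (2, 100, "alice roadmap"), (3, 200, "bob private")])
    return db


def get_project_unsafe(db, user_id, project_id):
    # Anti-pattern, shown for contrast only: the request value is pasted into
    # the SQL, so "3 OR 1=1" becomes part of the WHERE clause and the owner
    # check is bypassed.
    sql = (f"SELECT id, name FROM projects WHERE id = {project_id} "
           f"AND owner_id = {user_id} ORDER BY id")
    return db.execute(sql).fetchall()


def get_project(db, user_id, project_id):
    # The owner id comes from the verified session and is part of the query,
    # so a project the user does not own is simply not found. Bound
    # parameters are data only and never alter the statement.
    sql = "SELECT id, name FROM projects WHERE id = ? AND owner_id = ? ORDER BY id"
    return db.execute(sql, (project_id, user_id)).fetchall()


def rename_project(db, user_id, project_id, new_name):
    # Writes carry the same condition; rowcount tells the route whether
    # anything matched, so it can answer 404 instead of silently succeeding.
    cur = db.execute("UPDATE projects SET name = ? WHERE id = ? AND owner_id = ?",
                     (new_name, project_id, user_id))
    return cur.rowcount == 1
```

Checking rowcount on writes matters as much as the WHERE clause on reads: an UPDATE whose condition matched nothing is not an error to the database, so the route has to turn "zero rows" into a not-found response itself.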

Infrastructure

  • Hosted on Vercel (US). Built and deployed from a private GitHub repository
  • Database: Turso (libSQL)
  • AI processing: Anthropic. Email content is not used to train models
  • Subscription billing: Stripe. We never see card numbers
  • Optional Gmail integration: read-only OAuth scope, only when you connect

Headers and browser hardening

Every response sets the following headers:

  • Content-Security-Policy (strict)
  • Strict-Transport-Security (HSTS, preloaded)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY (no embedding allowed)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy denying camera, microphone and geolocation
  • Cross-Origin-Opener-Policy: same-origin
  • Cross-Origin-Resource-Policy: same-origin
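A check a reviewer would run against a response to confirm the policy above, as an added example written for this page (not LyncView's code). Both header sets are constructed: the strict one mirrors the policy described above, the weak one is a deliberately poor baseline. The checker encodes the requirements the policy implies, including the HSTS preload list's conditions (max-age of at least one year, includeSubDomains and preload) and the rule that 'unsafe-inline' in a script source only counts as a weakness when no nonce or hash is present, since browsers ignore it otherwise.

```python
# Example added for this page; not LyncView's code. Sample headers are constructed.

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def _hsts(value):
    """Return (max_age, includeSubDomains, preload) from an HSTS header value."""
    tokens = [t.strip().lower() for t in value.split(";") if t.strip()]
    max_age = 0
    for t in tokens:
        if t.startswith("max-age="):
            try:
                max_age = int(t[len("max-age="):])
            except ValueError:
                pass
    return max_age, "includesubdomains" in tokens, "preload" in tokens


def _csp(value):
    """Return {directive: set of source expressions} from a CSP header value."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = set(tokens[1:])
    return out


def check_security_headers(headers):
    """Return a list of finding codes; an empty list means the policy is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    max_age, subdomains, preload = _hsts(h.get("strict-transport-security", ""))
    if max_age < ONE_YEAR:            # preload list requires at least one year
        findings.append("hsts-max-age")
    if not subdomains:
        findings.append("hsts-includesubdomains")
    if not preload:
        findings.append("hsts-preload")

    csp = _csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("csp-missing")
    else:
        scripts = csp.get("script-src", csp.get("default-src", set()))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if {"'unsafe-inline'", "*"} & scripts and not has_nonce_or_hash:
            findings.append("csp-script-unsafe")
    # Framing must be blocked by frame-ancestors or a restrictive X-Frame-Options.
    if "frame-ancestors" not in csp and \
            h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("framing-allowed")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("referrer-policy")
    if h.get("cross-origin-opener-policy", "").lower() != "same-origin":
        findings.append("coop")
    if h.get("cross-origin-resource-policy", "").lower() not in {"same-origin", "same-site"}:
        findings.append("corp")
    if "permissions-policy" not in h:
        findings.append("permissions-policy")
    return findings


# Constructed sample: a header set matching the policy described on this page.
STRICT = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed sample: a weak baseline that the checker should flag throughout.
WEAK = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}
```

To run it against a live response, pass `dict(resp.getheaders())` from `urllib.request.urlopen(url)`; header names are matched case-insensitively, so the capitalization a server uses does not matter.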

Data ownership and export

Your data is yours. We don't train AI on it, don't sell it, don't share it with third parties for marketing. CSV export of projects and tasks is available from the dashboard at any time. Full data export including files is available on request. If you cancel, your data stays accessible for 30 days for export before it's deleted.

Backups and recovery

Turso provides point-in-time database backups. Account deletion removes data within 30 days, except where retention is required by law.

Compliance

LyncView is not currently SOC 2 / ISO 27001 certified: we're a small independent business and a formal audit isn't economical at our current scale. Each of the providers we build on (Vercel, Turso, Stripe, Anthropic) holds its own independent certifications. If your procurement process requires a security questionnaire (SIG, CAIQ, custom), email support@lyncview.com and we'll fill it out.

Reporting a vulnerability

If you believe you have found a security issue, please email support@lyncview.com with details. We acknowledge reports within 1 business day and treat them as P0. Please do not publicly disclose the issue until we have had a chance to fix it.

Ready to give it a try?

Spin up an account in two minutes. No credit card. Cancel anytime.