Security
How we protect your data.
Security is foundational, not bolted on. Here’s how we approach it — and how to tell us if you find something we missed.
Encryption
All traffic is TLS-encrypted in transit. Data at rest is encrypted by our database provider (AES-256). API keys are stored as SHA-256 hashes — we never see your plaintext key after creation.
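As an added illustration of the key-handling pattern described above (example code, not the site's own implementation), this Python sketch mints a high-entropy API key, persists only its SHA-256 digest in a constructed in-memory store standing in for the database, and authenticates by re-hashing whatever key is presented; the store, function names and `ak_` prefix are assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-in for the database table of key hashes.
# Only the SHA-256 hex digest of each key is persisted; the plaintext key
# exists only in the response that hands it to the user at creation time.
KEY_STORE: Dict[str, str] = {}  # sha256 hex digest -> account id


def _digest(api_key: str) -> str:
    """SHA-256 hex digest of the key bytes; this is all the server keeps."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def create_api_key(account_id: str) -> str:
    """Mint a new key, persist only its hash, return the plaintext exactly once."""
    # 32 random bytes gives 256 bits of entropy. Because the key is random and
    # unguessable, a fast unsalted hash is adequate here; human-chosen passwords
    # are low-entropy and therefore need a slow, salted hash such as bcrypt.
    api_key = "ak_" + secrets.token_urlsafe(32)
    KEY_STORE[_digest(api_key)] = account_id
    return api_key


def authenticate(presented_key: str) -> Optional[str]:
    """Return the account id owning the presented key, or None if unknown.

    Verification never needs the plaintext on the server side: the presented
    key is hashed and the digest is looked up, so a leaked KEY_STORE exposes
    digests that cannot be turned back into usable keys.
    """
    return KEY_STORE.get(_digest(presented_key))


def revoke_api_key(presented_key: str) -> bool:
    """Key rotation / revocation: drop the digest so the old key stops working."""
    return KEY_STORE.pop(_digest(presented_key), None) is not None
```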
Authentication
Passwords are hashed via bcrypt. Magic-link and OAuth (Google) supported. Session cookies are HttpOnly, Secure, and SameSite=Lax. No long-lived tokens in the browser.
Access control
Postgres Row-Level Security (RLS) on every table. Service-role access is reserved for trusted server-side jobs. Audit logs record every privileged action.
Privacy
We hash IP addresses on public scans. We don’t store credit cards (Stripe holds them). We never sell or share customer data with third parties for marketing.
Audit trail
Sign-ins, plan changes, key rotations, and data exports are written to an append-only audit log. Available to you on request.
Dependencies
Production dependencies are pinned. Vulnerability advisories trigger a review within 24 hours. No bundled telemetry from third parties on the dashboard.
Reporting
Responsible disclosure.
If you’ve found a vulnerability — anything from a low-impact info leak to a serious flaw — please tell us before disclosing publicly. We’ll work with you to fix it quickly.
hello@aeoptimiser.io
Use “Security disclosure” in the subject. We acknowledge within 48 hours.
security.txt
/.well-known/security.txt
RFC 9116 disclosure file with current contacts and policy URL.
In scope
- aiseolab.ai and its subdomains
- Our public REST API
- Our official WordPress plugin
- Authentication and session handling
Out of scope
- Third-party services we don’t operate
- Theoretical issues without a working PoC
- Volumetric DDoS / brute-force without compromise
- Self-XSS / social engineering
Our commitment
- Acknowledge receipt within 48 hours.
- Triage + first response within 5 working days.
- Patch confirmed criticals within 30 days. Lower-severity issues handled in priority order.
- Credit reporters publicly (if you want), once the issue is resolved.