Account Security

We implement industry-standard security practices to protect your account, your content, and your data — and give you full control.

Last updated: February 2026

Platform Security

  • Encryption in transit: All connections use TLS 1.3. No unencrypted HTTP.
  • Encryption at rest: Databases and file storage are encrypted using AES-256.
  • Password hashing: Passwords are hashed using bcrypt with per-user salts. We never store plaintext passwords.
  • Session management: JWT-based sessions with automatic expiration and refresh.
  • Rate limiting: API endpoints are rate-limited to prevent brute force attacks.
  • CSRF protection: All state-changing operations require valid CSRF tokens.
  • Content Security Policy: Strict CSP headers prevent XSS and injection attacks.

Account Protection Features

  • Email verification: Required for all new accounts before full platform access.
  • Login alerts: Notifications when your account is accessed from a new device or location.
  • Session management: View and revoke active sessions from your Settings.
  • Password requirements: Minimum 8 characters with complexity recommendations.
  • Account recovery: Secure password reset via verified email with time-limited tokens.

Best Practices for Users

  • Use a unique, strong password that you don't use on other sites.
  • Keep your email address up to date for account recovery.
  • Review active sessions periodically and revoke any you don't recognize.
  • Be cautious of phishing attempts — Vynzoa will never ask for your password via email or messages.
  • Log out of shared or public devices after use.
  • Report suspicious activity immediately via Settings → Security.

Suspicious Activity Detection

Vynzoa automatically monitors for and responds to suspicious activity:

  • Unusual login locations: Access from new countries triggers verification.
  • Rapid failed attempts: Multiple incorrect passwords temporarily lock the account.
  • Impossible travel: Logins from locations that could not plausibly be reached in the time since the previous login are flagged.
  • Automated behavior: Bot-like activity triggers CAPTCHA or rate limiting.

Incident Response

In the event of a security incident affecting user data:

  • We will investigate and contain the incident within 24 hours of detection.
  • Affected users will be notified within 72 hours with details and recommended actions.
  • Relevant authorities will be notified as required by law.
  • A public post-incident report will be published within 30 days.
  • Affected passwords are automatically invalidated, requiring secure reset.

Vulnerability Disclosure

Security researchers who discover vulnerabilities in Vynzoa are encouraged to report them responsibly:

  • Email: security@vynzoa.com
  • Include a detailed description, steps to reproduce, and potential impact.
  • We will acknowledge receipt within 48 hours and provide regular updates on remediation.
  • We will not pursue legal action against researchers who follow responsible disclosure practices.

Think your account is compromised? Immediately change your password at Settings → Security, revoke all active sessions, and contact security@vynzoa.com.