Security Policy

Security is core to TinTorch. This page summarizes our practices and how to report issues.

How we protect data

All traffic is served over HTTPS with HSTS. Downloads use signed, expiring tokens. Optional download passwords are stored as bcrypt hashes — never in plaintext. Files are deleted on a strict retention schedule. We apply CSP, secure cookies, CSRF protection and rate limiting.

Reporting a vulnerability

Please disclose security issues responsibly to abuse@tintorch.com. We aim to acknowledge reports within 72 hours.