Enterprise-Grade Security

Your family recipes are protected by the same security standards used by Fortune 500 companies and financial institutions.

OWASP Top 10 CompliantGDPR-ReadyHIPAA-AwareSOC 2 Type II (In Progress)

7 Layers of Defense-in-Depth Security

Multiple overlapping security controls ensure your recipes remain safe even if one layer is compromised.

Layer 1: Network Security

DDoS protection, rate limiting, and HTTPS enforcement

100 requests per 15 minutes per IP
HSTS headers with 1-year max age
IP blacklisting for repeated violations
Exponential backoff for abusers

Layer 2: Authentication & Authorization

Military-grade password security and session management

bcrypt password hashing (12 salt rounds)
HttpOnly cookies with SameSite=Strict
OAuth 2.0 with PKCE for Google/Facebook
JWT tokens with 30-day secure expiry

Layer 3: Input Validation

Comprehensive validation and sanitization of all user input

Zod schema validation on all inputs
DOMPurify HTML sanitization (XSS prevention)
Magic byte file verification (not just extensions)
SQL injection prevention via Prisma ORM

Layer 4: API Security

Role-based access control and secure API endpoints

JWT authentication on all protected routes
Role-based authorization (FREE, PREMIUM, ADMIN)
Resource ownership validation
Security headers via helmet.js

Layer 5: Content Security Policy

Strict CSP headers preventing unauthorized scripts

default-src self (block external resources)
script-src whitelist (Stripe only)
frame-ancestors none (clickjacking prevention)
upgrade-insecure-requests (force HTTPS)

Layer 6: Database Security

AES-256 encryption at rest and in transit

Prepared statements (SQL injection prevention)
TLS 1.3 encrypted connections
Database user with minimal privileges
Regular encrypted backups

Layer 7: OCR & File Processing

Sandboxed file processing with resource limits

Virus scanning before OCR processing
25MB max file size enforcement
30-second processing timeout
Isolated worker processes

OWASP Top 10 Threat Protection

We actively defend against the most common web application security risks identified by OWASP.

Cross-Site Scripting (XSS)

DOMPurify sanitization on all user input
CSP headers blocking inline scripts
React automatic escaping

SQL Injection

Prisma ORM with prepared statements
No raw SQL queries
Input validation with Zod

Cross-Site Request Forgery (CSRF)

SameSite=Strict cookies
CSRF tokens (NextAuth built-in)
Origin header validation

Brute Force Attacks

Rate limiting (5 login attempts per 15 min)
Account lockout after failed attempts
Exponential backoff

Denial of Service (DoS)

Rate limiting per IP and user
File size and processing time limits
Request timeout enforcement

Session Hijacking

HttpOnly cookies (no JavaScript access)
Secure cookies (HTTPS only)
Short session expiry (30 days)

Your Data, Your Control

What We Protect:

Recipe photos and digitized text
Personal information (name, email)
Health data (dietary restrictions)
Payment information (PCI-DSS via Stripe)

Your Rights:

Download all your data (JSON export)
Delete your account anytime (30-day grace period)
Control recipe sharing permissions
Opt-out of analytics (privacy-first)

We NEVER sell your data.

Your recipes and personal information are yours alone. Our revenue comes from subscriptions, not data mining. We comply with GDPR, CCPA, and other privacy regulations worldwide.

24/7 Security Monitoring

We continuously monitor for threats and respond to security incidents within minutes.

Real-Time Alerts

Automated alerts for suspicious activity, failed logins, and rate limit violations

Quarterly Audits

Regular penetration testing and security audits by third-party experts

Incident Response

Documented incident response plan with 24-hour response time for critical issues

Responsible Disclosure

Found a security vulnerability? We take all reports seriously and respond within 24 hours. We follow a 90-day responsible disclosure policy.

Report Security Issue General Contact

Last Security Audit: September 30, 2025 • Next Audit: December 30, 2025