Security Policy

TokenLens takes security seriously. This page describes our security practices and how to report vulnerabilities.

Responsible Disclosure

If you discover a security vulnerability, please report it to support@tokenlens.co.

• We acknowledge reports within 48 hours
• We provide a resolution timeline within 5 business days
• We will not pursue legal action against researchers acting in good faith
• We credit researchers (with permission) in our security advisories

Infrastructure Security

• ✓ All traffic encrypted with TLS 1.2+ (HTTPS enforced via HSTS)
• ✓ Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
• ✓ API responses include no-cache directives to prevent sensitive data leakage
• ✓ Permissions-Policy blocks unnecessary browser APIs (camera, mic, geolocation)

Authentication & Access

• ✓ Passwords hashed with bcrypt (12 rounds)
• ✓ JWT tokens with HMAC-SHA256 signing and configurable expiry
• ✓ Optional TOTP-based MFA (RFC 6238)
• ✓ Password strength validation (rejects common passwords, requires complexity)
• ✓ Login rate limiting per IP address
• ✓ API keys with secure random generation (tl_ prefix)
• ✓ Disposable email domain detection on registration

Data Protection

• ✓ Read-only analysis — we never call AI APIs on your behalf
• ✓ No API key storage — we never ask for your OpenAI/Anthropic keys
• ✓ Time-limited data retention (7 days Free, 90 days Starter, 1 year Growth)
• ✓ Encryption at rest for paid plans
• ✓ Self-hosted deployment option for Enterprise (data never leaves your network)
• ✓ User data deletion on request

Application Security

• ✓ Plan-level feature gating on every API endpoint
• ✓ Per-plan API rate limiting with sliding window
• ✓ Input validation on all file uploads and form inputs
• ✓ Stripe webhook signature verification (HMAC-SHA256)
• ✓ No sensitive data in URL parameters
• ✓ OpenAPI/Swagger docs disabled in production

Compliance Roadmap

• SOC 2 Type II — planned
• GDPR DPA — available for Growth and Enterprise plans
• HIPAA BAA — available for Enterprise plans

Last updated: February 2026 · support@tokenlens.co