At mycentral.domains, security is foundational — not an afterthought. We protect your domain portfolio, credentials, and personal data with defense-in-depth practices across every layer of our infrastructure.
1. Infrastructure Security
- Hosting: The Platform runs on Vercel's globally distributed edge network with automatic DDoS mitigation, WAF, and isolation per deployment.
- Database: Data is stored in Supabase (PostgreSQL) with row-level security (RLS) policies, encrypted connections, and daily automated backups.
- CDN & Edge: Static assets are served from Vercel's CDN with HTTPS enforced across all endpoints.
2. Encryption
| Layer | Standard |
|---|---|
| In transit | TLS 1.3 enforced on all connections |
| At rest | AES-256 encryption for all stored data |
| Secrets & credentials | Encrypted with per-user keys; never stored in plaintext |
| Web3 wallet signing | SIWE (EIP-4361) — private keys never leave your wallet |
3. Authentication & Access Control
- Email/Password: Passwords are hashed using bcrypt with a cost (work) factor of 12.
- Sign-In With Ethereum (SIWE): Cryptographic signature verification — no seed phrases or private keys are ever transmitted to our servers.
- Session Management: Secure, HTTP-only cookies with short-lived access tokens and rotating refresh tokens.
- Role-Based Access Control: Team and enterprise plans support granular permission management.
4. Application Security
- All API endpoints are protected with rate limiting, CSRF protection, and input validation.
- We follow the OWASP Top 10 security guidelines throughout our development lifecycle.
- Dependency vulnerabilities are continuously monitored with automated scanning tools.
- Code changes undergo peer review and automated security linting before deployment.
5. Vulnerability Disclosure Program
We welcome responsible security research. If you discover a vulnerability in our platform, please report it to security@mycentral.domains (see the Contact section below).
Disclosure Guidelines
- Provide a detailed description of the vulnerability, including steps to reproduce.
- Give us a reasonable window (at least 90 days) to address the issue before public disclosure.
- Do not access, modify, or delete data belonging to other users during testing.
- Do not conduct denial-of-service attacks or social engineering against our team.
What We Offer
- Acknowledgement: We will credit you (with your permission) in our security advisories.
- Response Time: We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.
- Safe Harbor: We will not take legal action against researchers who act in good faith and follow these guidelines.
6. Incident Response
Our incident response process includes:
- Detection: 24/7 monitoring with automated alerting for anomalous activity.
- Containment: Immediate isolation of affected systems and credential rotation.
- Notification: Affected users are notified within 72 hours of a confirmed breach, in compliance with GDPR Article 33.
- Remediation: Root cause analysis, patching, and hardening measures deployed.
- Post-Mortem: Published internally with lessons learned and preventive actions.
7. Compliance & Standards
- GDPR: Full compliance — see our GDPR Compliance page.
- SOC 2 Type II: Audit in progress — we are committed to achieving certification.
- CCPA: We comply with the California Consumer Privacy Act for applicable users.
8. Data Backup & Recovery
- Automated daily backups with point-in-time recovery.
- Backups encrypted at rest and stored in geographically separate regions.
- Recovery procedures tested quarterly.
9. Contact
| Purpose | Contact |
|---|---|
| Vulnerability reports | security@mycentral.domains |
| General security questions | support@mycentral.domains |
| Report abuse | abuse@mycentral.domains |