Security
RTC Collector takes security seriously. Your account, data, and transactions are protected with industry-standard security measures.

Account Security
Password Protection
Strong Passwords: We require:
- Minimum 8 characters
- Mix of uppercase and lowercase
- At least one number
- Special characters recommended
Password Hashing: Passwords are hashed using bcrypt with 12 salt rounds. We never store plain-text passwords.
Password Reset: Secure token-based reset via email with time-limited links.
Two-Factor Authentication (2FA)
Add an extra security layer with TOTP-based 2FA:
How It Works:
- Enter email and password
- Enter 6-digit code from authenticator app
- Access granted only with both
Supported Apps:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
- Any TOTP-compatible app
Backup Codes: 10 one-time codes for emergency access if you lose your authenticator.
Setup: Go to Settings → Account Security → Enable 2FA
See Settings & Privacy for setup instructions.
Google OAuth
Sign in with your Google account for quick, secure access:
- Click Sign in with Google on the login page
- Authenticate with your Google account
- Your RTC Collector account is linked automatically
Google OAuth is available alongside email/password login. You can link or unlink your Google account in Settings → Account Security.
Biometric Authentication
Use fingerprint, face recognition, or platform-specific biometrics for quick, secure logins:
Web Platform (WebAuthn/Passkeys):
- Touch ID (Mac)
- Face ID (Mac)
- Windows Hello (Windows)
- Cross-browser compatible (Chrome, Firefox, Safari, Edge)
- Uses the WebAuthn standard — biometric data never leaves your device
- Setup: Settings → Account Security → Biometric Authentication
Native Android App:
- Fingerprint sensor
- Face unlock
- Credentials stored securely in your device's keychain/keystore
- Setup: Settings → Security → Enable Biometric Login
- Branded "RTC Collector" authentication prompts
- Manage and remove registered biometric devices from settings
Session Management
Active Sessions: View all devices where you're logged in
Terminate Sessions: Log out remote devices instantly
Session Timeout: Auto-logout after 7 days of inactivity
Secure Cookies: HTTP-only, Secure flag, SameSite=Strict
Manage: Settings → Account Security → Sessions
Login Alerts
Get notified of logins from:
- New devices
- New locations
- New browsers
Emails are sent immediately so you can take action if the login was not yours.
Data Security
Encryption
In Transit: All data encrypted with TLS 1.3
At Rest: Sensitive data encrypted with AES-256-GCM:
- 2FA secrets
- Backup codes
- Message content
Encryption Keys: Securely managed, rotated regularly
Database Security
- MySQL with prepared statements (no SQL injection)
- Principle of least privilege for database access
- Regular security audits
- Automated backups with encryption
File Upload Security
Image Uploads:
- MIME type validation
- File size limits (2MB)
- EXIF data stripped automatically
- Malware scanning
- Secure storage with access controls
Payment Security
PCI DSS Compliance
- All payments through Stripe (PCI DSS Level 1)
- We never store card numbers
- Tokenization for recurring payments
- 3D Secure supported
Stripe Integration
- Client-side tokenization
- Server-side validation
- Webhook signature verification
- Idempotency for duplicate prevention
Fraud Protection
- Stripe Radar for fraud detection
- Transaction monitoring
- Suspicious activity alerts
- Chargeback protection
Application Security
Input Validation
Client-Side: Zod schemas validate all input
Server-Side: Double validation, never trust client
Sanitization: DOMPurify prevents XSS attacks
CSRF Protection
- Double-submit cookie pattern
- Unique tokens per request
- SameSite cookies
- Referer validation
Bot Protection
RTC Collector uses Cloudflare Turnstile to protect against automated attacks on registration, login, and password reset forms. Turnstile runs invisibly in the background without requiring you to solve CAPTCHAs in most cases.
Rate Limiting
Protection against abuse:
- Auth endpoints: 5 attempts per 15 minutes
- API requests: 100 per minute
- File uploads: 10 per hour
- Messages: 50 per hour per conversation
CORS Policy
- Environment-specific origins only
- Credentials required
- No wildcard origins in production
Security Headers
Helmet.js provides:
- Content Security Policy (CSP)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Strict-Transport-Security (HSTS)
- X-XSS-Protection
Privacy & Data Protection
UK GDPR Compliance
Full compliance with UK data protection laws:
- Lawful basis for all processing
- Data minimization
- Right to access, rectify, erase
- Data portability
- Breach notification
See GDPR Compliance for details.
Data Access Controls
Role-Based Access: Users can only access their own data
Admin Oversight: Admin actions logged and audited
Encryption: Sensitive data encrypted at rest
Third-Party Services
We share data only with trusted partners:
- Stripe: Payment processing
- Cloudflare: CDN and DDoS protection
- Sentry: Error monitoring
All partners are GDPR-compliant.
Vulnerability Management
Security Audits
- Regular code reviews
- Dependency vulnerability scanning
- Penetration testing (annual)
- Third-party security assessments
Dependency Management
- Automated dependency updates
- Vulnerability scanning with Dependabot
- Quick patching of critical issues
Bug Bounty
Responsible disclosure program:
- Email: [email protected]
- We respond within 48 hours
- Coordinated disclosure
- Recognition for valid reports
Incident Response
Data Breach Procedures
If a breach occurs:
- Contain and mitigate immediately
- Assess impact and affected users
- Notify ICO within 72 hours
- Notify affected users without delay
- Document and learn from incident
User Notification
You'll be notified if:
- Your data was accessed without authorization
- There's risk to your rights
- Action is required on your part
We provide:
- What happened
- What data was affected
- What we're doing
- What you should do
Best Practices for Users
Protect Your Account
Do:
- Use a strong, unique password
- Enable 2FA immediately
- Keep backup codes safe
- Monitor login alerts
- Review active sessions regularly
- Log out on shared devices
Don't:
- Share your password
- Use the same password elsewhere
- Ignore login alerts
- Leave devices unattended while logged in
Recognize Phishing
We'll never:
- Ask for your password via email
- Request 2FA codes via email or phone
- Ask for payment outside the platform
- Threaten immediate account closure
Suspicious emails? Forward to [email protected]
Secure Marketplace Transactions
- Only transact through RTC Collector
- Never share payment info in messages
- Verify buyer/seller before high-value sales
- Report suspicious offers
Reporting Security Issues
Found a vulnerability?
Email: [email protected]
Include:
- Detailed description
- Steps to reproduce
- Potential impact
- Your contact information (optional)
We'll:
- Acknowledge within 48 hours
- Investigate and validate
- Fix critical issues immediately
- Credit you in our security acknowledgments (if desired)
Please Don't:
- Publicly disclose before we've fixed it
- Access more data than necessary to demonstrate
- Harm other users or services
Security Certifications
- PCI DSS: Via Stripe for payment processing
- GDPR Compliant: UK data protection compliance
- SOC 2 (planned): Service organization controls audit
Audit Logs
Admin actions are logged:
- Who performed the action
- What action was taken
- When it occurred
- IP address
- Old and new values (for changes)
Logs retained for 1 year for security investigations.
Questions?
For security questions:
- Email: [email protected] (security issues)
- Email: [email protected] (privacy questions)
- See our Privacy Policy
- See our GDPR Compliance page