Security & responsible disclosure
How we protect your data, what we store, and how to report a vulnerability. Last reviewed: 2026-06-26.
Minimal data
Accounts store only your email address. We don't sell data or run third-party trackers by default. You can export or delete your account data from your dashboard.
Zero-knowledge vault
Quantum Vault encrypts in your session only. Your passphrase and plaintext are never stored, transmitted in the clear, or logged. A lost passphrase is unrecoverable by design.
Encryption
Data is protected in transit by TLS with HSTS. At rest and in the vault we use AES-256-GCM (authenticated encryption) with a key derived by Argon2id. AES-256 retains roughly 128-bit security even against a quantum adversary running Grover's algorithm.
Hardened by default
Strict Content-Security-Policy, secure session cookies (HttpOnly, SameSite, Secure), CSRF protection, login lockout, honeypot/abuse blocking, and SSRF guards on outbound fetches.
Responsible disclosure policy
We welcome reports from security researchers and will not pursue legal action for good-faith research that respects this policy.
Scope
The neoshieldsecurity.com web application and its public APIs.
Please do
- Report issues privately and allow us reasonable time to fix them (we aim to resolve reports within 90 days).
- Test only against your own accounts/data; avoid privacy violations and service disruption.
- Provide clear steps to reproduce.
Please don't
- Run automated scanners that degrade service, or carry out denial-of-service, social-engineering, or physical attacks.
- Access, modify, or exfiltrate data that isn't yours.
How to report
Email security@neoshieldsecurity.com or use the contact form. Machine-readable details are published at /.well-known/security.txt.
Compliance posture
- GDPR-friendly: data minimisation (email only), self-serve export and deletion, and named processors (Stripe for payments, Anthropic for AI, Hostinger for hosting).
- Annual review: we run an external vulnerability scan and code review once a year and update the "last reviewed" date above.
- No heavyweight certifications (SOC 2 / ISO 27001) at this stage — we focus on transparent, verifiable controls appropriate to our size. Enterprise customers with specific requirements can contact us.