Honest, no-buzzword security overview.
A plain-English walkthrough of the controls we actually have in place to protect your account and data, not a list of compliance logos we don't have yet.
10+ security controls
GDPR & CCPA aligned
bcrypt password hashing
Where we stand today
An honest snapshot. We will update this page as our compliance posture evolves.
GDPR
We follow GDPR principles for EU users: lawful basis, data minimization, access and deletion rights.
CCPA / CPRA
California residents may request access, deletion, and opt-out of any sale or sharing of personal information under CCPA/CPRA.
SOC 2
Not certified yet. SOC 2 is on our compliance roadmap; we will publish updates here once an audit begins.
ISO 27001
Not certified yet. ISO 27001 is on our compliance roadmap.
HIPAA
ShubHQ is not designed for protected health information. We do not sign BAAs.
PCI DSS
We do not store card data. All payments are processed by our PCI-compliant payment provider; ShubHQ only receives non-sensitive billing metadata.
Concrete controls in the application
Every item below is implemented in the ShubHQ codebase today, not a future-tense promise.
Password Hashing (bcrypt)
Passwords are hashed with bcrypt at cost factor 12. Plain-text passwords are never stored. A minimum of 8 characters, with mixed case, a digit, and a special character, is required.
Secure Password Reset
Reset links use single-use tokens that expire in 1 hour. Repeat reset requests are rate-limited with a 2-minute cooldown to prevent abuse.
Session Hardening
Session cookies are HttpOnly, Secure, and SameSite=Lax. Tokens are stored as SHA-256 hashes, bound to IP and user-agent, with the session ID rotated every 30 minutes.
Brute-force Protection
Failed logins are counted per account and IP. Repeated failures trigger temporary account lockout and HTTP 429 responses.
SQL Injection Protection
All database queries use PDO/mysqli prepared statements with parameter binding. No user input is concatenated into SQL.
XSS Output Escaping
All user-generated content is escaped with htmlspecialchars on output. Untrusted HTML is never rendered as-is.
Safe File Uploads
Uploads are restricted by extension whitelist (jpg, png, gif, webp, svg, csv, txt, etc.) and verified with finfo MIME detection. Size limits apply (avatar 2MB, evidence 5MB), filenames are randomized, and PHP execution is disabled in the uploads/ directory via .htaccess.
Security Headers
Responses include X-Content-Type-Options, X-Frame-Options (clickjacking protection), X-XSS-Protection, Referrer-Policy, and Permissions-Policy disabling camera, microphone, and geolocation.
Activity & Session Logging
Active sessions (IP, user-agent, last-seen), an activity log, and last-login time/IP are recorded so users can review and revoke access.
Anti-abuse Limits
Per-user hourly and daily limits apply to abuse-prone actions like messaging, audits, and discovery to keep the platform healthy for everyone.
Small team, careful defaults.
ShubHQ runs on managed cloud infrastructure with TLS for all incoming traffic. Production access is restricted to a small number of maintainers and protected by strong unique passwords and 2FA on every account that has access.
The application enforces the controls listed above on every request: prepared statements, output escaping, signed and rotated session cookies, brute-force limits, and per-user activity quotas. Security headers are set by default on every response.
We do not currently operate a 24/7 SOC or hold SOC 2 / ISO 27001 certifications. We will say so clearly here when that changes. If you find a security issue, please report it directly so we can fix it quickly.
Security Contacts
Report a vulnerability: support@shubhq.com
Compliance & data requests: support@shubhq.com
Responsible disclosure
We do not run a paid bug bounty program yet. We are happy to credit researchers who report issues responsibly via support@shubhq.com.
Common questions, direct answers
How are passwords stored?
Passwords are hashed with bcrypt at cost factor 12. We never store plain-text passwords and we cannot recover them. If you forget your password, use the reset flow. We require a minimum of 8 characters with mixed case, a digit, and a special character.
How does password reset work?
A reset request emails you a single-use token that expires after 1 hour. Repeat reset requests for the same account are rate-limited with a 2-minute cooldown to prevent abuse.
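The reset-token lifecycle described here and under Secure Password Reset above, as an added PHP example (not ShubHQ's code). The in-memory array standing in for a database table, the timestamps and the function names are assumptions:

```php
<?php
// Added example, not ShubHQ's own code. Models the reset flow described on this page:
// a single-use token that expires after 1 hour, and a 2-minute cooldown between reset
// requests for the same account. $resets is an in-memory stand-in for a DB table (assumption).
declare(strict_types=1);

const RESET_TTL      = 3600; // 1 hour
const RESET_COOLDOWN = 120;  // 2 minutes

/** Returns the raw token to e-mail, or null when the request falls inside the cooldown. */
function requestReset(array &$resets, int $userId, int $now): ?string
{
    $prev = $resets[$userId] ?? null;
    if ($prev !== null && $now - $prev['requested'] < RESET_COOLDOWN) {
        return null; // rate-limited; the user-facing response should look the same either way
    }
    $token = bin2hex(random_bytes(32));
    // Only the hash is persisted, so a database read does not yield usable tokens.
    // Issuing a new token replaces (invalidates) any earlier one for this account.
    $resets[$userId] = ['hash' => hash('sha256', $token), 'requested' => $now, 'used' => false];
    return $token;
}

/** Consumes the token: succeeds exactly once, within the TTL, for the matching account. */
function redeemReset(array &$resets, int $userId, string $token, int $now): bool
{
    $row = $resets[$userId] ?? null;
    if ($row === null || $row['used'] || $now - $row['requested'] > RESET_TTL) {
        return false;
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) { // constant-time compare
        return false;
    }
    $resets[$userId]['used'] = true; // single use
    return true;
}

// Demo with constructed timestamps.
$resets = [];
$t0  = 1_700_000_000;
$tok = requestReset($resets, 7, $t0);
var_dump(requestReset($resets, 7, $t0 + 60));          // second request inside the cooldown
var_dump(redeemReset($resets, 7, $tok, $t0 + 600));    // first use of a valid token
var_dump(redeemReset($resets, 7, $tok, $t0 + 601));    // same token presented again
$tok2 = requestReset($resets, 7, $t0 + 700);
var_dump(redeemReset($resets, 7, $tok2, $t0 + 4400));  // presented after the 1-hour TTL
```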
How are sessions secured?
Session cookies are set with HttpOnly, Secure, and SameSite=Lax flags. Server-side, the session token is stored as a SHA-256 hash and bound to the originating IP and user-agent. The session ID is rotated every 30 minutes to limit the window of any stolen session.
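The server-side half of the scheme described here and under Session Hardening above, as an added PHP example (not ShubHQ's code). The in-memory $store, the demo IPs and the user-agent string are assumptions:

```php
<?php
// Added example, not ShubHQ's own code. Models the scheme this page describes: the raw
// token lives only in the cookie, the server stores its SHA-256 hash bound to IP and
// user-agent, and the session ID is rotated every 30 minutes. $store stands in for the
// sessions table (assumption).
declare(strict_types=1);

const ROTATE_AFTER = 1800; // 30 minutes

/** Cookie flags from the page; pass as the options array to setcookie() in a web SAPI. */
function sessionCookieOptions(): array
{
    return ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/'];
}

function issueSession(array &$store, int $userId, string $ip, string $ua, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 256-bit random token, sent to the client only
    $store[hash('sha256', $token)] = [
        'user_id' => $userId, 'ip' => $ip, 'ua' => $ua, 'issued' => $now, 'last_seen' => $now,
    ];
    return $token;
}

/** Returns [userId, tokenTheClientShouldKeep] or null when the session is rejected. */
function validateSession(array &$store, string $token, string $ip, string $ua, int $now): ?array
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                             // unknown, revoked or already-rotated token
    }
    $row = $store[$key];
    // Binding check: the token presented from another IP/UA is rejected and revoked.
    // Caveat: clients on mobile networks change IPs, so expect some forced re-logins.
    if ($row['ip'] !== $ip || $row['ua'] !== $ua) {
        unset($store[$key]);
        return null;
    }
    $store[$key]['last_seen'] = $now;
    if ($now - $row['issued'] >= ROTATE_AFTER) {
        unset($store[$key]);                     // old ID dies; a copy captured earlier is now useless
        $token = issueSession($store, $row['user_id'], $ip, $ua, $now);
    }
    return [$row['user_id'], $token];
}

// Demo with constructed values.
$store = [];
$t0  = 1_700_000_000;
$tok = issueSession($store, 42, '203.0.113.5', 'Mozilla/5.0 demo', $t0);
[$uid, $same] = validateSession($store, $tok, '203.0.113.5', 'Mozilla/5.0 demo', $t0 + 60);    // before rotation
[$uid, $new]  = validateSession($store, $same, '203.0.113.5', 'Mozilla/5.0 demo', $t0 + 1800); // rotation point
var_dump($uid, $new !== $tok);
var_dump(validateSession($store, $tok, '203.0.113.5', 'Mozilla/5.0 demo', $t0 + 1801));  // rotated-out token
var_dump(validateSession($store, $new, '198.51.100.9', 'Mozilla/5.0 demo', $t0 + 1802)); // IP mismatch
```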
What happens if someone tries to brute-force a login?
Failed login attempts are counted per account and per IP. After repeated failures the account is temporarily locked and further attempts return HTTP 429.
How do you protect against SQL injection and XSS?
All database queries use prepared statements with parameter binding (PDO/mysqli); user input is never concatenated into SQL. All user-generated output is escaped with htmlspecialchars before rendering.
How are file uploads handled?
Uploads are validated against an extension whitelist (jpg, png, gif, webp, svg, csv, txt, etc.) and double-checked with finfo MIME detection. Size limits apply (2MB for avatars, 5MB for evidence files). Filenames are randomized to prevent path attacks, and the uploads/ directory blocks PHP execution via .htaccess.
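The validation chain described here and under Safe File Uploads above, as an added PHP example (not ShubHQ's code). The extension-to-MIME map, the $kind names and the temp-file demo are assumptions; the page's "etc." extensions are not included:

```php
<?php
// Added example, not ShubHQ's own code. Implements the checks this page describes for
// uploads: extension whitelist, finfo MIME detection of the bytes, per-kind size limits
// (2MB avatar, 5MB evidence) and a randomized filename. The MIME map and the $kind
// names are assumptions.
declare(strict_types=1);

const UPLOAD_LIMITS = ['avatar' => 2 * 1024 * 1024, 'evidence' => 5 * 1024 * 1024];

// Extension => MIME types finfo may report for a file claiming that extension.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'webp' => ['image/webp'],
    'svg'  => ['image/svg+xml'],   // caveat: SVG can carry script; do not render it inline unsanitized
    'csv'  => ['text/csv', 'text/plain'],
    'txt'  => ['text/plain'],
];

/** Returns the randomized destination filename, or throws when any check fails. */
function validateUpload(string $tmpPath, string $originalName, string $kind): string
{
    $size = filesize($tmpPath);                  // measure the file; never trust client headers
    if (!isset(UPLOAD_LIMITS[$kind]) || $size === false || $size > UPLOAD_LIMITS[$kind]) {
        throw new RuntimeException("size limit exceeded for $kind");
    }
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }
    // finfo inspects the bytes, so a PHP source file renamed to .png still fails here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content does not match .$ext: $mime");
    }
    // Random name: no user-controlled characters reach the filesystem path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demo with two constructed temp files.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64)); // PNG signature only
echo "stored as ", validateUpload($png, 'profile.png', 'avatar'), "\n";

$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'x';");                          // PHP source under a .png name
try {
    validateUpload($php, 'profile.png', 'avatar');
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```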
Which security headers do you set?
X-Content-Type-Options: nosniff, X-Frame-Options to prevent clickjacking, X-XSS-Protection, Referrer-Policy, and a Permissions-Policy that disables camera, microphone, and geolocation by default.
Can I see who has logged into my account?
Yes. From your account you can review active sessions (IP, user-agent, last-seen) and the activity log, and you can sign out individual sessions. Last-login time and IP are also recorded.
Do you have SOC 2, ISO 27001, or HIPAA certifications?
Not yet. SOC 2 and ISO 27001 are on our roadmap and we will publish updates here when audits begin. ShubHQ is not designed for protected health information, so HIPAA is not supported.
How is payment data handled?
We do not store credit card data. All payments are processed by our PCI-compliant payment provider, and ShubHQ only receives non-sensitive billing metadata (plan, status, invoice IDs).
Need more information?
If you have specific security questions before signing up, our team is happy to help.
Last updated: April 25, 2026