Security at AIToolNow
Your data security is our top priority. We implement multiple layers of protection — from encryption and authentication to infrastructure hardening — so you can focus on building with AI.
Built on Three Pillars
Every layer of AIToolNow is designed with security in mind.
Authentication & Access
Multi-factor authentication with TOTP, email OTP, and backup codes. OAuth 2.0 with Google and GitHub. Database-backed session management with device detection.
Data Protection
AES-256-GCM encryption with PBKDF2 key derivation. Passwords hashed with bcrypt (12 rounds). All auth cookies are httpOnly with strict SameSite policies.
Infrastructure Security
PostgreSQL with parameterized queries via Prisma ORM. Redis-backed sliding window rate limiting. Comprehensive security headers via Helmet.js including CSP and HSTS.
Authentication & Access Control
We enforce strong authentication at every entry point with multiple verification methods and intelligent session management.
Data Encryption & Privacy
Your sensitive data is encrypted at rest and protected by strict access controls. We give you full ownership over your data.
Token Security
Refresh tokens are hashed with SHA-256 before database storage. Access tokens are bound to session IDs for revocation enforcement. Token families track reuse for rotation attack detection.
Data Export
Users can export all their data, including conversations, messages, and usage logs. Large exports are processed asynchronously with email notification. A 24-hour cooldown applies between requests.
Account Deletion
Soft-delete with a 30-day grace period for recovery. All sessions are revoked immediately, subscriptions are cancelled, and password data is cleared. Permanent deletion follows automatically.
Cookie Security
Access and refresh tokens stored in httpOnly cookies inaccessible to JavaScript. Refresh token cookie restricted to auth endpoints only. Secure flag and strict SameSite policy in production.
CSRF Protection
Double submit cookie pattern with 256-bit tokens generated via crypto.randomBytes. Header verification uses timing-safe comparison to prevent timing attacks.
API & Network Security
Every API request passes through multiple layers of validation and protection before reaching your data.
Rate Limiting
Sliding window algorithm backed by Redis. Login limited to 5 attempts per 15 minutes. Registration limited to 3 per hour. API rate limits enforced per subscription plan (10–120 requests/minute).
Security Headers
Helmet.js configures Content-Security-Policy, HSTS (1-year with preload), X-Frame-Options DENY, X-Content-Type-Options nosniff, and strict Referrer-Policy. X-Powered-By header is removed.
CORS Policy
Whitelist-based origin validation with credentials support. Only approved frontend and admin origins are allowed. 24-hour preflight cache with explicit header controls.
Input Validation
All API endpoints validated with Zod schemas in strict mode — no additional fields accepted. Parameterized queries via Prisma ORM prevent SQL injection.
Monitoring & Incident Response
Comprehensive logging and monitoring ensure we can detect, investigate, and respond to security events quickly.
Responsible Disclosure
If you discover a security vulnerability, we encourage responsible disclosure. Please contact our security team and we will work with you to address the issue promptly.
Report a Vulnerability
Questions About Security?
Our team is happy to discuss our security practices in detail. Reach out to learn more about how we protect your data.