Security

Security isn't a feature we bolt on -- it's the foundation of everything we build. Here's a transparent look at how we protect your account, credits, and data.

1

Infrastructure Security

Encrypted at Rest: All data stored in our databases is encrypted using AES-256 encryption. Database backups are encrypted with separate key management.
HTTPS Only: All communication between your browser and our servers is encrypted via TLS 1.3. We enforce HTTPS across all endpoints with HSTS headers and automatic HTTP-to-HTTPS redirection. No exceptions.
Network Isolation: Production infrastructure is isolated in private network segments with strict firewall rules. Only necessary ports and services are exposed.
DDoS Mitigation: Our infrastructure includes layer 3/4 and layer 7 DDoS protection to ensure service availability during volumetric attacks.
2

Authentication & Session Management

bcrypt Password Hashing: All passwords are hashed using bcrypt with a work factor calibrated to current hardware capabilities. We never store, transmit, or log plain text passwords.
JWT Token Authentication: Authenticated sessions are managed via JSON Web Tokens (JWT) with short expiration windows. Tokens are signed with strong cryptographic keys and validated on every request.
httpOnly Cookies: Session tokens are stored in httpOnly, Secure, SameSite cookies -- preventing access from client-side JavaScript and protecting against XSS and CSRF attacks.
Rate Limiting: Login attempts, password resets, and API requests are rate-limited to prevent brute force attacks and credential stuffing.
3

Credit System Security

Your credit balance is the core of your FlushIt account. We treat credit operations with the same rigor as financial transactions:

Atomic Transactions: All credit operations (purchases, deductions, refunds) are executed as atomic database transactions. Either the full operation succeeds, or it is completely rolled back. No partial states, no lost credits.
Row-Level Locking: Credit balance modifications use database-level row locks to prevent race conditions. Concurrent operations on the same account are serialized to ensure balance integrity.
Idempotency Keys: Every credit-affecting operation is tagged with a unique idempotency key. Duplicate requests (from network retries, client bugs, etc.) are detected and prevented from executing twice.
Complete Audit Trail: Every credit transaction -- purchases, campaign deductions, bounce refunds, and balance adjustments -- is logged in an immutable audit trail with timestamps, operation types, and before/after balances.
4

Payment Security

On-Chain Verification: All cryptocurrency payments are verified directly on the blockchain. We query the respective chain (Bitcoin, Ethereum, BSC, Solana) to confirm transaction finality before crediting your account. No third-party payment processors are involved.
No Payment Processor Middlemen: We do not use Stripe, PayPal, or any traditional payment processor. Your crypto goes directly to our wallet addresses. This eliminates an entire category of third-party data exposure.
Unique Payment Amounts: Each payment request generates a unique amount (with micro-variations) to enable precise transaction matching on-chain. This ensures your specific payment is identified and credited correctly, even with concurrent payments to the same wallet address.
Confirmation Requirements: Credits are issued only after the required number of block confirmations for each chain (e.g., 3 confirmations for Ethereum, 6 for Bitcoin) to prevent double-spend attacks.
5

Data Handling & Privacy

Minimal Data Collection: We collect only your email address and password hash. No names, no IDs, no phone numbers, no physical addresses. You cannot leak what you do not collect.
No Tracking: We do not use analytics scripts, tracking pixels, advertising cookies, or any client-side tracking technology. There is no Google Analytics, no Mixpanel, no Hotjar, no Facebook Pixel -- nothing.
No Third-Party Scripts: Our pages load zero third-party JavaScript. Every script running on FlushIt is our own code. No ad networks, no chat widgets, no social media embeds.
Campaign Data Purging: Recipient lists and message content are purged from our systems after campaign completion. We do not retain your contact lists or message content longer than necessary for delivery processing.
6

API Security

API Key Authentication: API access is controlled via unique API keys. Keys are generated with a recognizable prefix (e.g., fi_live_...) for easy identification and are displayed with prefix masking in the dashboard -- you only see the full key once upon creation.
Instant Revocation: API keys can be revoked instantly from your dashboard. Revoked keys are blocked at the authentication layer and cannot be reactivated.
Per-Key Rate Limiting: Each API key has independent rate limits to prevent abuse and protect platform stability.
Hashed Key Storage: API keys are stored as hashed values in our database. If our database were ever compromised, your raw API keys would not be exposed.
7

Reporting Vulnerabilities

We take security vulnerabilities seriously. If you discover a security issue, we encourage you to report it responsibly so we can address it promptly.

Email: security@flushit.com

Support Ticket: Submit a security ticket with "SECURITY" in the subject line

Responsible Disclosure: Please allow us reasonable time to investigate and address any reported vulnerability before disclosing it publicly. We are committed to acknowledging receipt within 24 hours and providing a timeline for resolution within 72 hours.

Security at a Glance

Encryption
AES-256 at rest, TLS 1.3 in transit
Authentication
bcrypt + JWT + httpOnly cookies
Credit System
Atomic txns + row locks + idempotency
Payments
On-chain verification, zero middlemen
Data Collection
Email + password hash only
Tracking
Zero analytics, zero third-party scripts
Terms of ServicePrivacy PolicyAboutHome