Avatar Match Security
How we protect your data and account
Data Protection
Encryption in Transit
All data is transmitted using TLS 1.3. HTTP requests are automatically redirected to HTTPS.
Encryption at Rest
Passwords are stored as bcrypt hashes. Sensitive data (messages, psychometrics) is encrypted with AES-256.
Key Management
Cryptographic keys managed via Google Cloud KMS with rotation every 90 days.
Backups
Daily encrypted backups stored across multiple geographic regions.
Account Security
Magic Link Login
Passwordless authentication via one-time links reduces the risk of credential compromise.
Email Verification
Every account is verified via email. Suspicious logins require re-verification.
Auto Sign-Out
Sessions automatically expire after 30 days of inactivity. View active sessions in settings.
Brute Force Protection
All API endpoints are rate limited, and accounts are temporarily locked out after multiple failed login attempts.
Infrastructure
GDPR Compliance
- Full GDPR compliance (EU Regulation 2016/679)
- Appointed Data Protection Officer (DPO)
- Records of Processing Activities (ROPA)
- Data Protection Impact Assessments (DPIA) for high-risk operations
- Standard Contractual Clauses (SCC) for international data transfers
- Breach notification within 72 hours (Art. 33 GDPR)
Responsible Vulnerability Disclosure
If you discover a security vulnerability, we welcome responsible disclosure:
Email: security@avatarmatch.app
Please include:
- Vulnerability description and potential impact
- Steps to reproduce
- Your contact information (optional)
We respond within 5 business days and fix critical vulnerabilities within 30 days.
Please do not publicly disclose the vulnerability before it is fixed.
Account Security Tips
- Use a unique email not shared with other platforms
- Never forward magic links to third parties
- Regularly review active sessions in settings
- Report suspicious activity immediately: security@avatarmatch.app