AM25.ir

Security & Encryption Policy

Last Updated: October 31, 2025

Encryption Standards

We implement industry-standard encryption to protect your data at every level:

  • HTTPS/TLS 1.3: All connections use TLS 1.3 encryption to protect data in transit between your device and our servers.
  • Password Hashing: All passwords are hashed using bcrypt with salt rounds of 10, making them irreversible and secure.
  • Storage Encryption: Data is stored in encrypted MongoDB databases with GridFS for file storage, ensuring data at rest is protected.
  • Data in Transit: All API communications are secured via HTTPS, preventing man-in-the-middle attacks.

Logging Policy

We maintain transparent logging practices to ensure both security and privacy:

What We Log

  • Hashed IP addresses (SHA-256) for rate limiting and abuse prevention
  • Timestamps of actions (create, retrieve, download) for analytics
  • Action types (view, click, download) for usage statistics
  • Error logs for debugging and service improvement

What We Don't Log

  • Full IP addresses (only hashed versions are stored)
  • Content of URLs, clipboard text, or file contents (except for storage)
  • Passwords are never logged, only stored as bcrypt hashes
  • Personal information beyond what's voluntarily shared

Security Audits

We conduct regular security reviews and maintain audit trails:

  • Code Review: All code changes undergo peer review before deployment to production.
  • Dependency Scanning: Automated vulnerability scanning of all npm dependencies using npm audit and Dependabot.
  • Security Headers: Implementation of comprehensive security headers including CSP, HSTS, X-Frame-Options, and more.
  • Penetration Testing: Regular security testing to identify and fix vulnerabilities before they can be exploited.

Infrastructure Security

Our infrastructure is built with security as a priority:

  • Secure Hosting: Hosted on enterprise-grade infrastructure with DDoS protection and firewall rules.
  • Database Security: MongoDB with authentication, authorization, and encrypted connections. TTL indexes for automatic data expiration.
  • CDN & Bot Protection: Cloudflare CDN with local image CAPTCHA to prevent abuse and ensure service availability.
  • 24/7 Monitoring: Real-time monitoring of service health, error rates, and security events.

Data Retention & Deletion

We implement automatic data deletion to minimize data retention:

  • Short links: Optional expiration (or retained until deleted)
  • Clipboard content: 1-168 hours (user-defined)
  • Files: 1-24 hours maximum retention
  • Analytics: Aggregated data retained for 90 days, individual events deleted after 30 days

Incident Response

In the event of a security incident, we have procedures to respond quickly: immediate investigation, containment of the issue, notification of affected users if necessary, and post-incident analysis to prevent future occurrences.

Compliance & Best Practices

We follow industry best practices and comply with relevant data protection regulations. Our service is designed with privacy-by-design principles, minimizing data collection and maximizing user control.

Security Contact

If you discover a security vulnerability, please report it responsibly through our website. We appreciate security researchers and will acknowledge your contribution.

Security & Encryption Policy | AM25.ir