This page explains — in plain language — every security control we've built into MediaKit Lab. No marketing fluff. Just what we actually do, how it works, and where you can manage it.
Passwords are hashed with bcrypt at 12 rounds — the same algorithm used in banking software. We store only the hash, never the raw password. Even a full database breach exposes nothing usable. Sessions are issued as AES-256-GCM encrypted cookies (iron-session) with a 7-day sliding TTL. Your session token is mathematically impossible to forge without the server's secret key.
Enable TOTP-based 2FA from your account settings. We generate a one-time secret, display a QR code you scan with Google Authenticator, Authy, or any RFC 6238-compatible app, then verify a live 6-digit code before activating. After enabling, every login requires both your password and a fresh OTP that expires in 30 seconds. Failed OTP attempts are rate-limited to 5 tries per 5 minutes — brute-forcing a TOTP is computationally infeasible before the window expires.
Set up 2FA in settings →Every time you log in — from any device, any browser — we record that session with its IP address, device type, browser, and last-seen timestamp. You can see all active sessions from your settings page. Revoking a single session blacklists it in Redis immediately; even if someone has your session cookie, it's worthless the moment you revoke it. 'Sign out everywhere' terminates all sessions and redirects every active device to the login page within seconds.
Manage your sessions →Every sensitive endpoint has layered rate limiting via Upstash Redis. Login: 10 attempts per window before a 429 response. OTP confirmation: 5 attempts per 5 minutes, scoped to your user ID. Data export: 3 requests per hour — prevents automated scraping of your own data. All limits are keyed to user identity, not IP address, so shared networks (coworking, mobile hotspot) don't trigger false positives for other users.
Every piece of data you've entered into MediaKit Lab — rate cards, brand deals, invoices, media kit content, session history — is exportable in a single click from your Data & Privacy settings. We return a structured JSON archive that you can open, parse, back up, or import into another tool. This is a real-time export: it reflects your current data at the moment you click. Export is rate-limited to 3 times per hour to prevent abuse.
Export your data →From your Data & Privacy settings, you can request permanent account deletion. After you confirm by typing your email address, we schedule deletion 30 days out — giving you time to cancel if it was a mistake. After 30 days, your account, all personal data, all brand deal records, all invoices, all media kit content, and all rate cards are permanently and irrecoverably deleted from our database and backups. We send you a confirmation email when deletion is complete.
Delete account settings →Shared media kits are controlled entirely by you. Hide your rate card from the public view so brands see your work without seeing your pricing upfront. Set an expiry date on any shared link — the moment the date passes, the link stops working without any action from you. Revoke a live link instantly; anyone with the old URL will hit a 404. None of these changes affect your saved media kit — only what's visible at the shared URL.
When you share an invoice publicly, we track every view with a timestamp. The first time anyone opens your invoice link, you get an email notification — so you know the brand has seen it, and you can follow up with confidence. View count and the last-viewed timestamp are visible in your saved invoices list. Your bank account number is always masked to the last four digits in the public view.
Our Google OAuth flow implements the full state parameter CSRF protection required by the OAuth 2.0 specification. We generate a cryptographically random state value, bind it to an HttpOnly cookie, and verify that the state returned from Google matches exactly before processing the callback. A mismatch — which would indicate a CSRF attack — immediately aborts the flow. OAuth-only accounts cannot use the password login endpoint.
All traffic is served over HTTPS with TLS 1.2+. Session cookies are encrypted with AES-256-GCM (iron-session) and marked HttpOnly and SameSite=Strict — they cannot be read by JavaScript or sent cross-origin. Your invoice bank account number is stored in full in the database (needed for PDF generation) but masked to ****XXXX in all API responses and public views. We do not store payment card data — ever.
MediaKit Lab is designed for the DPDP Act 2023 — India's first comprehensive data protection legislation. Your rights include: access (download your data), correction (update your profile), erasure (delete your account), and grievance redressal (contact our DPO within 7 working days). We don't sell your data. We don't use it for ads. We don't share it with third parties except our infrastructure providers (MongoDB, Vercel, Upstash), who are bound by data processing agreements.
Read our full DPDP Act compliance document →If you discover a security issue, please report it privately — not in a public GitHub issue or social post. We take all reports seriously and will respond within 2 business days. We don't have a bug bounty programme yet, but we will acknowledge and thank responsible disclosures publicly if you'd like.
security@mediakitlab.com