Security

Your data, locked down

PLVN is built with security as a first-class concern — not an afterthought. Here is an honest account of how we protect the data you entrust to us.

Infrastructure

Hosted on hardened infrastructure

PLVN runs on Railway, a cloud platform built on SOC 2 Type II compliant infrastructure. Every layer of the stack — compute, networking, and storage — benefits from Railway's enterprise-grade security controls.

SOC 2 Infrastructure

Railway's underlying cloud infrastructure is SOC 2 Type II audited. Network isolation, access controls, and physical security are handled at the platform level. We inherit these controls and augment them with our own application-level safeguards.

Encrypted at Rest

All data stored on PLVN's database servers is encrypted using AES-256, the same standard used by banks and government systems. This includes your event data, account details, and any documents or images you upload to the platform.

TLS 1.3 in Transit

All data transmitted between your device and PLVN's servers is encrypted using TLS 1.3 — the latest and most secure version of the transport layer security protocol. Older, weaker TLS versions (1.0 and 1.1) are disabled entirely. Connections are rejected if they do not meet this standard.

Application

Secure by design

Security practices are baked into how PLVN's application is built, not applied as a layer on top. From authentication to database queries, we follow industry best practices throughout the codebase.

JWT Authentication

PLVN uses short-lived JSON Web Tokens (JWTs) signed with RS256 for all API authentication. Tokens expire quickly and are validated on every request. Refresh tokens are stored server-side so they can be revoked immediately on logout or suspected compromise. We do not use session cookies that can be hijacked via cross-site scripting.

bcrypt Password Hashing

User passwords are never stored in plaintext or with reversible encryption. We use bcrypt with a cost factor tuned to current hardware, which means that even if our database were ever compromised, passwords could not be practically recovered. We also enforce a minimum password strength policy at registration.

Parameterised Queries

Every database query in the PLVN codebase uses parameterised statements or an ORM's built-in query builder. We do not interpolate user-supplied data directly into SQL strings. This eliminates SQL injection as an attack surface entirely. Input validation is applied at the API layer as a further defence-in-depth measure.

Rate Limiting

Abuse prevention on every endpoint

All public-facing PLVN API endpoints are protected by rate limiting at the network edge. Authentication endpoints (login, password reset, OTP verification) have significantly stricter limits than general API calls. Clients that exceed rate limits receive a 429 response; persistent abusers are blocked at the IP level. This mitigates credential stuffing, brute-force attacks, and denial-of-service attempts.

Engineering Practices

Security built into our workflow

Good security is not just about runtime controls. It requires discipline throughout the development and deployment lifecycle.

Dependency Scanning

Every pull request triggers an automated dependency audit that checks all third-party packages against the National Vulnerability Database (NVD) and GitHub Advisory Database. Critical and high-severity vulnerabilities block the build. We review and patch vulnerable dependencies as a P1 task within 48 hours of disclosure.

No Secrets in Source Code

API keys, database credentials, JWT signing keys, and all other secrets are stored exclusively as environment variables in Railway's encrypted secrets manager. They are never committed to version control. A pre-commit hook scans every commit for common secret patterns (API key formats, private keys, connection strings) and rejects the commit if any are detected.

Pre-Commit Security Hooks

Our repository enforces pre-commit hooks that run static analysis, lint for dangerous patterns (eval, unsafe deserialisation, direct HTML injection), and check for accidentally committed .env files. These checks run locally before code ever reaches our CI pipeline, catching issues at the earliest possible moment.
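
A sketch of the kind of check the two sections above describe (secret patterns, dangerous code patterns, and committed .env files), as an added example that is not PLVN's actual hook. The rule set, the `scan_commit` and `hook_exit_code` names, and the sample commit are all assumptions made for illustration.

```python
import re

# Illustrative rules only (assumptions, not PLVN's real rule set).
RULES = {
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "connection string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@"),
    "API key assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"][A-Za-z0-9_\-]{20,}['\"]"),
    "eval call": re.compile(r"\beval\s*\("),
    "unsafe deserialisation": re.compile(
        r"\bpickle\.loads?\s*\(|\byaml\.load\s*\((?![^)]*Loader)"),
    "direct HTML injection": re.compile(r"\.innerHTML\s*=|dangerouslySetInnerHTML"),
}
# .env and .env.<name> are rejected; .env.example / .env.sample templates are allowed.
ENV_FILE = re.compile(r"(?:^|/)\.env(?:\.(?!example$|sample$)[\w-]+)?$")


def scan_commit(staged):
    """staged maps path -> staged file text; returns sorted (path, line, rule)."""
    findings = []
    for path, text in staged.items():
        if ENV_FILE.search(path):
            findings.append((path, 0, "committed .env file"))
            continue  # reject on the path alone; do not read or echo its contents
        for lineno, line in enumerate(text.splitlines(), start=1):
            for label, rx in RULES.items():
                if rx.search(line):
                    findings.append((path, lineno, label))
    return sorted(findings)


def hook_exit_code(staged):
    """A non-zero exit status is what makes git reject the commit."""
    return 1 if scan_commit(staged) else 0


# Constructed sample commit; every value below is fake.
SAMPLE = {
    "app/db.py": 'DSN = "postgres://plvn:hunter2@db.internal:5432/app"\n'
                 'DSN_OK = os.environ["DATABASE_URL"]\n',
    "app/util.py": "result = eval(user_expr)\n",
    "web/view.js": "el.innerHTML = comment;\nel.textContent = comment;\n",
    "config/.env": "JWT_KEY=abc\n",
    "config/.env.example": "JWT_KEY=\n",
    "keys/readme.md": "-----BEGIN RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for path, lineno, label in scan_commit(SAMPLE):
        print(f"{path}:{lineno}: {label}")
    raise SystemExit(hook_exit_code(SAMPLE))
```

Pattern matching of this kind catches known formats only, so it complements the secrets manager rather than replacing it.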

Responsible Disclosure

PLVN takes security vulnerabilities seriously. If you believe you have discovered a security issue in our platform, we want to hear from you. We operate a coordinated disclosure policy and commit to working with researchers in good faith.

How to Report

Email your findings to [email protected]. Please include:

  • A clear description of the vulnerability and the potential impact.
  • Steps to reproduce the issue, including any URLs, payloads, or screenshots that help us understand and reproduce it.
  • Your name or handle (if you wish to be credited) and a contact email for follow-up.

Please encrypt sensitive reports using our PGP public key, available on request from the same address.

Our Commitments to You

  • Acknowledgement. We will acknowledge receipt of your report within 2 business days.
  • Communication. We will keep you informed of our progress and let you know when the vulnerability has been confirmed, when a fix is in development, and when it has been deployed.
  • 90-day coordinated disclosure window. We ask that you give us 90 days from the date of acknowledgement to investigate and remediate the issue before public disclosure. If we need more time due to complexity, we will communicate this and work with you on an extended timeline. If we miss the deadline without communication, you are free to disclose.
  • No legal action. Provided you conduct your research in good faith — meaning you do not access or exfiltrate real user data, do not degrade service availability, and do not use findings for personal gain — we will not pursue legal action against you in connection with your research.
  • Credit. We will publicly credit researchers who responsibly disclose valid vulnerabilities, if they wish to be named.

Scope

In-scope targets include plvnapp.com and all its subdomains, the PLVN iOS and Android apps, and the PLVN API (api.plvnapp.com). Out-of-scope issues include denial-of-service attacks, social engineering of PLVN staff, physical attacks, and vulnerabilities in third-party services we use (please report those directly to the relevant vendor).

We do not currently offer a monetary bug bounty programme, but we sincerely appreciate the work of security researchers who help make PLVN safer for everyone.