Security & privacy

Real security, no theatre.

We built LinkVerse.Work on the idea that trust isn't asked for — it's demonstrated. Here is exactly what we do to protect your data, and what we don't yet do.

We don't ask you to trust us. We show you how trust is built — layer by layer, decision by decision.

Layers of protection

Six pillars holding up the platform

Each one is implemented and active in production today.

Encrypted communication

All traffic between your browser and LinkVerse.Work uses TLS 1.3 with forward secrecy. Insecure versions are disabled at the server.

TLS 1.3

Password hashing

Your passwords are never stored as plaintext. We use bcrypt — industry-standard, OWASP-recommended — with a random per-user salt.

argon2id

Two-factor authentication

TOTP support via Google Authenticator, Authy or 1Password. Compatible with any app that follows the RFC 6238 standard.

RFC 6238

Social login via OAuth

Native integration with Google, Microsoft, GitHub, Discord, Facebook and LinkedIn. We never receive your password — only the authorised token.

OAuth 2.0

OWASP Top 10 defences

CSRF tokens on every form, automatic XSS escaping, parameterised queries against SQLi, proper security headers.

CSRF · XSS · SQLi

Data in PostgreSQL

PostgreSQL 16 database with encryption at rest, daily encrypted backups and role separation to scope access.

PostgreSQL · Backups

Architecture

How your data travels

Every connection between components is encrypted and authenticated. Your request flows through these layers:

Your browser
  ↓ TLS 1.3
Cloudflare Edge (WAF · DDoS protection)
  ↓
LinkVerse.Work app (PHP-FPM · Nginx)
  ↓ Internal TLS
Database (PostgreSQL 16)

No personal data leaves the European Union. All servers are hosted in ISO 27001 certified EU datacentres.

Our commitments

What we promise — and deliver

Zero third-party tracking

No Google Analytics, no Facebook Pixel, none of that. We don't sell your data. You pay with money, never with attention.

Your data is yours

Right to access, rectify, port and erase — always, in two clicks. GDPR-compliant from day one.

Real deletion

When you delete your account, it really is gone. No eternal "soft delete". Data is removed from backups within 30 days.

EU hosting

Servers in European datacentres. Your data doesn't cross the Atlantic and isn't subject to the US CLOUD Act.

What we don't yet have — and we admit it

We aim for production-grade quality, not to look like more than we are. Here is what we cannot yet promise:

  • SOC 2 or ISO 27001 certification (we haven't passed the audit yet — it's on the roadmap).
  • Contractual 99.9% SLA (we don't have enough operational history to guarantee it yet).
  • Enterprise SSO (SAML, SCIM) — available for Enterprise customers when that tier launches.

When these change, we update this page. Not before.

Responsible disclosure

Found a vulnerability?

We are grateful to those who help us improve. We treat every report seriously and reply within 48 hours.

01 · Report privately

Email [email protected] with a technical description, repro steps and estimated impact. Don't publish before the fix.

02 · Acknowledged in 48h

You get an acknowledgement with an estimated fix window. For severe issues we act in hours.

03 · Coordinated disclosure

Once fixed, you can publish your finding. We give public credit if you wish — always with your consent.

[email protected] · PGP available on request

Trust built in code.

Create your account. Inspect the privacy controls. Decide for yourself.