Security

Trust is something we earn every day

SSHOW uses industry-standard encryption, least-privilege access controls, and continuous monitoring to protect your content and your account. Our policies and procedures are documented openly.

Principles

Four security commitments

Not features — promises. These shape every decision we make.

  • Encryption end to end

    TLS 1.2+ in transit, AES-256 at rest. No data leaves the boundary in cleartext.

  • Least-privilege access

    Role-based permissions and single-use tokens grant exactly what's needed — nothing more.

  • Continuous monitoring

    Anomalous logins and suspicious traffic patterns are detected and acted on in real time.

  • Recoverability

    Daily backups and multi-region replication mean data survives the worst day.

Data protection

How we store your content

Encryption in transit
All APIs and static assets are served only over HTTPS (TLS 1.2+). Plaintext requests are auto-upgraded; HSTS preload registration is in progress.
Encryption at rest
Project files, assets, and database backups are stored encrypted with AES-256. Passwords are one-way hashed with bcrypt (12 rounds) — we never see them.
Backups and replication
The database keeps daily automated backups plus hourly snapshots. Asset storage is asynchronously replicated across multiple regions.
Tenant isolation
Team and user data is logically isolated. Authorization checks run at every API boundary; there is no bypass path to raw storage.

Account security

Controls in your hands

Two-factor authentication (2FA)
Pair a TOTP authenticator app and your account stays safe even if your password leaks. Enable it under Settings → Security.
Session management
Review your active sessions and remotely sign out any device you don't recognize — instantly.
Sign-in history
Recent sign-in attempts are logged with IP and device metadata. If you see something unfamiliar, rotate your password immediately.
Trusted devices
Mark your everyday devices as trusted to reduce friction without sacrificing the second factor on new hardware.

Responsible disclosure

Security researchers, please report it

If you discover a vulnerability, please tell our security team before disclosing publicly. We'll work with you all the way through the fix.

  1. Report privately

     Use the form or email below — not public channels. Include the impacted scope, reproduction steps, and environment details so we can triage quickly.

  2. Acknowledgment within 1 business day

     We confirm receipt within one business day and propose a timeline based on severity.

  3. Coordinated disclosure

     Once the fix is shipped, we publish on a mutually agreed date. Reporters are credited in our hall of thanks (if desired).

Please do not publicly disclose unpatched vulnerabilities — affected users need to be protected first.

Need deeper security documentation?

We can help with enterprise evaluations, security questionnaires, and DPA requests.