Trust
Security
Last updated: May 11, 2026
This page summarizes security-relevant behavior of the Discrofy V2 application as shipped in this repository. Your production posture also depends on how you host Postgres, secrets, TLS certificates, and network access.
Transport and sessions
Browser traffic to the production website should be served over HTTPS. Dashboard authentication uses signed, HTTP-only session cookies. Platform admin uses a separate cookie and opaque server-side session records.
Credentials and secrets
User passwords are stored as one-way hashes (not reversible plaintext). API keys and secrets (for example database URLs, Stripe keys, Discord client secrets, AI provider keys) belong in environment variables or a secrets manager—never in client-side bundles.
Data at rest
Encryption at rest for the application database and backups is provided by your infrastructure provider (for example disk encryption managed by the cloud vendor). Discrofy does not implement a separate application-layer encryption envelope for all tables by default.
Access and subprocessors
Operational access to production systems should follow least privilege for your team. Customer content may flow through subprocessors you enable—such as Discord, Stripe, Resend, and configured AI vendors—under their respective security programs.
Responsible disclosure
If you believe you have found a security vulnerability, email [email protected] with enough detail to reproduce the issue. Please allow reasonable time for a fix before public disclosure.
Two-factor authentication
Workspace users can enable TOTP-based two-factor authentication from Settings → Security. When enabled, sign-in requires a time-based code from an authenticator app (or a one-time backup code). Sensitive actions — unlinking servers, disconnecting Discord, blueprint replace apply, and billing changes — also require password confirmation and, when 2FA is on, a valid code.
Platform admin console access uses a separate admin session and TOTP flow; tenant 2FA does not replace admin credentials.
Compliance claims
Certifications (for example SOC 2) and formal penetration test reports are not claimed by this marketing page. Customers requiring evidence should request it under contract.