◐ Security Architecture
How we protect the platform and its users
○ Multi-Layer Protection
Transport Security
All traffic encrypted via TLS 1.3 between your browser and our servers
Application Security
Input validation, sanitization, and protection against common web vulnerabilities
Data Security
AES-256-GCM encryption at rest, HMAC hashing for identifiers
Infrastructure Security
Hosted on Vercel with automatic DDoS protection and edge security
○ Rate Limiting
Multiple rate limiting layers prevent abuse without impacting legitimate users:
Per-Device Limits
Prevents a single device from flooding the system
Cooldown Periods
Enforced waiting time between submissions
Daily Windows
Limits reset automatically each day
Abuse Detection
Pattern analysis identifies suspicious behavior
○ Abuse Prevention
- Device Fingerprinting — Non-identifying hash tracks devices for rate limiting
- Cookie Tracking — Persistent abuse prevention cookies
- IP Analysis — Hashed IP detection without storing actual addresses
- Spam Detection — Content analysis for repetitive or malicious patterns
- VPN/Proxy Detection — Monitoring for anonymization service abuse
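Added example, not the platform's own code: one way the per-device limit, cooldown and daily window from the Rate Limiting section can be keyed on HMAC-hashed IP and device identifiers, so no raw address is stored. The names hashIdentifier and SubmissionLimiter, the limit values and the in-memory Map are assumptions; a multi-instance deployment would need a shared store in place of the Map.

```javascript
// Added example; every name and limit here is an assumption.
const { createHmac } = require("node:crypto");

const DAY_MS = 24 * 60 * 60 * 1000;

// HMAC-SHA256 under a server-side secret. An unkeyed hash of an IPv4 address
// can be reversed by hashing all 2^32 addresses; the secret key prevents that.
function hashIdentifier(secret, kind, value) {
  return createHmac("sha256", secret)
    .update(`${kind}:${String(value).trim().toLowerCase()}`)
    .digest("hex");
}

class SubmissionLimiter {
  constructor({ secret, cooldownMs, dailyMax }) {
    this.secret = secret;
    this.cooldownMs = cooldownMs;
    this.dailyMax = dailyMax;
    this.state = new Map(); // HMAC digest -> { day, count, last }
  }

  // Returns { allowed, reason }. Only digests are kept, never raw identifiers.
  check(ip, deviceId, now = Date.now()) {
    const day = Math.floor(now / DAY_MS); // UTC day index: the daily window
    const keys = [
      hashIdentifier(this.secret, "ip", ip),
      hashIdentifier(this.secret, "device", deviceId),
    ];
    const entries = keys.map((k) => {
      const e = this.state.get(k);
      if (!e) return { count: 0, last: -Infinity };
      // A new day resets the count; the cooldown still spans midnight.
      return { count: e.day === day ? e.count : 0, last: e.last };
    });
    // Evaluate both keys before recording, so a refusal consumes no quota.
    for (const e of entries) {
      if (now - e.last < this.cooldownMs) return { allowed: false, reason: "cooldown" };
      if (e.count >= this.dailyMax) return { allowed: false, reason: "daily_limit" };
    }
    entries.forEach((e, i) => {
      this.state.set(keys[i], { day, count: e.count + 1, last: now });
    });
    return { allowed: true, reason: null };
  }
}
```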
○ Authentication Security
OAuth 2.0 with Google
We use Google OAuth for authentication — we never see or store your Google password. Sessions are managed with secure, httpOnly cookies.
Admin Verification
Admin access is restricted to a single hardcoded email address verified server-side. No client-side privilege escalation is possible.
Role-Based Access
Users can only access their own data. Applicants see only their feedback. Admins have moderation access with full audit logging.
○ Trust & Verification System
○ Audit Logging
All administrative actions are logged for accountability:
- Application status changes (approve, reject, delete)
- Feedback deletions with hashed identifiers
- Admin access timestamps and actions
- System security events