Security at Frodito

Your trust is our priority. We're committed to protecting your data.


Our Commitment to Security

At Frodito, security is at the core of everything we do. We understand that you're trusting us with sensitive team data and personal information. That's why we've implemented comprehensive security measures, industry best practices, and robust infrastructure to protect your data at every level.

This page outlines our security practices, technical safeguards, and compliance measures to give you confidence in the safety of your information.

Data Encryption

Encryption in Transit

All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) with strong cipher suites. This applies to:

  • Web application access (HTTPS)
  • Mobile application API calls
  • Authentication and session management
  • File uploads and downloads
  • Payment processing via Stripe

Encryption at Rest

Your data is encrypted when stored in our systems:

  • Passwords: Hashed using bcrypt with 10 salt rounds (an industry-standard, one-way password hash; the plaintext cannot be recovered from the stored value)
  • Database: MongoDB with encryption at rest enabled
  • File storage: AWS S3 with server-side encryption (SSE)
  • Backups: Encrypted database backups

Authentication and Access Control

Strong Password Requirements

We enforce strict password requirements to protect your account:

  • Minimum 12 characters
  • Uppercase letter
  • Lowercase letter
  • Number
  • Special character

Passwords are never stored in plain text and are hashed using bcrypt, a battle-tested cryptographic hashing algorithm designed for password security.

Token-Based Authentication

We use JSON Web Tokens (JWT) with a dual-token system for secure, stateless authentication:

  • Access Tokens: Short-lived (15 minutes) tokens for API authentication
  • Refresh Tokens: Longer-lived (7 days) tokens stored in secure HTTP-only cookies
  • Automatic expiration: Tokens expire and must be renewed regularly
  • Token rotation: New tokens issued on login, old tokens invalidated on logout
  • Database validation: Refresh tokens validated against server records to prevent unauthorized access

Role-Based Access Control (RBAC)

Team access is controlled through granular role-based permissions:

  • Owner: Full control over team settings, members, and billing
  • Admin: Manage members and team settings
  • Member: Access team prompts and content

Each API request is authenticated and authorized based on team membership and role before processing.

Application Security

Rate Limiting and DDoS Protection

We implement sophisticated rate limiting to prevent abuse and protect service availability:

  • Authentication endpoints: 5 requests per 15 minutes
  • Feed endpoints: 30 requests per minute
  • Team management: 20 requests per minute
  • General API: 60 requests per minute
  • Public API: 100 requests per 15 minutes
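An added example (not Frodito's code) of a per-client sliding-window limiter configured with the five limits above; the Express-style middleware at the end assumes `req.ip` and the `res.set`/`res.status().json()` chain, and the client identifiers in any test input are constructed.

```javascript
// Limits quoted on this page, keyed by endpoint class.
const RATE_POLICIES = {
  auth:    { limit: 5,   windowMs: 15 * 60 * 1000 },
  feed:    { limit: 30,  windowMs: 60 * 1000 },
  team:    { limit: 20,  windowMs: 60 * 1000 },
  general: { limit: 60,  windowMs: 60 * 1000 },
  public:  { limit: 100, windowMs: 15 * 60 * 1000 },
};

class SlidingWindowLimiter {
  constructor(policies = RATE_POLICIES) {
    this.policies = policies;
    this.log = new Map(); // "<policy>:<client>" -> timestamps (ms) of requests still in the window
  }

  // Returns { allowed, remaining, retryAfterMs }. A denied request is not recorded,
  // so a client hammering the endpoint does not push its own window further out.
  check(policyName, clientId, nowMs = Date.now()) {
    const policy = this.policies[policyName];
    if (!policy) throw new Error(`unknown rate-limit policy: ${policyName}`);
    const key = `${policyName}:${clientId}`;
    const recent = (this.log.get(key) || []).filter((t) => nowMs - t < policy.windowMs);
    if (recent.length >= policy.limit) {
      this.log.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + policy.windowMs - nowMs };
    }
    recent.push(nowMs);
    this.log.set(key, recent);
    return { allowed: true, remaining: policy.limit - recent.length, retryAfterMs: 0 };
  }
}

// Express-style middleware factory (assumed API: req.ip, res.set, res.status().json()).
function rateLimit(limiter, policyName) {
  return (req, res, next) => {
    const result = limiter.check(policyName, req.ip);
    res.set("RateLimit-Remaining", String(result.remaining));
    if (result.allowed) return next();
    res.set("Retry-After", String(Math.ceil(result.retryAfterMs / 1000)));
    return res.status(429).json({ error: "Too many requests" });
  };
}
```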

HTTP Security Headers

We use Helmet.js to set security-focused HTTP response headers, protecting against common vulnerabilities:

  • X-Frame-Options to prevent clickjacking
  • X-Content-Type-Options to prevent MIME sniffing
  • Strict-Transport-Security (HSTS) to enforce HTTPS
  • X-XSS-Protection for cross-site scripting mitigation
  • Referrer-Policy for privacy control

Input Validation and Sanitization

All user input is validated and sanitized to prevent injection attacks:

  • Email format validation using validator.js
  • MongoDB ObjectId validation before database queries
  • Schema-level validation with Mongoose
  • Request size limits (10MB maximum) to prevent resource exhaustion
  • String normalization (trimming, lowercase conversion where appropriate)
  • Enum restrictions on status and type fields

Cross-Origin Resource Sharing (CORS)

Our API implements strict CORS policies with an allowlist of approved origins. Only requests from our web application (frodito.com) and authorized domains are permitted, preventing unauthorized cross-origin requests.

Secure Session Management

  • HTTP-only cookies prevent JavaScript access to sensitive tokens
  • SameSite cookie attribute prevents CSRF attacks
  • Secure cookie flag ensures transmission only over HTTPS
  • Automatic token expiration and cleanup

Data Storage and Privacy

Minimal Data Retention

We minimize data retention to reduce risk and protect your privacy:

  • Posts and responses: Automatically deleted after 24 hours using TTL (Time-To-Live) indexes
  • Daily prompts: Automatically deleted at end of day
  • Team invitations: Auto-expire after 7 days
  • Session tokens: Expire after 7 days and are automatically purged

This ephemeral approach ensures that sensitive team content doesn't persist indefinitely, reducing exposure risk.

Database Security

  • Connection pooling (10-50 connections) for stability and performance
  • Indexed fields for optimized queries and reduced attack surface
  • Unique constraints on critical fields (email, payment IDs)
  • No direct database access from public internet
  • Regular automated backups with encryption
  • Database credentials stored in secure environment variables

Data Isolation

Team data is strictly isolated. Users can only access content from teams they're members of. All queries are filtered by team membership, and authorization checks are performed before any data access operation.

Geographic Data Storage

Your data is primarily stored in the European Union (AWS EU-West-1 region) to comply with GDPR and provide data sovereignty for European customers.

Payment Security

We never handle or store your credit card information. All payment processing is managed by Stripe, a PCI-DSS Level 1 certified payment processor — the highest level of security certification in the payments industry.

What Stripe handles:

  • Credit card processing
  • Secure card storage
  • Payment authentication (3D Secure)
  • Fraud detection and prevention
  • PCI compliance

What we store:

  • Stripe Customer ID (anonymous identifier)
  • Subscription status and plan information
  • Billing period dates

No card numbers, CVVs, or sensitive payment data is ever stored on our servers.

Webhook Security

Stripe webhooks are verified using signature validation to ensure that payment events are authentic and haven't been tampered with. We validate every webhook request before processing to prevent fraudulent subscription changes.

Infrastructure and Hosting

Cloud Service Providers

We use industry-leading, security-certified cloud providers:

Amazon Web Services

  • S3 for file storage (EU-West-1)
  • ISO 27001, SOC 2 certified

MongoDB Atlas

  • Database hosting
  • SOC 2 Type II certified

Render.com

  • Application hosting
  • Enterprise-grade infrastructure

Network Security

  • Firewalls and network segmentation
  • Private network communication between services
  • No direct SSH access to production databases
  • Regular security patches and updates
  • DDoS mitigation at infrastructure level

Compliance and Standards

GDPR Compliance

We comply with the EU General Data Protection Regulation, giving you control over your personal data with rights to access, rectify, delete, and port your information.

Data Protection

We follow industry best practices for data protection, including encryption, access controls, and minimal data retention policies.

PCI Compliance

Payment card data is handled exclusively by Stripe, a PCI-DSS Level 1 certified processor, ensuring the highest payment security standards.

Privacy by Design

Security and privacy are built into every feature from the ground up, with automatic data expiration and minimal data collection.

Incident Response

In the unlikely event of a security incident:

  • We have an incident response plan to quickly identify, contain, and remediate security issues
  • Affected users will be notified within 72 hours as required by GDPR
  • We will provide clear information about what happened and what steps we're taking
  • Post-incident analysis and improvements will be implemented
  • We maintain detailed security logs for forensic analysis

Our commitment is to transparency, rapid response, and continuous improvement of our security posture.

Your Role in Security

Security is a shared responsibility. Here's how you can help protect your account:

Do:

  • Use a strong, unique password
  • Log out on shared devices
  • Keep your email account secure
  • Review team member access regularly
  • Report suspicious activity immediately
  • Keep your mobile app updated

Don't:

  • Share your password with anyone
  • Use the same password for multiple services
  • Click suspicious links in emails
  • Provide your login credentials to third parties
  • Use public Wi-Fi without a VPN
  • Leave your account logged in unattended

Responsible Disclosure

We welcome security researchers and ethical hackers to help us maintain the security of Frodito. If you discover a security vulnerability, please:

  1. Email us at support@frodito.com with details of the vulnerability
  2. Give us reasonable time to respond and fix the issue before public disclosure
  3. Avoid accessing or modifying user data without permission
  4. Do not use vulnerabilities for malicious purposes

We commit to acknowledging your report within 48 hours and keeping you informed of our progress. We appreciate responsible disclosure and will recognize researchers who help us improve our security.

Continuous Improvement

Security is not a one-time effort. We continuously improve our security posture through:

  • Regular security audits and assessments
  • Dependency updates and vulnerability scanning
  • Monitoring security advisories for our technology stack
  • Team security training and awareness programs
  • Penetration testing and code reviews
  • Staying current with industry best practices and emerging threats

Contact Our Security Team

Have questions about our security practices? Want to report a security concern?

Security Issues: support@frodito.com

Privacy Questions: support@frodito.com

General Support: support@frodito.com

Security Response Time: We aim to respond to security reports within 48 hours. Critical vulnerabilities are addressed immediately.


Your trust means everything to us. We're committed to earning it every day.

