Security at Vynix

• HTTPS everywhere, with traffic encrypted in transit using modern TLS.
• Secure authentication: passwords hashed with bcrypt and access tokens cryptographically signed.
• Access controls that scope every request to the right user, workspace and project.
• Defence-in-depth response headers (nosniff, frame protection, HSTS, referrer and permissions policy).

• Screenshots are encrypted at rest using authenticated encryption (libsodium).
• All uploads and API calls are encrypted in transit over TLS.
• Workspaces and projects are private by default, with no public access unless you explicitly share.
• Annotation data is scoped to the project that created it and never shared across accounts.

• Email and password sign-in, with optional two-factor authentication (TOTP) and single-use backup codes.
• Email verification and signed, single-use password-reset links.
• Sessions are protected with signed, expiring tokens.
• Audit logging records key security events such as sign-in and project creation or deletion.

The Vynix browser extension is built to capture only what an annotation needs. It deliberately never collects:

• Passwords or saved browser credentials.
• Cookies or session cookies.
• Authentication or bearer tokens, JWTs and API keys.
• localStorage or sessionStorage contents.