Room Prompt

Security

Your security and privacy are our top priorities. This page outlines the security measures we implement to protect your data.

Authentication & Access Control

OAuth 2.0 with Google

We use Google OAuth 2.0 for authentication, eliminating the need for password management on our platform. Benefits include:

  • No passwords stored on our servers
  • Industry-standard OAuth 2.0 protocol
  • Two-factor authentication support (via your Google account)
  • Secure token-based authentication

Better Auth Framework

Our authentication is powered by Better Auth, a modern authentication library with:

  • Secure session management with token rotation
  • CSRF protection on all authenticated requests
  • Automatic session expiration after 30 days of inactivity
  • IP address and user agent tracking for anomaly detection
  • Secure cookie handling with HttpOnly and SameSite flags

Session Security

Every session includes:

  • Unique session tokens: Cryptographically secure random tokens
  • IP address tracking: Detect suspicious login locations
  • User agent tracking: Identify device changes
  • Expiration timestamps: Automatic logout after inactivity

Database Security

PostgreSQL with Encryption

We use PostgreSQL for data storage with the following security measures:

  • Encryption at rest: All data is encrypted on disk
  • Encryption in transit: TLS/SSL for all database connections
  • Access control: Role-based permissions and least privilege principle
  • Connection pooling: Managed via secure connection strings
  • Automatic backups: Regular encrypted backups with point-in-time recovery

Drizzle ORM

We use Drizzle ORM for database operations, providing:

  • Type-safe SQL queries preventing injection attacks
  • Parameterized queries for all user inputs
  • Schema validation and type checking
  • Automatic escaping of dangerous characters
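The mechanism behind the "parameterized queries" bullet is worth seeing concretely. The following is an added illustration, not Drizzle's implementation or Room Prompt's code: a minimal tagged-template helper that keeps the SQL text separate from user-supplied values (the same principle Drizzle's `sql` template follows), shown beside the string-concatenation pattern it replaces. The table and column names are assumptions made up for the example.

```typescript
// Added example (not Drizzle's code): a tagged template that turns interpolated
// values into bound parameters instead of splicing them into the SQL text.

interface ParameterizedQuery {
  text: string;      // SQL with $1, $2, ... placeholders (PostgreSQL style)
  values: unknown[]; // bound parameters, sent to the driver separately from the text
}

function sql(strings: TemplateStringsArray, ...params: unknown[]): ParameterizedQuery {
  const values: unknown[] = [];
  let text = "";
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < params.length) {
      // The value never touches the SQL string; only a placeholder does.
      values.push(params[i]);
      text += `$${values.length}`;
    }
  });
  return { text, values };
}

// Unsafe counterpart: concatenation lets the input become SQL syntax.
// Kept here only to contrast with the parameterized form.
function unsafeUserQuery(email: string): string {
  return `SELECT id FROM users WHERE email = '${email}'`;
}

// Safe form: whatever the caller passes arrives at the database as data.
function safeUserQuery(email: string): ParameterizedQuery {
  return sql`SELECT id FROM users WHERE email = ${email}`;
}
```

A real driver receives `text` and `values` as two arguments, so the database parses the statement before it ever sees the values; that separation, not character escaping, is what makes the query immune to injection.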

Transaction Atomicity

Critical operations like credit spending and purchases use database transactions to ensure:

  • All-or-nothing execution (no partial failures)
  • Prevention of race conditions in concurrent operations
  • Accurate credit balance tracking
  • Idempotency for payment webhooks (duplicate protection)

Infrastructure & Hosting

Vercel Platform

Room Prompt is hosted on Vercel, providing:

  • Enterprise-grade security and compliance (SOC 2 Type II certified)
  • Automatic HTTPS with TLS 1.3
  • DDoS protection and WAF (Web Application Firewall)
  • Edge network with global CDN for fast, secure delivery
  • Zero-downtime deployments

Vercel Blob Storage

User-uploaded and AI-generated images are stored on Vercel Blob Storage with:

  • Private access by default (requires authentication)
  • Encryption at rest and in transit
  • Unique, non-guessable URLs
  • Automatic content type validation

Environment Variables

Sensitive configuration (API keys, database credentials) is stored as:

  • Encrypted environment variables on Vercel
  • Never committed to version control
  • Separate configurations for development and production
  • Automatic rotation policies for secrets

API & Third-Party Security

OpenRouter / Google Gemini AI

Image generation uses OpenRouter as a gateway to Google Gemini 2.5 Flash Image:

  • API key authentication with secure headers
  • Images transmitted over HTTPS
  • No long-term image storage by OpenRouter
  • Request tracking with HTTP-Referer and X-Title headers

Polar Payment Processing

Polar handles all payment processing with PCI DSS compliance:

  • We never store or handle credit card information
  • Webhook signature verification for all payment events
  • Idempotency checks to prevent duplicate credit awards
  • Secure sandbox environment for testing
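The "Transaction Atomicity" and "Polar Payment Processing" sections both describe the same handler shape: verify the webhook signature, then award credits exactly once. Below is an added example that is not Room Prompt's or Polar's code. The signature scheme (HMAC-SHA256 over `<timestamp>.<raw body>`, hex-encoded, with a replay window) and the secret value are assumptions chosen for illustration; a real integration must follow the provider's documented scheme. The in-memory `CreditLedger` stands in for the two tables a real handler would update inside one database transaction.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not Room Prompt's or Polar's code). Constructed sample secret;
// a real secret would come from an encrypted environment variable.
const WEBHOOK_SECRET = "whsec_constructed_example_secret";
const MAX_SKEW_SECONDS = 300; // events older than this are treated as replays

// Provider-side signing (assumed scheme), included so the example is self-contained.
function signEvent(secret: string, rawBody: string, timestamp: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

function verifySignature(secret: string, rawBody: string, timestamp: string,
                         signature: string, nowSeconds: number): boolean {
  const ts = Number(timestamp);
  if (!Number.isFinite(ts) || Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) return false;
  const expected = Buffer.from(signEvent(secret, rawBody, timestamp), "hex");
  const given = Buffer.from(signature, "hex");
  // Constant-time comparison; a length mismatch is a definite failure.
  return expected.length === given.length && timingSafeEqual(expected, given);
}

interface CreditEvent { id: string; userId: string; credits: number }

// Stand-in for "processed webhook ids" and "credit balances" tables. In a real
// handler both updates happen in one transaction so a crash cannot leave the
// event marked processed without the balance change (or vice versa).
class CreditLedger {
  private processed = new Set<string>();
  private balances = new Map<string, number>();

  balance(userId: string): number {
    return this.balances.get(userId) ?? 0;
  }

  // Returns true if credits were awarded, false if this event id was seen before.
  applyOnce(event: CreditEvent): boolean {
    if (this.processed.has(event.id)) return false; // idempotency check
    this.processed.add(event.id);
    this.balances.set(event.userId, this.balance(event.userId) + event.credits);
    return true;
  }
}

type Outcome = "credited" | "duplicate" | "rejected";

// Order matters: authenticate the payload before parsing or acting on it.
function handleWebhook(ledger: CreditLedger, rawBody: string, timestamp: string,
                       signature: string, nowSeconds: number): Outcome {
  if (!verifySignature(WEBHOOK_SECRET, rawBody, timestamp, signature, nowSeconds)) return "rejected";
  const event = JSON.parse(rawBody) as CreditEvent;
  return ledger.applyOnce(event) ? "credited" : "duplicate";
}
```

Two details carry the security weight: the comparison uses `timingSafeEqual` rather than `===`, and the duplicate check keys on the provider's event id, so a retried delivery (which providers do send) returns "duplicate" instead of awarding credits twice.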

Rate Limiting

API endpoints implement rate limiting to prevent abuse:

  • Per-user rate limits on image generation
  • Credit-based throttling (1 credit per generation)
  • Protection against brute force attacks
  • Automatic blocking of suspicious activity
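The rate-limiting bullets combine two controls: a per-user request ceiling and a credit cost per generation. As an added example (not Room Prompt's implementation), the sliding-window limiter below applies both in one decision path. The window size, request ceiling and the `Decision` names are assumptions; the clock is passed in so the behaviour is deterministic.

```typescript
// Added example (not Room Prompt's code): per-user sliding-window rate limiting
// combined with a credit check for an image-generation endpoint.

interface LimiterConfig {
  maxRequests: number; // allowed requests per window (assumed value in the test)
  windowMs: number;    // window length in milliseconds
}

class UserRateLimiter {
  private hits = new Map<string, number[]>();

  constructor(private readonly cfg: LimiterConfig) {}

  // Returns true and records the request if the user is under the limit.
  // Denied requests are not recorded, so a throttled user is not penalised further.
  allow(userId: string, nowMs: number): boolean {
    const cutoff = nowMs - this.cfg.windowMs;
    const recent = (this.hits.get(userId) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.cfg.maxRequests) {
      this.hits.set(userId, recent);
      return false;
    }
    recent.push(nowMs);
    this.hits.set(userId, recent);
    return true;
  }
}

type Decision = "allowed" | "rate_limited" | "insufficient_credits";

// Rate limit first, then credits: a throttled request must not spend a credit.
// `balances` stands in for the credit column a real handler would update in a transaction.
function authorizeGeneration(limiter: UserRateLimiter, balances: Map<string, number>,
                             userId: string, nowMs: number, costCredits = 1): Decision {
  if (!limiter.allow(userId, nowMs)) return "rate_limited";
  const balance = balances.get(userId) ?? 0;
  if (balance < costCredits) return "insufficient_credits";
  balances.set(userId, balance - costCredits);
  return "allowed";
}
```

Checking the rate limit before the credit balance keeps the two controls independent: a burst of requests is refused cheaply without touching the ledger, and only requests that pass both checks reach the AI gateway.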

Monitoring & Incident Response

Application Monitoring

  • Real-time error tracking and alerting
  • Performance monitoring for API endpoints
  • Anomaly detection for unusual patterns
  • Audit logs for sensitive operations (credit spending, payments)

Security Updates

  • Automatic dependency updates via Dependabot
  • Regular security audits of npm packages
  • Prompt patching of critical vulnerabilities
  • TypeScript strict mode for type safety

Incident Response

In the event of a security incident, we:

  • Immediately investigate and contain the issue
  • Notify affected users within 72 hours
  • Document the incident and response actions
  • Implement preventive measures to avoid recurrence

Development & Deployment Security

Secure Development Practices

  • TypeScript: Type safety to prevent runtime errors
  • ESLint: Automated code quality and security checks
  • Testing: Unit, integration, and E2E tests for critical flows
  • Code review: All changes reviewed before deployment
  • Git: Version control with protected branches

Deployment Pipeline

  • Automated testing before each deployment
  • Production builds with optimized security headers
  • Database migrations with rollback capability
  • Zero-downtime deployments

Security Best Practices

What We Recommend

To maximize your account security:

  • Enable two-factor authentication (2FA) on your Google account
  • Use a strong, unique password for your Google account
  • Keep your browser and operating system up to date
  • Log out from shared or public devices
  • Review your session activity regularly
  • Report suspicious activity immediately

What We Never Do

  • We never ask for your Google password
  • We never store credit card information
  • We never sell your personal data to third parties
  • We never send unsolicited emails asking for sensitive information

Data Protection Compliance

Room Prompt is committed to compliance with data protection regulations including:

  • GDPR: General Data Protection Regulation (EU)
  • CCPA: California Consumer Privacy Act
  • SOC 2: Via Vercel hosting infrastructure

For more information on how we handle your data, see our Privacy Policy.

Responsible Disclosure

If you discover a security vulnerability in Room Prompt, we encourage responsible disclosure:

  • Email us at security@roomprompt.app
  • Provide detailed information about the vulnerability
  • Allow us reasonable time to address the issue before public disclosure
  • We will acknowledge your report within 48 hours

We appreciate the security research community's efforts in keeping Room Prompt safe.

Questions?

If you have questions about our security practices, please contact us:
