How We Keep Your
Data Safe

Authentication & Sessions

• —Firebase Authentication with secure email-based identity management
• —HMAC-SHA256 signed session cookies for edge-compatible middleware
• —Session cookies are httpOnly, Secure, and SameSite=Strict — inaccessible to JavaScript and cross-site requests
• —D Number + Surname dual validation required for DTAP simulator access
• —All protected routes (dashboard, profile) guarded by server-side middleware
• —Automatic session expiry and re-authentication on return visits

Data Storage & Access

• —Firebase Firestore with granular security rules enforced at the database level
• —Users can only read and write their own documents — enforced server-side, not client-side
• —Counter and system-level documents have no client access whatsoever
• —All data encrypted at rest using Google Cloud infrastructure
• —All data encrypted in transit using TLS 1.2 or higher
• —Firebase Admin SDK used exclusively server-side — never exposed to the client

API Security

• —DTAP_GAME_API_KEY required on all simulator-to-platform API calls
• —Rate limiting on /api/validate: maximum 10 requests per minute per IP address
• —Rate limiting on /api/register to prevent automated account creation
• —401 Unauthorized returned on invalid D Number or surname mismatch
• —403 Forbidden returned on missing or invalid API key
• —All API routes use Next.js server-side route handlers — no client exposure

Infrastructure & Headers

• —HTTPS enforced on all endpoints via Vercel — no plain HTTP connections accepted
• —Content Security Policy (CSP) headers configured on all responses
• —X-Frame-Options: DENY — prevents clickjacking attacks
• —X-Content-Type-Options: nosniff — prevents MIME type sniffing
• —app.simulyn.io fully blocked from search engine indexing via robots.txt
• —Environment variables for all secrets — never hardcoded in source code

Payment Security

• —All payment processing handled exclusively by Stripe
• —SimuLyn OÜ does not store, process, or have access to card details at any point
• —Stripe is PCI DSS Level 1 certified — the highest level of payment security
• —Webhook signatures verified server-side to prevent payment event spoofing
• —No card data ever passes through Simulyn servers or databases

Incident Response

• —Security incidents are assessed and triaged within 24 hours of detection
• —Affected users are notified within 72 hours of confirmed data breach, in compliance with GDPR Article 33
• —Relevant supervisory authority (Estonian Data Protection Inspectorate) notified as required
• —Account suspension procedures in place for compromised accounts
• —Contact contact@simulyn.io immediately if you suspect a security incident

Principle of Least Privilege

Access to production systems and user data is restricted to only those with a legitimate operational need. No unnecessary permissions are granted at any level of the stack.

Secure Development Practices

All secret keys and API credentials are managed as environment variables and never committed to source control. Production and development environments are strictly separated.

GDPR Compliance

SimuLyn OÜ operates as a data controller under GDPR as an EU-registered entity. Data processing agreements are in place with all third-party service providers who handle personal data.

Minimal Data Collection

We collect only the personal data that is strictly necessary to provide our service. We do not collect or retain data beyond what is described in our Privacy Policy.

Third-Party Vetting

We select service providers with strong security credentials: Google Cloud (Firebase), Stripe (PCI DSS Level 1), Resend, and Vercel — all of which operate under robust data protection frameworks.

Continuous Review

Our security practices are reviewed and updated on an ongoing basis to address new threats, changes in technology, and developments in applicable security standards.