Encryption & Security
Last updated: May 2026 · Effective: May 1, 2026
Security is a design principle at Zlyqor, not an afterthought. This page documents how we protect your data at rest, in transit, and throughout our infrastructure — from the moment you type your password to the moment your data is stored on disk.
1. Data in Transit
All traffic between your browser or the desktop app and our servers is encrypted with TLS 1.3, the current industry standard. We enforce HTTPS for every connection and send an HTTP Strict Transport Security (HSTS) header, so a browser that has seen it will refuse to fall back to plaintext HTTP (the "SSL stripping" downgrade). Connections over the legacy TLS 1.0 and 1.1 protocols are rejected outright. Our TLS certificates are issued by a publicly trusted Certificate Authority and are renewed automatically before expiry so that encryption coverage never lapses.
2. Data at Rest
All data in our MongoDB database is encrypted at rest with AES-256, the Advanced Encryption Standard with a 256-bit key, widely adopted for its combination of performance and cryptographic strength. Encryption is applied at the infrastructure (volume) level by our hosting provider: the underlying storage media is encrypted independently of the application layer. This protects the data if a disk is lost, stolen or decommissioned; it does not by itself limit what an authenticated database or application client can read, which is why the access controls in section 6 matter as well. Encryption keys are stored and managed separately from the encrypted data, following the principle of key separation so that no single component holds both.
3. Password Security
User passwords are never stored in plaintext: not in the database, not in logs, not anywhere. We hash them with bcrypt at a cost factor of 12, that is 2^12 rounds of bcrypt's expensive key setup, which deliberately makes offline brute-force attacks slow. bcrypt generates a unique random salt for every password and stores it alongside the hash, so two users with the same password get different hashes and precomputed rainbow tables are useless. When you reset your password, the previous hash is overwritten immediately. We enforce a minimum password length and check new passwords against a curated list of known-breached credentials so that commonly compromised passwords cannot be used.
4. Authentication Tokens
Zlyqor uses JWT (JSON Web Tokens) for session management. Our token implementation follows security best practices:
- Stored in HttpOnly, Secure, SameSite=Strict cookies rather than localStorage or sessionStorage: page scripts cannot read the cookie, so an XSS flaw cannot exfiltrate the token, and SameSite=Strict stops the browser attaching it to cross-site requests (CSRF)
- Fixed lifetime: tokens expire 7 days after issue and are not silently renewed without user interaction
- Invalidated immediately on logout or password change: there is no grace period in which an old token remains valid
- Signed with a secret key that is stored securely in environment variables and rotated periodically
We do not use OAuth or delegate authentication to third-party identity providers; all credentials are handled directly by Zlyqor, giving you full control over your account security without external dependencies.
5. Desktop Agent Privacy
The Zlyqor Agent (desktop app) collects only what is necessary for time tracking:
- Active application name (e.g., "Visual Studio Code")
- Window title (e.g., "project.ts — MyProject")
- Active, idle, and focus time durations
The Agent does not take screenshots, record audio or video, log keystrokes, read clipboard content, access file contents, or transmit any sensitive screen data. All collected data is transmitted to our servers over TLS and is immediately visible to you in your Tracking dashboard. You can pause or stop the Agent at any time from the menu bar icon.
6. Infrastructure Security
Our infrastructure is hosted in European data centres with providers that hold SOC 2 Type II attestation reports. Our operational security practices include:
- Principle of least privilege: internal team members have access only to the systems and data required for their role
- Network isolation between services: the database layer is not publicly accessible and communicates only with authorised application services
- Regular dependency updates: we monitor for known CVEs and apply security patches promptly
- Automated vulnerability scanning: continuous scanning of our codebase and dependencies for security issues
- Security monitoring and alerting: automated detection of anomalous access patterns, failed authentication spikes, and other indicators of compromise
7. Responsible Disclosure
If you discover a security vulnerability in Zlyqor, we encourage you to report it responsibly. Please email a description of the issue, steps to reproduce it, and any relevant proof-of-concept to security@zlyqor.com. We will acknowledge your report within 48 hours and keep you updated on our progress. We aim to resolve critical issues within 7 days of confirmed receipt. We do not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they do not exploit or publicly disclose the issue before it is resolved.
Found a vulnerability? Contact security@zlyqor.com — we respond within 48 hours.