Security

How we protect your data and keep ProjHQ secure.

Encryption

All data is encrypted in transit via TLS 1.3 (Cloudflare). Database connections use encrypted channels. Sensitive credentials are stored as environment variables, never in code.

Authentication

Sign-in uses GitHub OAuth 2.0 with a server-side flow. Session tokens are stored in cookies set with the HttpOnly, Secure, and SameSite attributes. No passwords are stored.

Infrastructure

Hosted on DigitalOcean with Coolify for deployment orchestration. Cloudflare provides DDoS protection and WAF. PgBouncer manages database connection pooling.

AI Safety

AI features require explicit organization consent. Input sanitization prevents prompt injection. Rate limiting and abuse detection protect against misuse. Your data is never used to train models.

Access Controls

ProjHQ implements role-based access control (RBAC) at multiple levels: site-level admin roles (super admin, moderator), organization-level roles (owner, deputy, member), and project-level roles (lead, deputy lead, member). Each role has specific permissions that cannot be escalated without proper authorization.

Rate Limiting & Abuse Detection

All API endpoints and AI features are rate-limited using Redis-backed atomic counters. Our abuse detection system monitors for suspicious patterns such as organization hopping, excessive token usage, and unusual access patterns. When abuse is detected, the system automatically suspends AI access and notifies administrators.

Vulnerability Reporting

If you discover a security vulnerability in ProjHQ, please report it responsibly by contacting [email protected]. We take all reports seriously and will respond within 48 hours. Please do not disclose the vulnerability publicly until we have had an opportunity to address it.

Data Retention

AI usage logs are retained based on your subscription tier (7 to 180 days). Project data is retained as long as the organization is active. When an organization is deleted, all associated data is permanently removed within 30 days.