How we protect your data, code, and account.
All connections are encrypted with TLS 1.3. API requests, WebSocket connections, and OAuth flows are fully encrypted.
Sign-in uses Google OAuth 2.0 with PKCE. Sessions use signed JWTs with short expiry and secure httpOnly cookies.
All payments are processed by Stripe. We never store card numbers, CVVs, or bank details on our servers.
Your generated code is delivered to your local machine. We do not store game code or prompts on our servers after generation completes.
Server-side secrets are stored in encrypted environment variables. They are never exposed to the client.
All responses are served with X-Frame-Options, Content-Security-Policy, and X-Content-Type-Options headers and strict CORS policies.
Found a vulnerability? Responsible disclosure is appreciated.
Contact security@oofstudio.app