1. Infrastructure
- HTTPS everywhere on downitx.com and subdomains
- API hosted on Fly.io with isolated volumes for user files
- Frontend on Vercel with security headers and content security policy
- OpenCut editor database isolated in a dedicated Postgres schema
2. Authentication
- Passwords hashed with industry-standard algorithms
- JWT sessions with configurable expiry
- Rate limiting on login, registration, and webhooks
- Admin access restricted to explicitly seeded production accounts
3. Secrets & BYOA
OpenRouter API keys you add in Settings are encrypted at rest and used only for your subtitle jobs. We never log raw API keys in application logs.
4. Payments
Card data is handled entirely by Stripe. We store Stripe customer IDs and subscription status only — not full payment card numbers.
5. Reporting vulnerabilities
If you discover a security issue, email support@downitx.com with details. Please do not disclose it publicly before we have had a reasonable time to respond.