Last updated: March 2026
At Pixovia, security is foundational — not an afterthought. Every photo uploaded to Pixovia is a personal memory. We take our responsibility to protect that seriously.
This page explains the security measures we have in place and how you can report a vulnerability.
Infrastructure Security
Data encryption
- In transit: All data between your device and Pixovia is encrypted using TLS 1.3. We enforce HTTPS everywhere — HTTP connections are automatically redirected to HTTPS
- At rest: Photos and all database content are encrypted at rest using AES-256 through our storage provider (Supabase, backed by AWS in Singapore)
- Authentication tokens: Session tokens are stored in httpOnly cookies, not localStorage, to prevent XSS-based token theft
Hosting & infrastructure
- Database: Supabase PostgreSQL hosted in AWS ap-southeast-1 (Singapore) — SOC 2 Type II certified
- Application: Deployed on Vercel — SOC 2 Type II certified, with automatic DDoS protection
- Storage: Supabase Storage backed by AWS S3 — AES-256 encryption at rest
- Payments: Processed by Stripe — PCI DSS Level 1 compliant. Pixovia never touches or stores raw card data
Access Control
Row-Level Security (RLS)
Our database enforces Row-Level Security policies at the database layer — not just application layer. This means:
- Hosts can only read and modify their own events and photos
- Guests can only upload to events that are active and accepting uploads
- No user can access another user's data, even if the application layer has a bug
- API keys and service role keys are never exposed to the client
Authentication
- Magic link login — hosts receive a time-limited (1 hour) single-use link sent to their email. No passwords are stored
- OAuth (Google, Facebook) — authentication tokens are handled by Supabase Auth; we do not store OAuth credentials
- Session expiry — sessions expire after 7 days of inactivity and require re-authentication
Guest access
- Guest event pages require only the event URL. For sensitive events, hosts can add a PIN/password for an additional layer of protection
- Guests do not have accounts; they cannot access any host dashboard or management functions
Application Security
Rate limiting
Upload endpoints are rate-limited to 10 uploads per IP address per minute to prevent abuse and protect against bulk upload attacks.
Input validation
- All file uploads are validated for MIME type and file size (max 20MB) before processing
- SQL injection is prevented by using parameterised queries via the Supabase client — raw SQL strings are never constructed from user input
- XSS prevention: React's built-in escaping handles output encoding; Content Security Policy (CSP) headers are configured at the Vercel edge
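One way to implement the MIME type and size check from the list above, as an added example that is not Pixovia's code: the type is taken from the file's leading bytes and compared with what the client declared. The allow-list of image types, the function names and the reading of 20MB as 20 × 1024 × 1024 bytes are assumptions.

```javascript
// Added example, not Pixovia's code: check an upload's size and its real
// type (from leading bytes) instead of trusting the declared Content-Type.
// Assumptions: the allow-list below, and 20MB read as 20 * 1024 * 1024 bytes.
const MAX_BYTES = 20 * 1024 * 1024;

const SIGNATURES = [
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Returns the detected MIME type, or null when no signature matches.
function sniffMime(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.mime;
    }
  }
  // WebP layout: "RIFF", 4-byte length, then "WEBP".
  if (
    buf.length >= 12 &&
    buf.toString("latin1", 0, 4) === "RIFF" &&
    buf.toString("latin1", 8, 12) === "WEBP"
  ) {
    return "image/webp";
  }
  return null;
}

// buf is a Node.js Buffer holding the uploaded bytes.
function validateUpload(buf, declaredMime) {
  if (buf.length === 0) return { ok: false, reason: "empty" };
  if (buf.length > MAX_BYTES) return { ok: false, reason: "too_large" };
  const actual = sniffMime(buf);
  if (!actual) return { ok: false, reason: "unsupported_type" };
  if (actual !== declaredMime) return { ok: false, reason: "type_mismatch", actual };
  return { ok: true, mime: actual };
}
```

The size cap is also worth enforcing as a request body limit, so an oversized upload is rejected before it is buffered in full.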
Dependency security
- We run automated dependency audits via `npm audit` on every deployment
- Critical security patches are applied within 24 hours of disclosure
- We use Dependabot (GitHub) for automated dependency update PRs
Content Safety
CSAM detection
Pixovia uses automated perceptual hash scanning against known CSAM databases (integrated at the upload layer) to detect and block child sexual abuse material. Any detected content is immediately removed and reported to the Singapore Police Force (SPF), the Internet Content Provider registration authority where applicable, and the NCMEC CyberTipline. The associated account is permanently banned.
Abuse reporting
If you encounter content on Pixovia that you believe violates our Terms of Service or applicable law, please report it immediately:
Email: abuse@pixovia.app
Response SLA: We review abuse reports within 24 hours and act within 48 hours for urgent reports.
Data Breach Response
In the event of a confirmed data breach affecting personal data:
- We will contain the breach and assess its scope within 24 hours of discovery
- We will notify affected users by email within 72 hours of confirming the breach (as required by PDPA SG and PDPA TH)
- We will notify the relevant data protection authority as required by applicable law:
  - Malaysia: JPDP (notifiable if involving sensitive personal data)
  - Singapore: PDPC (mandatory for breaches affecting 500+ individuals)
  - Thailand: PDPC TH (within 72 hours)
- We will publish a post-incident report within 30 days
Responsible Disclosure
We welcome security researchers. If you discover a vulnerability in Pixovia, please report it responsibly:
Email: security@pixovia.app
PGP Key: Available on request
What to include in your report
- Description of the vulnerability and affected component
- Steps to reproduce (proof-of-concept if available)
- Potential impact assessment
- Your contact details for follow-up
Our commitments to researchers
- We will acknowledge your report within 48 hours
- We will provide an initial assessment within 7 days
- We will not pursue legal action against researchers acting in good faith
- We will credit you in our security acknowledgements (if you wish)
- We will aim to fix confirmed vulnerabilities within 30 days for high/critical severity
Scope — In scope for reports
- pixovia.app and all subdomains
- Pixovia mobile web app behaviour
- Authentication and session management
- Data access control and RLS bypass
Out of scope
- Social engineering attacks against Pixovia staff
- Denial of service (DoS) attacks
- Physical attacks against our infrastructure
- Vulnerabilities in third-party services (report those directly to the vendor)
- Issues that require physical access to a user's device
Security Certifications & Compliance
| Provider | Certifications |
|---|---|
| Supabase (AWS ap-southeast-1) | SOC 2 Type II, ISO 27001, PCI DSS |
| Vercel | SOC 2 Type II |
| Stripe | PCI DSS Level 1 |
Pixovia itself is an early-stage startup and is not yet independently certified. We follow security best practices aligned with OWASP Top 10 and intend to pursue SOC 2 Type II certification as we scale.
Questions
For general security questions that are not vulnerability reports: Email: security@pixovia.app