Security and data protection

Last updated: Nov.11.2025
Contact: [email protected]

XPR HUB is an interactive, community-focused platform for the XPR Network. This page summarizes how we protect user data, accounts, and content created across AskHub, tutorials, polls, and other site features.

Data privacy and security at a glance

• Minimal data by design. We only collect what’s needed to deliver core features (e.g., wallet address for login, content you publish, and basic analytics).
• Encryption. All traffic is protected with HTTPS/TLS. Stored data is encrypted at rest where supported by our infrastructure.
• Access control. Admin access follows least-privilege and is protected by multi-factor authentication (MFA).
• Monitoring. We maintain logs for security events and service health; access to logs is restricted.
• Backups & recovery. Regular backups of critical application data with tested restore procedures.
• Vulnerability management. We keep OS, web server, and application dependencies updated and apply security fixes promptly.

Product security

Authentication

• WebAuth Wallet / Wallet-based login. Users sign in by proving ownership of a wallet. We do not store private keys.
• Session management. Session tokens are short-lived and bound to secure cookies with appropriate flags.

Data encryption

• In transit: TLS 1.2+ for all endpoints.
• At rest: Disk-level encryption for databases and storage where supported.

Network & infrastructure

• Hardened stack. Linux (LTS), Nginx, and a minimal service footprint with firewall rules.
• DDoS & edge protections. Traffic is routed through a modern CDN/WAF where appropriate.
• Segregation. Staging and production are logically separated; secrets are stored outside source code.

Application security

• Secure coding. Input validation, output escaping, and CSRF protections on privileged actions.
• Rate limiting. Abuse and brute-force protections on sensitive endpoints.
• File handling. Strict MIME checks and size limits for uploads.

Internal security

• Least privilege & MFA for all administrators.
• Change management with peer review on code and infrastructure changes.
• On/off-boarding processes to promptly grant and revoke access.
• Device security (disk encryption, auto-lock, OS patches) for admin workstations.

Responsible disclosure

If you believe you’ve found a security issue, email [email protected] with details and a proof of concept. Please avoid public disclosure until we confirm and fix the issue. We’ll acknowledge valid reports and keep you updated.