Policy Centre
Security

Protecting accounts and operations.

Last updated 13 July 2026. This page describes controls currently represented in the production code and how to report a security concern.

Current security controls

NetworkProduction traffic uses HTTPS/TLS, HSTS, restrictive response headers, exact-origin CORS, request-size limits, and route-specific rate limits.Protects data in transit and reduces common browser and API abuse.
AccountsPasswords use one-way hashes; verification and reset tokens are time-limited and stored as hashes.Plain-text passwords and raw reset tokens are not intended to be stored in the database or logs.
SessionsWeb sessions use Secure, HttpOnly, SameSite=Strict, host-bound cookies. iOS credentials use operating-system secure storage. Administrator sessions are short-lived.Reduces exposure to script access and limits session lifetime.
Client boundaryClients use the API and do not receive direct database access. The public API accepts the supported iOS release and rejects retired consumer Android clients.Centralises authorisation and version enforcement.
Audit and safetyAuthentication outcomes, administrator reads and actions, reports, blocks, moderation signals, and privacy requests create minimised audit records. Emergency statements use a dedicated encryption key in production.Supports accountability and incident investigation.
RecoveryDeployment tooling provides encrypted database backups, integrity checks, rotation, and restore verification.Supports recovery while limiting backup lifetime.

Security limits

No service, encryption method, or review process guarantees that an incident cannot occur. Dog Meetup does not claim that every account, user statement, park, or device is independently verified. Security depends on keeping supported app versions current, protecting administrator credentials, monitoring alerts, testing restores, rotating secrets, and responding promptly to reports. Planned controls must not be described as active until they are implemented and verified.

Report a vulnerability

Email dev@prints3d.org with the affected page or app version, safe steps to reproduce, expected impact, and any non-sensitive screenshot or log. Do not include passwords, session tokens, or another person's personal data. We will acknowledge and triage credible reports as resources permit.

Rules for responsible testing

Incident response and personal-data breaches

The response process is to contain the event, preserve relevant evidence, identify affected systems and data, rotate credentials where needed, restore safely, and document decisions. A service outage is not automatically a personal-data breach. If a breach is likely to create a risk to people, Dog Meetup assesses notification to the Irish Data Protection Commission without undue delay and, where required, within 72 hours of awareness. People affected by a likely high-risk breach are informed without undue delay when the law requires it.

Security records and privacy

Logs are designed to contain event facts such as an action, account or target identifier, timestamp, user agent, app version, and hashed IP context. They must not contain raw passwords or session tokens. Access is limited to a legitimate security, privacy, support, moderation, or legal purpose and administrator reads are themselves audited.