Security

All payments are processed by Stripe. We never see or store your full card number — card data goes directly to Stripe's PCI-DSS Level 1 infrastructure. Payment webhooks are signature-verified on the raw request body before any account is credited.

• Passwords are hashed with bcrypt; we never store them in plaintext.
• You can sign in with Google, a one-time email link, or a password.
• Sign-up is protected against abuse with server-side risk scoring.

Data is encrypted in transit (TLS) and at rest. Workspace conversations are accessible only to the account that owns them. Provider API keys and payment secrets live only in server-side environment variables — they are never sent to the browser and never appear in logs or error messages. How we handle personal data is detailed in our Privacy Policy.

We run on Vercel (application) and Neon (PostgreSQL), both providing managed, access-controlled infrastructure with automated backups. Every balance-changing operation runs inside a database transaction so credits can never be double-spent or lost to a race.

If you discover a security vulnerability, please report it privately to security@token-wallet.ai before disclosing it publicly. Include enough detail to reproduce the issue. We will acknowledge your report, investigate promptly, and keep you updated. We do not pursue legal action against good-faith researchers who follow this policy and avoid privacy violations, data destruction, and service disruption.