ShowRec Security Policy
Effective June 17, 2026
We take the security of your recordings and account seriously. This page summarizes the measures we use and how to report a vulnerability.
Data in transit & at rest
- All traffic is served over HTTPS/TLS; the API and web app share one origin so session cookies stay first-party.
- Recordings and thumbnails are stored on Cloudflare R2 object storage and served via short-lived signed URLs.
- Access to private and password-protected videos is checked on every request.
Authentication
- Sign-in is passwordless (email magic link) or Google OAuth — we never store passwords.
- Sessions use signed, expiring tokens (JWT) delivered as secure, HTTP-only cookies.
- Admin actions are gated by a server-side allow-list.
Privacy by design
- Recording happens only when you start it, using official browser/OS capture APIs.
- Viewer IP addresses are hashed, never stored in raw form.
- Payment card data is handled entirely by Paddle; we never see or store it.
- The desktop app window is excluded from screen capture so controls never leak into a recording.
Platform hardening
- Rate limiting on authentication and upload endpoints.
- Server-side enforcement of plan limits (recording length, quality, storage, quotas).
- Automated, encrypted database backups.
- Optional error monitoring with no recording content in logs.
Reporting a vulnerability
If you believe you’ve found a security issue, please email showrec.io@gmail.com with details and steps to reproduce. Please give us a reasonable chance to investigate and fix the issue before any public disclosure. We appreciate responsible disclosure.