How we keep your account safe
The controls and cryptography that protect your subscription, your license, and your show data. No marketing fluff — just what's actually in place, described honestly.
Step-Up Authentication
Destructive account actions re-challenge you for your password, even inside an authenticated session.
- Applies to cancel, change plan, resume, and device deactivation.
- Also applies to change email, change password, disable TOTP, delete account.
- Step-up validity window: 10 minutes. After that, the next destructive action re-prompts.
- OAuth-only accounts with NO_PASSWORD_SET are routed to set a password first.
- Five failed attempts temporarily lock the account for 15 minutes.
Session Tokens & Rotation
Sessions are signed with Ed25519 and bound to their original context. Nothing about your session is guessable from a cookie alone.
- Ed25519 session tokens — modern elliptic-curve signatures, not shared secrets.
- Dual-key rotation — we can rotate the signing key without invalidating live sessions.
- Session binding — the token is tied to user agent + IP class; hijacking a cookie to a different context breaks it.
- Server-enforced token_changed / banned checks on every request.
Two-Factor Authentication
TOTP (RFC 6238) support for every account. Enrollment requires step-up; removal also requires step-up — you can't lower your own security bar silently.
- Standard 6-digit TOTP codes, compatible with 1Password, Authy, Google Authenticator, Yubico Authenticator.
- Recovery codes issued at setup — each usable once; single-use status is tracked server-side.
- TOTP disable requires the current TOTP code plus a step-up password; requiring both rules out a one-shot compromise.
Licensing & Device Control
Your license is cryptographically bound to your devices and verifiable offline, with drift and rollback detection.
- Licenses signed by an Ed25519 server key; the desktop app ships the public key and verifies locally.
- Two-device limit per subscription — deactivation from the dashboard frees a slot immediately.
- 7-day offline grace period — shows keep running without internet for a full week at a time.
- Clock-rollback detection — changing your system clock doesn't extend the grace window.
Transport & Data
Everything in transit is TLS-terminated at our edge; nothing sensitive is logged.
- HTTPS-only with HSTS (includeSubDomains, preload-eligible).
- Strict Content-Security-Policy with script-src allowlisting and no unsafe-eval.
- Payment data is never handled by us — Paddle is the merchant of record and the card tokenizer.
- Passwords are hashed with Argon2id using parameters tuned above the OWASP 2024 baseline.
Responsible Disclosure
We want to hear from security researchers. Our policy is published as security.txt per RFC 9116.
- Contact: security@cuesync.live
- Expected acknowledgement window: 72 hours.
- No safe-harbor paperwork required for good-faith research on production infrastructure.
- See /.well-known/security.txt for the canonical disclosure record.
Infrastructure Hygiene
We run a small, auditable surface — fewer moving parts, fewer attack vectors.
- Static site + JAM stack APIs. No long-running services with privileged secrets on the public web.
- Background workers (email bounce auto-recovery, dunning state, session cleanup) are Cron-driven and idempotent.
- Observability via Sentry (errors + replays, no PII) and PostHog (product analytics, consent-gated).
- Dead-letter queue visibility in the account dashboard when a user action fails to complete.
Compliance & Data Rights
We comply with GDPR, CCPA, and the core tenets of responsible data stewardship.
- You can export your account data and license history on request via support@cuesync.live.
- You can delete your account — identity rows, session tokens, and device records are purged. Billing history is retained only as long as legally required, then purged.
- Cookies are consent-gated. Analytics and ads trackers do not load until you accept.
Found something concerning? Email security@cuesync.live — we read every report and respond within 72 hours. Policy: security.txt.