Trust

Security Information

Last updated: May 18, 2026

Security at MyAvatarZone is engineering work, not marketing copy. This page describes what we actually do, how to report a problem, and the rules we ask researchers to follow.

What's in place

The following controls are implemented today. Each one is verifiable by inspecting our server logs and route handlers.

  • Password hashing. bcrypt with per-user salts. Plain-text passwords are never stored.
  • Brute-force protection. Five consecutive failed sign-in attempts trigger a 15-minute lockout for the affected email. Lockouts are visible to admins and clear on successful auth from a recovery path.
  • Rate limiting. Per-IP request limits on authentication and sensitive endpoints. Aggressive sources are throttled.
  • Security headers. Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are set on every response. HSTS is honoured under HTTPS.
  • Upload validation. Magic-byte sniffing on all uploaded media. Declared MIME types are cross-referenced with the actual byte pattern; spoofed uploads are rejected with an audit row.
  • Webhook signatures. Cashfree webhooks are verified by HMAC-SHA256 over timestamp + raw_body using the per-environment secret. Mismatched, missing, or replayed signatures are rejected.
  • Admin route protection. Admin endpoints require an admin role bound to the auth token, not a URL pattern. Cross-tenant access attempts return 404 (no presence leak).
  • Audit logs. Privileged actions (password resets, admin bypasses, payment events, content policy violations) are logged with actor ID, IP, user agent, and timestamp.
  • Content policy filter. User-supplied prompts run through a runtime filter before they reach our LLM provider. Impersonation, copyrighted IP, deepfake framing, and explicit content are blocked with a 403 and an admin telemetry row.
  • Secret redaction. Provider error messages and audit payloads are passed through a sanitiser that strips API keys, tokens, and signed URLs before they're persisted.
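The upload-validation control above (magic-byte sniffing cross-referenced with the declared MIME type, rejection with an audit row) is shown here as an added example. This is not MyAvatarZone's code; the signature table, the set of accepted types, the 16-byte sniff window and the audit callback are assumptions made for the illustration.

```python
"""Magic-byte validation for uploaded media (added example, not MyAvatarZone's code).

Sniff the leading bytes of an upload, cross-reference them with the
client-declared MIME type, and reject spoofed or unrecognised uploads
with an audit record. The signature table and accepted-type list are
assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Each MIME type maps to a list of alternatives; an alternative is a list of
# (offset, bytes) pairs that must ALL match. GIF has two alternatives (87a/89a);
# WebP needs both the RIFF tag at 0 and the WEBP tag at offset 8.
SIGNATURES: Dict[str, List[List[Tuple[int, bytes]]]] = {
    "image/png":  [[(0, b"\x89PNG\r\n\x1a\n")]],
    "image/jpeg": [[(0, b"\xff\xd8\xff")]],
    "image/gif":  [[(0, b"GIF87a")], [(0, b"GIF89a")]],
    "image/webp": [[(0, b"RIFF"), (8, b"WEBP")]],
    "video/mp4":  [[(4, b"ftyp")]],          # ISO BMFF 'ftyp' box at offset 4
}
SNIFF_BYTES = 16   # assumed: enough to cover every offset+length above


@dataclass
class UploadDecision:
    accepted: bool
    detected: Optional[str]   # MIME type inferred from the bytes, if any
    reason: str               # short token suitable for an audit row


def sniff_mime(head: bytes) -> Optional[str]:
    """Return the MIME type whose magic bytes match the leading bytes, else None."""
    for mime, alternatives in SIGNATURES.items():
        for alt in alternatives:
            # A slice shorter than the signature never compares equal, so
            # truncated uploads fall through to None rather than matching.
            if all(head[off:off + len(sig)] == sig for off, sig in alt):
                return mime
    return None


def validate_upload(declared_mime: str, data: bytes,
                    audit: Callable[[dict], None]) -> UploadDecision:
    """Cross-reference the declared MIME type with the actual byte pattern.

    Rejections call `audit` with a row describing what was declared, what
    was detected, and why the upload was refused.
    """
    detected = sniff_mime(data[:SNIFF_BYTES])
    declared = declared_mime.split(";")[0].strip().lower()   # drop parameters
    if detected is None:
        reason = "unrecognised_magic"
    elif declared not in SIGNATURES:
        reason = "declared_type_not_allowed"
    elif detected != declared:
        reason = "mime_mismatch"
    else:
        return UploadDecision(True, detected, "ok")
    audit({"event": "upload_rejected", "declared": declared,
           "detected": detected, "reason": reason, "size": len(data)})
    return UploadDecision(False, detected, reason)


if __name__ == "__main__":
    audit_rows: List[dict] = []
    # Constructed sample inputs: a real PNG header, a JPEG header declared
    # as PNG, and an HTML document declared as an image.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
    jpeg_as_png = b"\xff\xd8\xff\xe0" + b"\x00" * 20
    html_as_png = b"<!doctype html><html></html>"
    for declared, blob in [("image/png", png), ("image/png", jpeg_as_png),
                           ("image/png", html_as_png)]:
        print(validate_upload(declared, blob, audit_rows.append))
    print(audit_rows)
```

The decision order matters: an upload whose bytes match nothing is refused before the declared type is even consulted, so a client cannot get a text or script file through simply by declaring a permitted image type.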
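The webhook-signature control above (HMAC-SHA256 over timestamp + raw_body with a per-environment secret, rejecting mismatched, missing and replayed signatures) is shown here as an added example. This is not MyAvatarZone's or Cashfree's code; the header names, the "." joining timestamp and body, the five-minute tolerance window and the in-memory replay cache are assumptions for the illustration.

```python
"""Webhook HMAC-SHA256 verification with replay rejection (added example,
not MyAvatarZone's or Cashfree's code).

Scheme, as described on the page: HMAC-SHA256 over timestamp + raw body using
a per-environment secret. Header names, the separator, the tolerance window
and the replay cache below are assumptions for this example.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumed header names; a real integration uses the provider's documented ones.
SIG_HEADER = "x-webhook-signature"
TS_HEADER = "x-webhook-timestamp"
MAX_SKEW_SECONDS = 300          # assumed: reject timestamps more than 5 min off


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over timestamp + '.' + raw body (separator is assumed)."""
    message = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Verifies webhooks for one environment's secret and remembers accepted
    signatures so a captured request cannot be delivered twice within the
    tolerance window. Signing the timestamp also makes old captures stale."""

    def __init__(self, secret: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self._seen: Dict[str, float] = {}    # accepted signature -> expiry

    def _purge(self, now: float) -> None:
        for sig in [s for s, exp in self._seen.items() if exp <= now]:
            del self._seen[sig]

    def verify(self, headers: Dict[str, str], raw_body: bytes,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason); reason is a short token for the audit log."""
        now = time.time() if now is None else now
        lowered = {k.lower(): v for k, v in headers.items()}   # case-insensitive
        signature = lowered.get(SIG_HEADER)
        timestamp = lowered.get(TS_HEADER)
        if not signature or not timestamp:
            return False, "missing"
        try:
            ts = int(timestamp)
        except ValueError:
            return False, "bad_timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        expected = compute_signature(self.secret, timestamp, raw_body)
        # Constant-time comparison; never compare MACs with ==.
        if not hmac.compare_digest(expected, signature):
            return False, "mismatch"
        # Only signatures that verified are cached, so unauthenticated
        # requests cannot fill the replay table.
        self._purge(now)
        if signature in self._seen:
            return False, "replay"
        self._seen[signature] = now + self.max_skew
        return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-test-secret"                 # constructed, not a real key
    body = b'{"order_id":"ord_123","status":"PAID"}'    # constructed payload
    ts = "1700000000"
    headers = {TS_HEADER: ts, SIG_HEADER: compute_signature(secret, ts, body)}
    v = WebhookVerifier(secret)
    print(v.verify(headers, body, now=1700000010))      # first delivery: accepted
    print(v.verify(headers, body, now=1700000011))      # same request again: replay
    print(v.verify(headers, body.replace(b"PAID", b"FAILED"), now=1700000010))
```

Two points carry the security weight: the MAC is computed over the raw bytes as received (re-serialising parsed JSON would let two different byte strings share a signature), and the replay cache is only written after a signature verifies, so it cannot be poisoned or flooded by unauthenticated traffic.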

What we don't claim

  • We do not claim our systems are "uncrackable" or "100% secure." No serious security team would.
  • We are not certified under SOC 2, ISO 27001, HIPAA, or PCI-DSS at this stage. When that changes, this page will document the certification and effective date.
  • We will not invent compliance claims to win contracts.

Responsible disclosure

If you discover a security issue, we want to hear about it. Email admin@myavatarzone.com with a clear description and reproduction steps. We commit to:

  • Acknowledging your report within 2 business days.
  • Providing an initial assessment within 5 business days.
  • Keeping you informed of remediation progress.
  • Crediting you publicly (with your permission) once a fix has shipped.

Safe-harbour

If you follow this disclosure policy, we will not pursue legal action against you for your good-faith research. To qualify for safe-harbour:

  • Make a good-faith effort to avoid privacy violations, data destruction, or service degradation.
  • Use only your own accounts (or test accounts you create solely for the research) when probing.
  • Give us a reasonable time to respond before any public disclosure.

Out of scope

The following are explicitly out of scope and are NOT covered by safe-harbour:

  • Destructive testing (DROP TABLE, deletion of others' data, etc.).
  • Denial-of-service attacks at any scale, including stress testing.
  • Social engineering of MyAvatarZone employees, vendors, or customers.
  • Physical attacks on infrastructure.
  • Reports based purely on automated scanner output without a reproducible exploit.
  • Issues in third-party services we use (HeyGen, Cashfree, etc.); please report those directly to the relevant provider.

What's not yet in place

We are honest about what is still on our roadmap:

  • A formal vulnerability-disclosure programme with a CVE-style tracker.
  • Automated dependency scanning in CI.
  • Penetration test by a third-party firm.
  • SOC 2 audit.

These are real next steps, not aspirational language. When they ship, this page is updated on the same day.

Contact

admin@myavatarzone.com is the primary channel. For urgent matters, copy krajapraveen@myavatarzone.com. Please include "SECURITY" at the start of the subject so we can prioritise.