Our Commitment: At Backlinks.tools, the security and integrity of your data are our top priority. We implement industry-standard measures and continuously improve our security posture to protect your account, your data, and your connected integrations.
1. Infrastructure Security
HTTPS Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or TLS 1.3 (HTTPS). Unencrypted HTTP connections are automatically redirected to HTTPS.
Secure Data Centres
Our infrastructure is hosted on enterprise-grade cloud providers with physical security, redundancy, and 24/7 monitoring.
Firewalls & DDoS Protection
We employ network-level firewalls and DDoS mitigation systems to protect our services from malicious traffic and abuse.
Database Security
Databases are not publicly accessible. All access is restricted to application servers within a private network and is protected by strict access control lists.
2. Account & Authentication Security
- Password Hashing: User passwords are never stored in plain text. We store credentials using bcrypt, which hashes each password with a strong, unique per-password salt.
- Session Management: Session cookies are set with the Secure, HttpOnly, and SameSite attributes to prevent session hijacking and cross-site attacks.
- CSRF Protection: All state-changing requests are protected with CSRF tokens to prevent cross-site request forgery.
- Rate Limiting: Login attempts and API requests are rate-limited to prevent brute-force and credential-stuffing attacks.
- Automatic Session Expiry: Inactive sessions are automatically terminated to reduce the risk of unauthorized access.
3. API & Third-Party Integration Security
3.1 Instagram / Meta API Integration
When you connect your Instagram Professional account, we use the official Meta OAuth 2.0 flow. Your Instagram password is never shared with or stored by Backlinks.tools.
- We request only the minimum necessary permissions (least-privilege principle).
- OAuth access tokens are stored encrypted in our database.
- Tokens are used only server-side and are never exposed to the browser or to third parties.
- Long-lived tokens are refreshed automatically to maintain uninterrupted service.
3.2 Payment Security
All payment processing is handled by a PCI-DSS-compliant payment processor (Razorpay). We do not store, log, or have access to your full card number, CVV, or other payment credentials at any time.
4. Data Protection
- Data Minimisation: We only collect and store data that is strictly necessary to provide our services.
- Access Controls: Access to production data is restricted to authorised personnel only, on a need-to-know basis.
- Data Backups: Regular encrypted backups preserve data integrity and enable recovery in the event of a disaster.
- Data Isolation: Each user's data is logically isolated to prevent cross-account data access.
5. Application Security
- Input Validation & Sanitisation: All user inputs are validated and sanitised server-side to prevent SQL injection, XSS, and other injection attacks.
- Prepared Statements: All database queries use parameterised prepared statements to prevent SQL injection.
- Content Security Policy (CSP): We enforce a strict CSP to mitigate the risk of cross-site scripting attacks.
- Dependency Management: Third-party dependencies are regularly reviewed and updated to patch known vulnerabilities.
6. Reporting a Security Vulnerability
We take all security reports seriously. If you discover a potential security vulnerability in our platform, please report it to us responsibly before disclosing it publicly.
Responsible Disclosure: Please email us at [email protected] with the subject line "Security Vulnerability Report". Include a detailed description of the issue, steps to reproduce, and potential impact. We will acknowledge your report within 48 hours and work to resolve valid issues promptly.
We kindly ask that you:
- Do not access, modify, or delete any data that does not belong to you.
- Do not perform attacks that could harm the availability of our service.
- Do not publicly disclose the issue until we have had a reasonable opportunity to address it.
7. Security Updates & Notifications
In the event of a data breach that affects your account, we will notify you promptly via email in accordance with applicable data protection laws. Our notification will include:
- A description of what happened and what data was affected
- Steps we have taken to contain and remediate the issue
- Recommended actions for you to protect your account
8. Contact
For security-related enquiries or to report a vulnerability:
- Email: [email protected]
- Subject line: "Security Vulnerability Report" or "Security Enquiry"