Security you can trust

Afterlight is built with security and privacy at the core — from encryption at rest to audit logging and server-side permission checks.

Encryption

Vault content, future messages, and business credentials are encrypted with AES-256-GCM using per-record keys derived from your application key.

Authentication

Passwords are hashed with Argon2id. Sessions use HttpOnly cookies with SameSite protection.

Private file storage

Uploads are stored outside the web root, behind authenticated download endpoints with ownership checks.

Billing security

Stripe handles all payment data. Webhook signatures are validated server-side; plan prices are never trusted from the browser.
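The server-side webhook check named above can be sketched as follows. This is an added example, not Afterlight's own code: it follows Stripe's documented `Stripe-Signature` scheme (HMAC-SHA256 over `timestamp.payload`), and the function names, secret, event body and 300-second tolerance are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window: reject events older than 5 minutes


class SignatureError(Exception):
    """Raised when a webhook must be rejected."""


def sign(secret: str, timestamp: int, payload: bytes) -> str:
    # Stripe signs "<timestamp>.<raw body>" with HMAC-SHA256 keyed by the endpoint secret.
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, header: str, secret: str, now=None) -> int:
    """Return the signed timestamp if the Stripe-Signature header is valid."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":  # other schemes are ignored; rotation can yield several v1
            candidates.append(value)
    if timestamp is None or not candidates:
        raise SignatureError("malformed Stripe-Signature header")
    if not (timestamp.isascii() and timestamp.isdigit()):
        raise SignatureError("malformed timestamp")

    # Verify over the raw request bytes, never over re-serialized JSON.
    expected = sign(secret, int(timestamp), payload).encode()
    # compare_digest keeps the comparison constant-time.
    if not any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        raise SignatureError("signature mismatch")

    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        raise SignatureError("timestamp outside tolerance")
    return int(timestamp)


# Constructed sample values: not a real secret and not a real Stripe event.
SECRET = "whsec_example_constructed"
BODY = b'{"type":"invoice.paid","data":{"object":{"id":"in_example"}}}'
T0 = 1_700_000_000
HEADER = f"t={T0},v1={sign(SECRET, T0, BODY)}"
```

Because the timestamp is part of the signed string, a captured request cannot be replayed later with a fresh `t` value without invalidating the signature.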

Audit logging

Significant actions — including billing changes — are recorded with metadata for review.

CSRF protection

All state-changing requests require valid CSRF tokens.