we treat your creator account like a bank, and your senders' anonymity like a constitutional right.
01 · the architecture
- all infra is in eu-west-2 (london) and replicated to us-east-1 for edge speed.
- databases are encrypted at rest (aes-256) and in transit (tls 1.3).
- row-level security on every user-scoped table in postgres. no creator can read another creator's data via the api, ever.
- no shared infrastructure between yap moderation and user data — separate vpcs.
02 · how we authenticate you
- passwords (when used) hashed with argon2id, never md5, never sha-anything.
- session tokens are short-lived (1 hour) jwts with sliding refresh.
- magic links expire in 15 minutes, single-use, scoped to the email's most-recent device.
- google/apple sign-in via standard oidc.
- 2fa available via authenticator app from any settings screen.
03 · what we encrypt
yap text, voice notes, image attachments, and analytics: all encrypted at rest with managed keys (kms). keys rotate quarterly.
device fingerprints are doubly hashed: once on the client (sha-256), again on the server with a peppered salt. we can match fingerprints, but if our database leaked, an attacker still couldn't reverse them to a user.
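an added illustration of the two-step fingerprint hashing described above (not yap's own code): it assumes the server step is hmac-sha-256 keyed with a pepper stored outside the database, which this page does not specify. the function names and sample fingerprints are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: the pepper is a 32-byte secret kept outside the database
# (for example in a KMS), so a database dump alone never contains it.
PEPPER = secrets.token_bytes(32)

# Constructed sample fingerprints; real ones are low-entropy strings like these.
SAMPLE_FINGERPRINTS = [
    "ua=Mozilla/5.0;tz=Europe/London;screen=1920x1080",
    "ua=Mozilla/5.0;tz=Europe/Berlin;screen=1440x900",
    "ua=Safari/17.4;tz=America/New_York;screen=1170x2532",
]


def client_hash(raw_fingerprint: str) -> str:
    """Step 1, on the device: plain SHA-256 of the raw fingerprint."""
    return hashlib.sha256(raw_fingerprint.encode("utf-8")).hexdigest()


def server_hash(client_digest: str, pepper: bytes) -> str:
    """Step 2, on the server: keyed hash of the client digest (assumed HMAC)."""
    return hmac.new(pepper, client_digest.encode("ascii"), hashlib.sha256).hexdigest()


def matches(stored: str, client_digest: str, pepper: bytes) -> bool:
    """Same device and same pepper give the same stored value, so lookups work."""
    return hmac.compare_digest(stored, server_hash(client_digest, pepper))


def enumerate_candidates(leaked: str, candidates, pepper_guess: bytes):
    """Audit check: can a leaked row be tied to a known fingerprint?

    Enumerating plausible fingerprints only succeeds when pepper_guess is
    the real pepper; with the database alone, every candidate misses.
    """
    for raw in candidates:
        if hmac.compare_digest(leaked, server_hash(client_hash(raw), pepper_guess)):
            return raw
    return None


if __name__ == "__main__":
    stored = server_hash(client_hash(SAMPLE_FINGERPRINTS[1]), PEPPER)
    print("match:", matches(stored, client_hash(SAMPLE_FINGERPRINTS[1]), PEPPER))
    print("no pepper:", enumerate_candidates(stored, SAMPLE_FINGERPRINTS, b"\x00" * 32))
```

a bare sha-256 of a fingerprint could be enumerated from the database alone, because the input space is small; the keyed server step is what makes the stored value depend on a secret the database does not hold.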
04 · in transit
- tls 1.3 everywhere. hsts preloaded. no http fallback.
- certificate transparency monitoring active.
- strict csp on every page. no inline scripts in production.
05 · how we stop abuse
- per-fingerprint rate limits. 10 yaps/hour to any single creator. enforced at the edge.
- cross-creator abuse detection. a fingerprint that gets blocked by 10+ creators in 24 hours is shadow-banned platform-wide.
- captcha challenge. invisible cloudflare turnstile on every send. visible challenge for suspicious traffic.
- ai pre-filtering. every yap classified before delivery. ~400ms.
06 · bug bounty
we pay for vulnerability reports. real money.
- critical (rce, sender de-anonymization, mass data exfiltration): $5,000
- high (account takeover, privilege escalation): $1,500
- medium (xss, csrf, ssrf): $500
- low (everything else useful): $100
report to security@yapat.me. pgp key on request. we'll acknowledge within 48 hours, fix critical within 7 days, and credit you publicly (unless you'd prefer not).