
Security

Last updated: March 20, 2026

Protecting your data is our priority. We apply a multi-layered approach to security, using industry best practices and standards.

🔒 HTTPS Everywhere
🔐 OAuth 2.0
🎯 PCI-DSS Level 1
🇪🇺 EU Data Residency

1. Data Encryption

All data is protected by encryption at every level:

  • In transit: all traffic between your browser and TubeForge servers is encrypted using TLS 1.3. We enforce HTTPS on all pages and APIs without exception.
  • At rest: all data in the database and file storage is encrypted using AES-256. Backups are also stored in encrypted form.

2. Authentication

TubeForge uses Google OAuth 2.0 for user authentication. This means:

  • We do not store passwords — authentication is delegated to Google
  • Standard OAuth 2.0 protocol with PKCE is used
  • Session tokens are stored in HttpOnly cookies with the Secure and SameSite attributes set
  • CSRF protection via CSRF tokens
  • Automatic logout for inactive sessions

3. Payment Security

Payment processing is fully delegated to Stripe — a world-leading payment platform with PCI-DSS Level 1 certification (the highest level of security in the payments industry).

  • Credit card numbers never pass through our servers
  • Payment forms are rendered via secure Stripe iframes
  • We only store the Stripe Customer ID and Subscription ID for account management
  • Stripe provides fraud protection through Stripe Radar

4. Data Residency (EU)

All TubeForge data is stored on servers physically located in the European Union:

  • Primary application servers — EU (OVH, France)
  • Database — EU
  • Backups — EU
  • File storage — EU

EU data residency ensures compliance with GDPR and other European data protection regulations.

5. Security Audits

We conduct regular security assessments:

  • Regular vulnerability scanning (automated and manual)
  • Dependency and library audits for known vulnerabilities
  • 24/7 infrastructure security monitoring
  • Automated security patch updates

6. SOC 2 Type II

TubeForge is in the process of preparing for SOC 2 Type II certification, which verifies compliance with the following principles:

  • Security — protection against unauthorized access
  • Availability — service availability
  • Confidentiality — data confidentiality
  • Processing Integrity — processing integrity
  • Privacy — personal data protection

Status: certification preparation (in progress).

7. Infrastructure Security

  • Firewall and IP-based access restrictions
  • SSH authentication by keys only (passwords disabled)
  • VPN for internal service communications (WireGuard)
  • Automated database backups
  • API rate limiting for DDoS protection
  • HTTP security headers (HSTS, CSP, X-Frame-Options)

8. Responsible Vulnerability Disclosure

We value the community's help in ensuring TubeForge's security. If you discover a security vulnerability, please report it to us:

Email: security@tubeforge.co

We ask that you:

  • Do not publicly disclose the vulnerability until it is resolved
  • Do not exploit the vulnerability to access other users' data
  • Provide sufficient information to reproduce the issue

We commit to acknowledging receipt of your report within 48 hours and providing a status update within 7 business days.

© 2026 TubeForge. All rights reserved.