Security

Elyto is built with security as a core requirement, not an afterthought.

  • AES-256-GCM encryption for Gmail OAuth tokens at rest
  • API keys hashed with pepper — never stored in plaintext
  • HMAC-SHA256 webhook signatures with timestamp replay protection
  • Tenant isolation on every database query
  • Rate limiting on all public and API endpoints
  • Cloudflare Turnstile on authentication flows
  • Audit logs for sensitive actions
  • Security headers: X-Frame-Options, CSP-ready, nosniff

Report vulnerabilities: security@elyto.in