Security
Elyto is built with security as a core requirement, not an afterthought.
- AES-256-GCM encryption for Gmail OAuth tokens at rest
- API keys hashed with pepper — never stored in plaintext
- HMAC-SHA256 webhook signatures with timestamp replay protection
- Tenant isolation on every database query
- Rate limiting on all public and API endpoints
- Cloudflare Turnstile on authentication flows
- Audit logs for sensitive actions
- Security headers: X-Frame-Options, CSP-ready, nosniff
Report vulnerabilities: security@elyto.in