Security Policy
Last updated: 17 June 2026
This Security Policy describes how TalesNTokens protects accounts, User Content, payments, marketplace activity, infrastructure, and data. It should be read with the Privacy Policy, Terms of Service, Cookie Policy, Trust and Safety Policy, and Data Retention Policy.
Definitions
"Security incident" means an event that compromises or may compromise confidentiality, integrity, availability, authentication, payments, User Content, or platform operations.
"Vulnerability" means a weakness that could be exploited to affect the Platform.
"Encryption in transit" means protecting data while it moves between users, TalesNTokens, and processors.
"Encryption at rest" means protecting stored data, including database contents, uploaded files, and backups, using the storage encryption features and access controls of TalesNTokens' infrastructure providers.
Scope
This policy applies to the website, Nuxt app, Supabase database and storage, Stripe payments, Resend email, Fly.io socket services, Cloudflare edge services, WebSockets, local browser storage, marketplace systems, creator uploads, public and private rooms, sandbox sessions, and bridge features.
Encryption In Transit
TalesNTokens uses HTTPS/TLS for web traffic and secure WebSocket connections where deployed. Stripe Checkout is served over HTTPS by Stripe. Supabase, Resend, Fly.io, and Cloudflare provide encrypted transport for their services according to their platform configurations.
Users should avoid submitting account, payment, or private room data from untrusted networks or from devices that lack normal protections such as up-to-date software, a screen lock, and no shared sign-in sessions.
Encryption At Rest
Stored data is protected by the storage and database security controls of TalesNTokens' infrastructure providers, including Supabase database and storage protections, Stripe payment infrastructure, Resend email systems, Fly.io infrastructure, and Cloudflare logs/caching where used. TalesNTokens should enable provider encryption-at-rest features, backup protections, and access controls before public launch.
Authentication Protections
The current platform uses Supabase magic-link authentication. TalesNTokens does not directly store plaintext passwords. Supabase handles authentication tokens and session management. The application stores Supabase session data in localStorage for authenticated sessions and uses an HttpOnly tnt_sandbox cookie for sandbox sessions. Because localStorage is readable by any script running on the origin, the session token is only as safe as the application's defences against script injection, so rendered User Content must be sanitised and a strict Content Security Policy applied; the HttpOnly sandbox cookie, by contrast, is not exposed to page scripts.
Before public launch, TalesNTokens should add or verify:
- account email verification and session revocation controls;
- optional multi-factor authentication where supported;
- device/session management;
- rate limiting for sign-in, invite validation, reporting, uploads, and checkout;
- secure account deletion and export flows;
- protection against account enumeration.
Password Handling
The audited implementation uses passwordless magic-link sign-in. If password login is added later, passwords must be hashed with an industry-standard adaptive hashing algorithm (such as Argon2id, bcrypt, or scrypt) through a trusted authentication provider. TalesNTokens must never store plaintext passwords.
Infrastructure Protections
TalesNTokens uses or plans to use:
- Cloudflare for DNS, edge security, caching, and basic attack mitigation;
- Supabase for database, authentication, and storage;
- Fly.io for real-time WebSocket services;
- Stripe for payment processing;
- Resend for transactional email;
- Nuxt/Nitro server routes and APIs;
- file-size limits and storage quotas for uploads.
Required launch controls include:
- server-side authorization on every room, asset, note, gameboard, character, marketplace, and creator endpoint;
- malware scanning and MIME validation for uploads, checking file content rather than trusting the client-declared type;
- SVG handling restrictions or sanitisation, because SVG files can carry scripts and external references;
- signed URLs for private assets;
- audit logs for account, creator, payment, moderation, and admin actions;
- secrets management and key rotation;
- least-privilege service roles;
- backup restore testing;
- dependency update monitoring;
- logging and alerting for security events.
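The upload controls above (MIME validation against file content, SVG restrictions, size limits) can be illustrated with a server-side check. The following is an added example, not code from TalesNTokens, Nuxt, or Supabase; the function names, the accepted image types, and the 10 MiB limit are assumptions for illustration, and the sample buffers are constructed inline rather than taken from real uploads.

```javascript
// Added example (not TalesNTokens code): validate an upload by its content.
// The declared MIME type and filename come from the client and cannot be
// trusted; the leading bytes of the file decide what it really is.

const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // assumed quota, not the platform's real limit

// Magic-byte signatures for the image types this example assumes are accepted.
const SIGNATURES = [
  { mime: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Extensions allowed for each sniffed type, so the stored object is served
// with a type that agrees with its content.
const ALLOWED_EXT = {
  "image/png": ["png"],
  "image/jpeg": ["jpg", "jpeg"],
  "image/gif": ["gif"],
  "image/webp": ["webp"],
};

// Return the MIME type implied by the file's leading bytes, or null.
function sniffMime(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.mime;
    }
  }
  // WebP is a RIFF container: "RIFF" <size> "WEBP"
  if (buf.length >= 12 &&
      buf.toString("latin1", 0, 4) === "RIFF" &&
      buf.toString("latin1", 8, 12) === "WEBP") {
    return "image/webp";
  }
  return null;
}

// SVG is XML and may embed <script> or external references; detect it from
// the text head so it can be routed to a sanitisation step instead of stored.
function looksLikeSvg(buf) {
  const head = buf.toString("utf8", 0, Math.min(buf.length, 1024)).trimStart();
  return head.startsWith("<svg") || (head.startsWith("<?xml") && head.includes("<svg"));
}

// Decide whether an upload may be stored. Returns { ok, mime } or { ok, reason }.
function validateUpload({ buffer, declaredMime, filename }) {
  if (buffer.length === 0) return { ok: false, reason: "empty file" };
  if (buffer.length > MAX_UPLOAD_BYTES) return { ok: false, reason: "exceeds size limit" };
  if (looksLikeSvg(buffer)) return { ok: false, reason: "svg requires sanitisation pipeline" };

  const actual = sniffMime(buffer);
  if (actual === null) return { ok: false, reason: "unrecognised file type" };
  if (actual !== declaredMime) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${actual}` };
  }

  const ext = filename.toLowerCase().split(".").pop();
  if (!ALLOWED_EXT[actual].includes(ext)) {
    return { ok: false, reason: "extension does not match content" };
  }
  return { ok: true, mime: actual };
}

// Constructed sample inputs (not real uploads).
const SAMPLE_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.alloc(16),
]);
const SAMPLE_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46]);
const SAMPLE_HTML = Buffer.from("<html><script>alert(1)</script></html>");
const SAMPLE_SVG = Buffer.from(
  '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
);
```

Run as a script the functions are available for use in a route handler; the point of the design is that the declared type, the extension, and the sniffed content must all agree before the object is stored, and SVG never reaches storage without a separate sanitisation step.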
Incident Response Process
When TalesNTokens identifies a security incident, it will:
- Triage and classify the incident.
- Contain the issue and prevent further harm.
- Preserve relevant logs and evidence.
- Assess affected data, users, processors, and legal obligations.
- Notify affected processors and payment providers where needed.
- Notify regulators, including the ICO, where a notifiable personal data breach occurs.
- Notify affected users without undue delay where required.
- Remediate the root cause.
- Review lessons learned and update controls.
Where UK GDPR or EU GDPR applies, notifiable personal data breaches must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of awareness.
Vulnerability Reporting Process
Security researchers should email security@talesntokens.com with:
- a summary of the issue;
- affected URL, endpoint, route, or asset;
- reproduction steps;
- potential impact;
- screenshots or logs if safe to share;
- researcher contact details.
Researchers must avoid accessing, modifying, deleting, exfiltrating, or publicly disclosing data. Do not perform denial-of-service testing, spam, phishing, physical attacks, social engineering, or tests against third-party systems.
TalesNTokens aims to acknowledge vulnerability reports within 5 business days and provide status updates for valid issues.
User Obligations
Users must:
- keep email accounts and devices secure;
- report unauthorized access promptly;
- avoid sharing account sessions or magic links;
- avoid uploading malware or exploit payloads;
- avoid probing, scraping, scanning, or attacking the Platform;
- follow responsible disclosure rules.
Platform Obligations
TalesNTokens will:
- maintain reasonable technical and organisational measures;
- use least-privilege access controls;
- protect secrets and service keys;
- patch critical vulnerabilities promptly;
- limit access to personal data to authorised personnel and processors;
- maintain incident response and breach notification procedures;
- review security controls before launch and after major architecture changes.
Contact Procedures
Security reports: security@talesntokens.com
Privacy incidents: privacy@talesntokens.com
Safety emergencies: safety@talesntokens.com
Enforcement Procedures
TalesNTokens may suspend accounts, revoke sessions, block IPs, remove content, disable marketplace listings, quarantine uploads, rotate keys, notify providers, or refer activity to authorities when security abuse is detected.
Appeals Process
Users may appeal security enforcement decisions by contacting appeals@talesntokens.com within 30 days. Appeals should include account email, enforcement notice, relevant IP/device information if known, and an explanation.