The practical security measures behind WarrantySafe.

Passwords

Passwords are never stored in readable form. They are hashed using PBKDF2-SHA256 with a unique random salt and 120,000 iterations.

Sessions

Logged-in sessions use a cryptographically signed cookie. In production, the cookie is marked `Secure`; it is `HttpOnly`, expires after 30 days, and is rejected if it is forged, tampered with, or expired.

Uploaded files

Uploaded bills, warranty cards, and product photos are stored on a private server and are served only through authenticated routes tied to the owning account.

• Files are not stored in a publicly accessible bucket.
• Another user cannot retrieve your files by guessing a URL.
• Files are removed when you delete the associated product or account record.

Data in transit

Communication between browser and server is intended to run over HTTPS in production. Data sent to the external AI extraction provider is also transmitted over HTTPS.

AI processing

When you use the photo-capture flow, the submitted image may be sent to an external AI API for structured extraction. That is the main point where image data leaves the WarrantySafe server.

What we do not do

• We do not use third-party analytics scripts.
• We do not load advertising code.
• We do not store passwords in plain text or reversible form.
• We do not expose a public admin view for browsing user content.

Reporting a vulnerability

If you discover a security issue, report it responsibly to sales@qubixvirtual.in with the subject line Security Vulnerability. We aim to acknowledge valid reports within 72 hours.