SECURITY
Security Whitepaper
ViaLink is built with data protection and privacy as the top priority. Security is guaranteed end to end — in transit, at rest, and during processing.
Encryption in Transit
TLS 1.3
All API traffic and SDK data transfers are encrypted with TLS 1.3. Anything below TLS 1.2 is rejected.
HTTPS Enforced
Every endpoint accepts HTTPS only, and HTTP requests are redirected with a 301.
Authentication & Access Control
API Key Authentication
Every API call is authenticated with a per-app API Key. Keys are stored hashed with bcrypt and are never exposed in plaintext.
Rate Limiting
Per-IP and per-API-Key request limits block brute-force and DDoS attacks.
CORS Policy
An Origin-based CORS policy ensures that only allowed domains can access the API.
Data Protection
Password Hashing
User passwords are hashed and stored with bcrypt (cost factor 12). Plaintext storage is never used.
Sensitive Data Encryption
Sensitive information such as API Keys and tokens is encrypted at rest with AES-256-GCM.
Data Isolation
In a multi-app environment, data is fully and logically isolated between apps.
Fingerprint Privacy
De-identified Processing
A fingerprint is a hash combining IP, OS, device model, resolution, and more — it cannot identify an individual.
Automatic Expiry (72h TTL)
Fingerprint data is kept in Redis for only 72 hours and is automatically deleted afterward.
Optional IDFA/GAID Collection
Advertising identifiers are collected only with user consent and are used solely for deterministic matching.
Infrastructure Security
Container Isolation
Every service runs in a Docker container under the principle of least privilege.
Network Segmentation
Internal services (DB, Redis) run on a private network with external access blocked.
Automated Monitoring
Health-check failures and abnormal traffic trigger real-time alerts for immediate response.
Logging & Auditing
API Request Logging
Every API call is logged with request/response metadata (excluding payload bodies).
Access History Tracking
Audit logs are kept for key actions such as dashboard logins and link create/update/delete operations.
Log Retention
Audit logs are retained for at least 90 days and can be extended to meet compliance requirements.
Security Inquiries
If you have discovered a security vulnerability or have a security-related question, please reach out below.
help@aresjoy.com