Section 1
Our Commitment
At WeblyChat, protecting our clients' data is a core responsibility — not an afterthought. We are a small, focused team and we take a pragmatic, defence-in-depth approach to security: using reputable managed infrastructure, keeping our attack surface small, and applying the principle of least privilege throughout the stack.
This page describes the technical and organisational measures we have in place to keep the WeblyChat service and your data secure. If you discover a vulnerability or have a security concern, please see Section 6 (Vulnerability Disclosure).
Section 2
Infrastructure Security
Cloudflare
The WeblyChat marketing website and client account portal are hosted on Cloudflare Pages. All traffic is served through Cloudflare's global network, which provides automatic DDoS mitigation, Web Application Firewall (WAF) protection, and TLS termination.
API and backend
The backend API is deployed on managed cloud infrastructure with automatic scaling and no persistent public-facing SSH access. All deployments are automated and do not require manual server logins. Access to production infrastructure is restricted to authorised personnel only and requires strong authentication.
Network isolation
Database and internal services are not exposed to the public internet. Internal communication between services takes place over private networks. Firewall rules are kept as restrictive as possible and reviewed regularly.
Section 3
Data Encryption
In transit
All communications between your browser and the WeblyChat service are encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints; plain HTTP requests are redirected to HTTPS. We use HSTS (HTTP Strict Transport Security) headers to instruct browsers to always connect securely.
At rest
Data stored in our database is encrypted at rest using the encryption capabilities provided by the underlying managed database service. Backups are also encrypted.
Session tokens
Session tokens are randomly generated strings stored only in your browser's localStorage. They are transmitted over TLS and are never logged or stored in plain text in our databases. Tokens expire automatically after 7 days.
Section 4
Authentication and Access Control
User authentication
WeblyChat uses Google OAuth 2.0 as its sole sign-in method. We do not store passwords. Authentication is delegated entirely to Google, which means your credentials are never transmitted to or stored by WeblyChat. We receive only your name and email address from Google after a successful authentication.
API authorisation
Every request to the WeblyChat API must include a valid session token. Tokens are validated on each request. Requests without a valid token are rejected with a 401 response. There is no way to access another user's data through the API.
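The token handling described under "Session tokens" (Section 3) and "API authorisation" above can be implemented as follows. This is an added example, not WeblyChat's code; it assumes an in-memory session store, SHA-256 digests of tokens at rest (so the database never holds a usable token), and the 7-day lifetime the page states.

```python
"""Opaque session tokens: random value to the client, digest only on the server,
7-day expiry, 401 on anything invalid. Added example; the store is constructed."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 7 * 24 * 60 * 60  # 7-day lifetime, as stated on the page

# Constructed in-memory "database": digest -> (user_id, expires_at).
# The raw token is never written here, so a leaked table yields no valid session.
_sessions: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def log_safe(token: str) -> str:
    """Identifier for logs: a digest prefix, never the token itself."""
    return _digest(token)[:8]


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a session for user_id and return the raw token to hand to the client."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe text
    _sessions[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(token: Optional[str], now: Optional[float] = None) -> Tuple[int, Optional[str]]:
    """Validate the token presented on a request. Returns (http_status, user_id)."""
    now = time.time() if now is None else now
    if not token:
        return 401, None
    digest = _digest(token)
    record = _sessions.get(digest)
    if record is None:
        return 401, None
    user_id, expires_at = record
    if now >= expires_at:
        _sessions.pop(digest, None)  # expired: remove so it can never be reused
        return 401, None
    return 200, user_id
```

Because the lookup key is the one-way digest, an attacker who reads the store still cannot present a token that hashes to it; the 401 path is identical for missing, unknown and expired tokens.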
Internal access
Access to production systems, databases, and customer data is restricted to authorised personnel on a need-to-know basis. We follow the principle of least privilege: each team member and each service component is granted only the minimum permissions required to perform its function.
Section 5
Application Security
Secure development practices
We follow secure coding practices in our development process. Dependencies are kept up to date and reviewed for known vulnerabilities. We use automated tooling to flag potential security issues during development.
Input handling
All user-supplied input is validated and sanitised before use. We protect against common web vulnerabilities including cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF).
Security headers
The WeblyChat website sets the following security-related HTTP response headers on all pages:
- Strict-Transport-Security — enforces HTTPS for future visits
- X-Content-Type-Options: nosniff — prevents MIME-type sniffing
- X-Frame-Options: DENY — prevents clickjacking via iframes
- Referrer-Policy: strict-origin-when-cross-origin — limits referrer information sent to third parties
- Permissions-Policy — restricts access to browser features not used by the service
Third-party dependencies
We minimise our use of third-party scripts and libraries on the marketing website. Fonts are self-hosted; no third-party tracking or advertising scripts are loaded. This reduces the supply-chain risk to our visitors.
Section 6
Vulnerability Disclosure
We operate a responsible disclosure policy. We ask that you:
- Report the vulnerability to us privately before disclosing it publicly, giving us a reasonable time to investigate and remediate (we ask for at least 30 days).
- Do not access, modify, or delete data belonging to other users.
- Do not perform denial-of-service attacks or any action that could disrupt the service for other users.
- Do not use automated scanning tools against our production infrastructure without prior agreement.
To report a security concern, please use our dedicated security reporting page:
Alternatively, you can email us directly at hola@weblychat.eu with the subject line "Security Vulnerability Report". Please include a clear description of the issue, the steps to reproduce it, and the potential impact.
We do not currently offer a bug bounty programme, but we do acknowledge good-faith security researchers and appreciate responsible disclosure.
Section 7
Incident Response
In the event of a confirmed security incident that affects personal data, we follow our internal incident response procedure:
- Contain: Isolate the affected system or vector as quickly as possible to prevent further exposure.
- Assess: Determine the scope of the incident — what data was affected, how many users, and the likely cause.
- Remediate: Fix the underlying vulnerability and verify the fix.
- Notify: Where required by the GDPR, notify the Spanish Data Protection Authority (AEPD) within 72 hours of becoming aware of a personal data breach. Affected users will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Review: Conduct a post-incident review to understand root causes and prevent recurrence.
We maintain logs sufficient to support incident investigation. Server logs are retained for up to 30 days as described in our Privacy Policy.
Section 8
Contact
For security-related questions, vulnerability reports, or any concerns about the security of the WeblyChat service, please contact us:
- Email: hola@weblychat.eu
- Security report form: report-security.html