Security
Otack Pages — operated by Goup Space Sp. z o. o.
Effective date: 2026-05-29
1. Scope
This statement summarises the technical and organisational measures Goup Space Sp. z o. o. applies to protect data processed via the Platform, in line with GDPR Art. 32. Contact: info@otack.eu. Related documents: Privacy Policy, Data Processing Agreement.
2. Encryption in transit
All traffic between the User's browser and the Platform is encrypted via HTTPS / TLS (TLS 1.2 or higher). The session cookie WGSESS_{port} is set with Secure (HTTPS-only), HttpOnly (not accessible from JavaScript), and SameSite=Lax (CSRF mitigation).
3. AI keys
The User's API key is encrypted in the browser using PBKDF2 + AES-256-GCM (Web Crypto API). The encryption password never reaches the Operator. The encrypted blob is stored in users.ai_keys_blob (Account mode) or browser localStorage (File mode); the Operator cannot decrypt either.
When the User makes an AI request, the key is decrypted in the browser and transmitted over TLS in the X-AI-API-Key header. It is held in PHP memory only for the duration of that single request, then discarded. It is never persisted in readable form and never logged.
For asynchronous generation jobs, the key is re-encrypted with AES-256-GCM (JobEncryptor) before being placed on the Redis queue and is erased after the worker processes the job.
Limitation: the key passes through the Operator's server in memory for the duration of one request. This is not a zero-knowledge architecture. The Operator guarantees the key is never stored in readable form and never logged.
4. Passwords
Passwords are never stored in plaintext. They are hashed using bcrypt (PASSWORD_BCRYPT via PHP's password_hash()) with a per-password salt. Password-reset and e-mail verification tokens are random, single-use, and expire after a short window.
5. Access control
User authentication (users table) and administrative authentication (admins table) are fully separated. Administrative actions are written to an immutable audit log (admin_audit_log) recording the acting admin, action, entity, and state change. Rate limiting is enforced on all authentication endpoints to mitigate brute-force attempts.
6. CSRF protection
All state-changing HTTP requests are protected by anti-CSRF middleware validating a 32-byte random token bound to the User's session.
7. Queue payload encryption
Sensitive fields in Redis job queue payloads (AI keys, SFTP credentials) are encrypted with AES-256-GCM (JobEncryptor) using a random per-payload IV and AEAD tag. Sensitive fields are stripped from any job moved to the dead-letter queue.
8. Payment data
Card data (PAN, expiry, CVV) is collected and processed exclusively by Stripe Payments Europe Ltd. The Operator never receives or stores card data. Only reconciliation metadata is retained (order reference, amount, currency, status, buyer e-mail).
9. Backups, monitoring and incident response
Regular database backups are performed to enable recovery from data loss or corruption. Specific RTO/RPO targets are not published. Application and infrastructure logs are monitored for security events.
In the event of a personal data breach the Operator notifies the supervisory authority (PUODO) within 72 hours where required by GDPR Art. 33, and notifies affected data subjects without undue delay where required by Art. 34.
10. User responsibilities
- Keep your account password confidential and use a strong, unique password.
- Protect your AI-keys encryption password — the Operator cannot recover it.
- Configure your Generated Sites with appropriate security (privacy notice, cookie banner, HTTPS).
To report a security concern: info@otack.eu.
The English version is the master version. In case of any conflict between translations, the English version prevails, subject to mandatory provisions of the law applicable to the User's place of residence.
Goup Space Sp. z o. o. · ul. Hoża 86/210, 00-682 Warszawa · KRS: 0000932799 · info@otack.eu · /security