Security
Last updated: April 2026
Transport
All traffic to VerseIQ is served over HTTPS with TLS 1.2+. API requests to Spotify and other partners are made over secure channels; we do not relay traffic in the clear.
Data at rest
Account credentials are hashed with bcrypt. Session tokens are stored in cookies set with the HttpOnly and Secure attributes and scoped to the application domain. Operational databases live on a private network and are not exposed publicly.
Access control
Internal admin tooling is gated behind authenticated sessions and HTTP Basic authentication at the edge. Production credentials are rotated and never committed to source control.
Third-party scope
VerseIQ uses the Spotify Web API with the minimum scopes required to perform catalog analysis. We do not request or store private listening history.
Reporting a vulnerability
If you believe you have found a security issue, please email security@useverseiq.com. We aim to acknowledge reports within two business days and will work with researchers to remediate valid findings.