Security Policy

Last updated May 07, 2026

1. Introduction

Layzer is committed to protecting the security of our users' data and our platform. This Security Policy outlines our practices and procedures for maintaining security, and how to report security issues to us.

2. Reporting Security Issues

We welcome security researchers, ethical hackers, and technology enthusiasts to participate in our responsible disclosure programme. We provide safe harbour for security testing conducted in good faith and may offer recognition for vulnerability discoveries based on severity and potential impact.

If you discover a security vulnerability, please report it immediately to security@layzer.ai. Include:

  • A detailed description of the vulnerability
  • Clear steps to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code
  • An assessment of the potential impact
  • Your contact information for follow-up

We commit to:

  • Acknowledging receipt within 1 business day
  • Working with you to validate and resolve the issue
  • Giving appropriate credit if desired

We value the security community's contributions in keeping Layzer secure. All legitimate reports will be investigated and addressed with appropriate urgency.

3. Our Security Practices

3.1. Data Protection

  • All data is encrypted in transit using TLS (HTTPS)
  • We collect only the personal information necessary to provide the Services, adhering to data minimisation principles
  • User data is stored with appropriate access controls in our database (PlanetScale) and file storage (Cloudflare R2)
  • Sensitive credentials (such as API keys for user-registered MCP servers) are encrypted at rest

3.2. Authentication

  • Authentication is provided through OAuth-based social sign-in (Google, GitHub, Discord, and others) and email/password flows, implemented with Better Auth
  • Two-factor authentication (2FA) is supported for accounts that opt into it
  • Sessions expire after a set period and session tokens are rotated rather than remaining valid indefinitely

3.3. AI Provider Communication

  • Communication with third-party AI providers (OpenAI, Anthropic, Google, and others) is encrypted in transit
  • We do not retain copies of AI provider credentials beyond what is required to call their APIs
  • See our Privacy Policy for details on what content is sent to AI providers and how those providers handle it

3.4. Infrastructure

  • Regular security updates to our application code and dependencies
  • Monitoring for suspicious activity, abuse of AI features, and other anomalies
  • Security-focused providers for hosting (Vercel), database (PlanetScale), and storage (Cloudflare R2)

4. User Responsibilities

To help maintain the security of your account:

  • Use authentication providers you trust (Google, GitHub, Discord, etc.)
  • Keep your authentication provider account secure with a strong password and 2FA enabled
  • Enable 2FA on your Layzer account if you sign in with email and password
  • Never share your active Layzer session with others
  • Avoid submitting confidential, regulated, or sensitive content to the Services (see our Terms of Service)
  • Report suspicious activity to security@layzer.ai immediately

5. Updates to This Policy

We may update this Security Policy from time to time. When we do, we will update the "Last updated" date at the top of this page.