Security

How we protect your data and how to report security issues responsibly.

Responsible Disclosure Policy

We take security seriously. If you discover a vulnerability, we encourage you to report it so we can fix it quickly.

Report to:

[email protected]

We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days.

Scope:

In scope: *.goldy.ro (all subdomains and services)

Out of scope: Social engineering, physical attacks, denial of service, attacks on third-party services

🛡️ Safe Harbor: We will not take legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.

Security Measures

Encryption in Transit

All connections use TLS 1.3. HSTS is enforced with a maximum age of 2 years, including subdomains.

Encryption at Rest

Personal data (email addresses) is encrypted at rest using AES-256-GCM with per-record initialisation vectors.

Password Security

Passwords are hashed with bcrypt (12 rounds). We never store or log plaintext passwords.

Session Security

Sessions are bound to IP address and user agent. JWT tokens are signed with HS256.

Rate Limiting

All authentication endpoints are rate-limited. Brute force protection is active on login, registration, and password reset.

Content Security Policy

A strict CSP with nonce-based script loading prevents cross-site scripting (XSS) attacks.

Data Minimisation

We collect only the data necessary to provide the service. Pupils can use games without any account.

No Tracking

No third-party tracking cookies, no advertising pixels, no analytics profiles. Your activity is yours.

Your Data Rights (GDPR)

As a data controller based in the European Union (Romania), we comply with the General Data Protection Regulation (EU 2016/679).

  • Right of access - request a copy of your personal data
  • Right to rectification - correct inaccurate data
  • Right to erasure - delete your account and all associated data
  • Right to data portability - receive your data in a structured format
  • Right to restriction - limit how we process your data
  • Right to object - object to processing based on legitimate interest

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP).

Security Contact

For general questions, use our contact page. For security-specific issues, email us directly.
