C
aiclonechats.com
← Back to home
aiclonechats.com · how we protect you

Security

Last updated · February 11, 2026

Security at AI Clone Chats is treated as a product feature, not a checkbox. Because the service handles identity-style content, voice, and payments, we apply defence-in-depth across the stack — from frontend session handling to atomic credit deduction, signed payment webhooks, and admin observability dashboards.

Reporting a vulnerability
Found a bug that could compromise an account, leak data, or bypass payment? Email admin@aiclonechats.com with the subject line SECURITY. Please give us a reasonable window to remediate before public disclosure. We acknowledge reports within 72 hours and prioritize remediation.

01Account protection

  • Password hashing: bcrypt with a per-user salt and a tuned cost factor. Raw passwords are never logged, persisted, or transmitted to any LLM provider.
  • Session tokens: opaque random strings, rotated on login and logout, validated server-side against a session record on every protected request.
  • Brute-force defence: failed-login attempts are counted per email + IP-hash. Repeated failures trigger temporary lockouts and admin alerts.
  • OAuth: Google sign-in uses the auth-code flow with server-side token exchange and ID-token verification. We never receive your Google password.
  • Password reset: single-use, time-limited tokens; reset emails go via Resend over TLS; the raw token is never logged.
  • Admin access: role-based; sensitive admin endpoints additionally check an explicit admin email allow-list defined in environment variables.

02Secure payments

  • No card storage: we never see, store, or transmit your card number, CVV, UPI PIN, or bank credentials. The payment provider (Cashfree in production) handles all sensitive payment data on PCI-DSS-compliant infrastructure.
  • Signed webhooks: payment confirmations arrive via HTTPS webhooks signed with HMAC-SHA256 keyed on a secret known only to us and the gateway. Webhooks with invalid signatures are rejected and logged.
  • Idempotency & deduplication: credit grants are tied to a unique internal order ID. Duplicate webhook deliveries are detected and suppressed.
  • Atomic deductions: credits are debited from your balance at the moment a generation succeeds, using an atomic database operation. Failed generations auto-refund.
  • Audit trail: every payment, credit grant, deduction, and refund is logged with timestamp, user ID, and provider order ID.

03Data encryption

In transit. All traffic between you and aiclonechats.com is encrypted with TLS 1.2 or higher, with modern cipher suites and HSTS enforcement. Traffic to our payment, email, and AI providers is similarly encrypted end-to-end.

At rest. Our database storage is encrypted at rest via the underlying managed disk infrastructure. Backups are encrypted. Sensitive secret values (API keys, webhook secrets) are stored as environment variables in our deployment platform, never committed to source control.

Hashing. Passwords use bcrypt. IP addresses, where retained for fraud detection, are one-way hashed before long-term storage.

04Uploaded media protection

  • Uploaded images and audio are scanned for size, format, and basic safety signals before storage.
  • Reference media routed to AI providers (e.g. fal.ai for lipsync) is shared only for the duration of the generation and not retained by the provider beyond their operational windows.
  • Access to uploaded media is gated by user ID and clone ownership — random media URLs are not enumerable.
  • You can delete any uploaded media from Privacy Settings or by emailing us.

05Abuse prevention

We run several layers of abuse detection:

SurfaceDefence
AuthBrute-force lockouts, password-reset rate limits, email-verification gate for paid features
LLM promptsSafety classifiers on every prompt; refusals logged to admin safety dashboard
Voice & lipsync uploadsFormat / size / duration limits + content moderation
PaymentsWebhook signature checks, replay protection, duplicate-order suppression
APIPer-user and per-IP-hash rate limiting on hot endpoints
AdminRole-based + email allow-list, every action logged

06Vulnerability reporting

We welcome coordinated disclosure from security researchers. To report:

  1. Email admin@aiclonechats.com with the subject SECURITY.
  2. Include reproduction steps, an estimate of impact, and any logs / screenshots that help us triage.
  3. Do not publish the issue publicly or share it with third parties until we have had a reasonable window to remediate (typically 90 days, shorter for critical issues).
  4. Do not access, modify, or exfiltrate data belonging to other users while testing.

We will acknowledge your report within 72 hours, work with you on fixes, and credit you in our release notes if you wish. We do not currently run a paid bug-bounty program but appreciate responsible reporting and may offer ex-gratia recognition for high-impact reports.

07User safety tips

  • Use a unique, strong password (12+ characters). A password manager is your friend.
  • Prefer "Continue with Google" if you already trust that provider; the auth-code flow keeps your credentials away from us.
  • Never share your session_token from browser storage with anyone — it is equivalent to your password while valid.
  • Verify the URL bar reads https://aiclonechats.com before entering payment information.
  • Only upload media you own or have written consent for. Treat AI-generated voice and avatars as production-grade — disclose them as AI-generated when sharing externally.
  • If you suspect your account has been compromised, log out everywhere via Privacy Settings and email us immediately.

08Contact

Security questions or reports: admin@aiclonechats.com (subject: SECURITY).

Questions, requests, or concerns? Email admin@aiclonechats.com or krajapraveen@aiclonechats.com. For security-only reports, see our Security page.