transyft
Security
Last updated · 2026-04-26
Note. This page describes the security posture of the marketing site and waitlist. The Transyft product is in private beta — full security and compliance documentation will accompany general availability.
Site & waitlist
- HTTPS only. The site is served over TLS with HSTS enabled.
- Hardened headers. X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy are set on every response.
- Data minimization. The waitlist collects only an email address. IPs are observed transiently for rate limiting and not retained beyond the rate-limit window.
- Rate limiting. Waitlist submissions are limited to 3 per IP per hour to deter abuse.
- Input validation. All emails are validated server-side before being written to storage.
Subprocessors
- Vercel — site and serverless function hosting.
- Notion — waitlist email storage.
- Upstash — Redis-backed rate-limit counters.
Reporting a vulnerability
If you believe you have found a security issue affecting Transyft, please contact us directly — reporting details will be published shortly. In the meantime, do not open a public issue or post the finding to social media until we have had a chance to investigate.
We aim to acknowledge reports within two business days. We do not currently run a paid bug-bounty program, but we are happy to credit researchers in this section once a fix is deployed.
What is in scope
- transyft.com and any subdomain of it.
- The /api/waitlist endpoint.
What is out of scope
- Reports against third-party providers (Vercel, Notion, Upstash) — please report those to the providers directly.
- Theoretical issues without a demonstrated impact.
- Best-practice header recommendations that do not lead to a concrete vulnerability.