Security

Security you can trust

Bank-grade security across every product in the ecosystem. Your data, your control.

Two-Factor Authentication

TOTP-based 2FA shared across all products. Set up once, protected everywhere. Rate-limited to prevent brute force.

Session Timeout

Bank-style 15-minute inactivity timeout with 60-second warning. Automatic sign-out protects unattended sessions.

Encryption

AES-256 encryption at rest, TLS 1.3 in transit. TOTP secrets encrypted. Payment data never touches our servers (Stripe handles it).

Role-Based Access

Granular permissions: owner, admin, member, viewer. Role hierarchy prevents privilege escalation. Invites restricted by role level.

Audit Logging

Complete audit trail of authentication events, subscription changes, and admin actions. Ecosystem-wide compliance monitoring.

Infrastructure Security

Google Cloud Run with non-root containers. Secrets in Google Secret Manager. Helmet security headers. Global rate limiting.

Security FAQ

How does MyAndGo protect my account?

MyAndGo uses Firebase Auth for identity, optional TOTP-based 2FA, bank-style session timeouts, role-based access control, and rate limiting on all sensitive endpoints.

Where is my data stored?

All data is stored in Google Cloud's Sydney region (australia-southeast1). See our Australian Data Residency page for details.

Does MyAndGo store credit card details?

No. All payment processing is handled by Stripe. Card numbers, CVVs, and expiry dates never touch our servers.

Has MyAndGo been security audited?

Yes. MyAndGo undergoes regular security audits covering authentication, authorisation, input validation, secrets management, rate limiting, and infrastructure configuration.

Secure by default

Every account is protected from day one. No security add-ons required.

Get Started