Last updated March 2, 2026

Security

We take reasonable technical and organisational measures to protect your wedding planning data. This page summarises our current security practices based on how the product is built today.

Encryption and Tokens

  • Session tokens are stored as hashes, not raw tokens.
  • Invite links use token checks to protect access.
  • Sensitive secrets (API keys, signing keys) are stored in environment variables.

Access Controls

  • Authenticated sessions are required for administrative routes.
  • Session cookies are configured with secure settings in production.
  • Wedding data access is scoped by membership and role.
  • Public RSVP and invite links are protected by token checks.

Data Handling

  • Uploads are limited to image types and file size thresholds.
  • Deleted records are soft-deleted for wedding data and files.

Monitoring and Logging

  • Email delivery events are logged for operational visibility.
  • Performance monitoring and analytics may be enabled in production.

Third-Party Security

We rely on third-party providers for core service functions such as hosting, email delivery, storage, analytics, and authentication. They operate their own security programmes and controls.

Incident Reporting

Report suspected security issues to amorly.weddings@gmail.com. We will acknowledge reports and work to resolve issues promptly.

Vulnerability Disclosure

Please provide detailed steps to reproduce vulnerabilities and avoid accessing or modifying user data without permission. We do not currently operate a public bug bounty programme.

Backups and Recovery

We rely on our infrastructure providers’ resilience features and continue to review our recovery processes as the product evolves.
