Security
At NeonNeuron Technologies Ltd., security is foundational to everything we build. This page describes the security measures, practices, and infrastructure we employ to protect your workspace data, communications, and account integrity on the NeonNeuron platform.
01 Authentication & Access
NeonNeuron uses Firebase Authentication to provide a secure, battle-tested authentication layer for all user accounts.
- User passwords are securely hashed using industry-standard algorithms managed by Firebase Auth; plaintext passwords are never stored
- Email verification via OTP (One-Time Password) is required during registration to confirm account ownership
- OTP codes are time-limited and automatically invalidated after use or expiry to prevent replay attacks
- JWTs (JSON Web Tokens) are issued upon successful authentication and validated on every protected request
- Session tokens are securely stored in the browser and automatically refreshed by Firebase Auth
- Failed login attempts are monitored and rate-limited by Firebase to prevent brute-force attacks
- Users can sign out from their account at any time, immediately invalidating their active session
02 Data Encryption
All data handled by NeonNeuron is protected by encryption at multiple levels.
- In Transit: All communication between your browser and the NeonNeuron platform is encrypted using TLS 1.2+ (HTTPS). No unencrypted HTTP connections are permitted.
- At Rest: Data stored in Google Cloud Firestore is encrypted at rest using Google-managed encryption keys with AES-256 encryption.
- Authentication Tokens: JWTs are cryptographically signed to prevent tampering and unauthorized access.
- OTP Codes: Verification codes are transmitted over encrypted email channels and stored with expiration timestamps in Firestore.
03 Infrastructure
NeonNeuron is built on trusted, enterprise-grade cloud infrastructure.
- Hosting: The platform is hosted on Vercel, which provides automatic HTTPS, DDoS protection, and global CDN distribution for fast and secure access worldwide.
- Database: Google Cloud Firestore serves as the primary data store, benefiting from Google Cloud's SOC 2, ISO 27001, and GDPR-compliant infrastructure.
- Authentication: Firebase Auth runs on Google Cloud infrastructure with high availability, automatic scaling, and built-in security features.
- Email Delivery: EmailJS is used for transactional email delivery (OTP codes, invitations) over secure connections.
- All infrastructure components are regularly updated and patched by their respective providers to address known vulnerabilities.
04 Role-Based Access Control
NeonNeuron enforces a strict three-tier role-based access control (RBAC) system across all workspaces.
- Admin: Full control over the workspace, including managing teams, projects, channels, members, roles, invites, workspace settings, data export, and analytics. The workspace creator is automatically assigned the Admin role.
- Manager: Can manage team members, create and edit projects and channels, schedule events, and view team data. Cannot delete the workspace, manage billing, or change workspace-level settings.
- Member: Can participate in assigned channels, send messages, view project progress, and access team information. Cannot create or manage teams, projects, or channels.
Role assignments are managed by Admins and enforced both at the application layer and in Firestore security rules to prevent privilege escalation.
05 Message Security
Messages within NeonNeuron channels are protected by multiple security measures and automatic lifecycle management.
- All messages are transmitted over encrypted HTTPS connections in real time
- Messages are stored in Firestore with workspace-level and channel-level access controls
- Only authenticated users with the appropriate role and workspace membership can read or send messages in a channel
- Messages from Member-role users auto-expire after 7 days; messages from Admin and Manager-role users auto-expire after 10 days
- Expired messages are permanently deleted from the database and cannot be recovered
- Message auto-expiry ensures that sensitive communications do not persist indefinitely, reducing the risk of data exposure
06 Invite Security
The NeonNeuron invite system is designed with multiple layers of security to prevent unauthorized access to workspaces and teams.
- Workspace invitations are sent via email using EmailJS and contain time-limited invite links
- Each team has a unique team password that invitees must enter to join, providing a second verification layer beyond the invite link
- Invite links expire after a defined period and cannot be reused once accepted or expired
- Only Admin and Manager-role users can send workspace invitations
- Admins can revoke pending invitations at any time before they are accepted
- The invite system logs all invitation activities for audit purposes
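The invite rules listed above, modelled as an added example (not NeonNeuron's own code): a time-limited, single-use, revocable invite whose acceptance also requires the team password, with every outcome written to an audit log. The class name, the in-memory store, the 48-hour lifetime and the PBKDF2 parameters are assumptions; the page only states that links expire "after a defined period".

```python
import hashlib, hmac, secrets, time

INVITE_TTL = 48 * 3600          # assumed; the page only says "a defined period"
SENDER_ROLES = {"admin", "manager"}

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _key(token):
    # Store only a digest of the link token, so a leaked record is not a usable link.
    return hashlib.sha256(token.encode()).hexdigest()

class InviteService:            # hypothetical name; one instance per team
    def __init__(self, team_password, clock=time.time):
        self.clock, self.salt = clock, secrets.token_bytes(16)
        self.pw = _pw_hash(team_password, self.salt)
        self.invites, self.audit = {}, []

    def _log(self, event, email):
        self.audit.append((self.clock(), event, email))

    def send(self, sender_role, email):
        if sender_role not in SENDER_ROLES:
            self._log("send_denied", email)
            raise PermissionError("only Admin or Manager may invite")
        token = secrets.token_urlsafe(32)
        self.invites[_key(token)] = {"email": email, "state": "pending",
                                     "expires": self.clock() + INVITE_TTL}
        self._log("sent", email)
        return token

    def revoke(self, actor_role, token):
        inv = self.invites.get(_key(token))
        if actor_role != "admin" or not inv or inv["state"] != "pending":
            return False
        inv["state"] = "revoked"
        self._log("revoked", inv["email"])
        return True

    def accept(self, token, team_password):
        inv = self.invites.get(_key(token))
        if inv is None:
            return "unknown"
        if inv["state"] == "pending" and self.clock() >= inv["expires"]:
            inv["state"] = "expired"
        if inv["state"] != "pending":
            result = "rejected_" + inv["state"]   # accepted, revoked or expired
        elif not hmac.compare_digest(_pw_hash(team_password, self.salt), self.pw):
            result = "wrong_password"             # link stays pending
        else:
            inv["state"], result = "accepted", "joined"
        self._log(result, inv["email"])
        return result
```

The state check runs before the password check, so a spent, revoked or expired link never reveals whether a guessed team password was correct.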
07 Data Isolation
NeonNeuron operates as a multi-tenant platform with strict data isolation between workspaces.
- Each workspace's data (teams, projects, channels, messages, members) is logically isolated in Firestore using workspace-specific document paths
- Firestore security rules ensure that users can only access data within workspaces they are members of
- Cross-workspace data access is strictly prohibited at the database level
- Admin users of one workspace cannot view, modify, or access any data belonging to another workspace
- Account deletion triggers complete removal of all workspace data owned by that account, with no residual data remaining in other workspaces
08 Incident Response
NeonNeuron maintains an incident response process to address security events promptly and transparently.
- Security incidents are investigated immediately upon detection or report
- Affected users will be notified via email within 72 hours of confirming a data breach that impacts their personal information
- Compromised accounts will be temporarily suspended to prevent further unauthorized access
- Post-incident analysis is conducted to identify root causes and implement preventive measures
- Relevant regulatory authorities will be notified as required by applicable law
- Incident reports and remediation steps are documented internally for compliance and audit purposes
09 Responsible Disclosure
We value the security research community and encourage responsible disclosure of any vulnerabilities discovered in the NeonNeuron platform.
- If you discover a security vulnerability, please report it to admin@neonneuron.online with the subject line "Security Vulnerability Report"
- Include a detailed description of the vulnerability, steps to reproduce, and potential impact
- Do not publicly disclose the vulnerability until we have had reasonable time to investigate and remediate
- Do not exploit the vulnerability to access, modify, or delete data belonging to other users
- We will acknowledge receipt of your report within 3 business days and provide an estimated timeline for resolution
- We appreciate and recognize the efforts of security researchers who help us keep the platform safe
10 Contact Information
For security-related questions, concerns, or to report a vulnerability, please contact us: