Security & Compliance

Last updated: 1 June 2025

Security is not an afterthought at Visidaily. Here is what we do to protect your account and your data.

Data in transit

All connections to Visidaily are encrypted with TLS 1.2 or higher. We enforce HTTPS on every endpoint and redirect all HTTP traffic. Our TLS certificates are managed and auto-renewed.

Data at rest

Screenshots and check data are stored with encryption at rest. Database backups are encrypted. Access to production infrastructure is restricted to authorised personnel only.

Authentication

  • Passwords are hashed with bcrypt before storage. We never store or log plaintext passwords.
  • Sessions use signed, short-lived JWTs. Tokens are invalidated on logout and password change.
  • Team invites use single-use signed tokens that expire after 48 hours.

Access control

Every API endpoint enforces authentication. Data is scoped per user — you can only access sites, pages, and checks that belong to your account or accounts you have been explicitly invited to.

We apply the principle of least privilege to internal system access. Infrastructure credentials are rotated regularly.

Screenshot isolation

Each screenshot job runs in an isolated Chromium process. Browser instances do not share cookies, storage, or network state between jobs or between users.

Screenshots are stored with non-guessable keys and are only accessible via authenticated API calls. Direct access to storage URLs requires authentication.

Dependency management

We monitor dependencies for known vulnerabilities using automated tooling. Critical security updates are applied promptly. Our screenshot engine is kept current with upstream Chromium releases.

Data retention and deletion

Screenshots are automatically deleted after 14 days. When you delete a site, page or individual check, the associated screenshot files are deleted from storage immediately — not just the database record.

On account deletion, all associated data is removed within 30 days.

Incident response

In the event of a data breach that affects your personal data, we will notify affected users within 72 hours of becoming aware of the incident, as required by applicable data protection law.

What we do not do

  • We do not store credit card numbers or full payment details.
  • We do not use tracking pixels or third-party analytics on the dashboard.
  • We do not share your screenshot data with third parties.
  • We do not retain logs containing personal data beyond what is necessary for operations.

Reporting a vulnerability

If you discover a security vulnerability, please email security@visidaily.com before disclosing publicly. We commit to acknowledging your report within 48 hours and resolving confirmed vulnerabilities within 30 days. We do not pursue legal action against good-faith security researchers.

Questions

Security questions: security@visidaily.com

See also: Privacy Policy