SECURITY

How we keep things safe.

Encryption, infrastructure, and how to report a vulnerability.

Last updated June 30, 2026

Security at Xaron

Xaron is a privacy-focused gaming community platform, and security is not a feature we bolted on — it is a design constraint we build every system against. Our guiding principle is that we should not be able to access what we don't need: your private conversations and calls are end-to-end encrypted so that even we cannot read or hear them, the data we do hold is encrypted and minimized, and the platform itself is built on a memory-safe foundation.

Xaron LLC is a Delaware company. Our security contact is security@xaron.co.

End-to-end encryption

Direct messages — both 1:1 and group — and DM voice and video calls are end-to-end encrypted using MLS (Messaging Layer Security), a modern group-messaging encryption protocol. Encryption keys are derived on your own devices. They are never issued by, transmitted to, or visible to Xaron's servers, which means Xaron cannot read your direct messages or hear your DM calls — encrypted content passes through our infrastructure without ever being decryptable by us.

For direct messages, an optional Ghost Mode goes a step further: those conversations are not stored at all. The encryption is what keeps your messages private; Ghost Mode means there is no message history retained on our side to begin with.

Encryption at rest

Community channels work differently from direct messages by design, because community owners need to be able to moderate their spaces. Community channel messages are therefore not end-to-end encrypted — but they are never stored as plaintext either. Each channel's messages are encrypted at rest with a per-channel key, so the content is unreadable in storage while remaining moderatable by the community's owners.

Those per-channel keys are themselves protected with envelope encryption: each key is wrapped by a separate master key that is deliberately kept out of the database. As a result, a database dump on its own cannot decrypt community messages — an attacker would also need the master key, which does not live alongside the data.

Authentication & accounts

  • Sign-in is handled through Google OAuth. Optional Steam linking is link-only — Xaron never sees or stores a Steam password.
  • Two-factor authentication (TOTP) is supported, along with backup codes so you retain access if you lose your authenticator device.
  • Session tokens use the PASETO standard. Refresh tokens are stored only as Argon2 hashes, never in the clear — even a database compromise does not expose usable refresh tokens.
  • You can review and revoke your active sessions and devices at any time. Sign-ins from a new device or new location trigger an email alert, so unexpected access does not go unnoticed.
  • Session cookies are set with the HttpOnly and Secure flags, and cross-site request protections — SameSite cookie attributes plus an Origin allowlist on state-changing requests — guard against cross-site request forgery.

Transport security

All traffic between your client and Xaron's servers is protected with modern TLS. Real-time communication — messaging and voice/video signaling — runs over WebTransport (QUIC), which provides encrypted, low-latency transport for the live features that make the platform responsive.

Platform hardening

  • Xaron's codebase is written in Rust, a memory-safe language that eliminates entire classes of vulnerabilities — such as buffer overflows and use-after-free bugs — at the language level.
  • Rate limiting is applied to authentication, messaging, uploads, and other sensitive endpoints to resist brute-force attempts and abuse.
  • The application serves a strict Content Security Policy along with related response-hardening headers to reduce the impact of injection and content-based attacks.
  • Secrets are kept out of source control and are rotated; production secrets exist only within the deployment environment, never in the codebase.
  • Dependencies are audited for known vulnerabilities as part of our release process.

Data minimization

We hold less so there is less to expose. Security logs that capture IP addresses and user-agent strings are automatically erased after approximately 90 days. When you delete your account, your data is anonymized and purged after 30 days. Collecting and retaining only what we need is part of how we limit the consequences of any incident.

Payment security

Card payments are processed by Stripe. Xaron never stores full card numbers — card data is captured and handled entirely within Stripe's PCI-DSS-compliant environment, so sensitive payment details never touch our servers.

Responsible disclosure

We welcome reports from security researchers and treat them as a vital part of keeping Xaron safe. If you believe you have found a vulnerability, please email security@xaron.co. To help us reproduce and fix issues quickly, include clear reproduction steps, the affected component or endpoint, and an assessment of the potential impact.

Safe harbor. We will not pursue legal action against researchers for good-faith, non-disruptive research, provided you:

  • Respect user privacy — do not access, modify, delete, or exfiltrate data belonging to other users beyond the minimum necessary to demonstrate a vulnerability.
  • Give Xaron a reasonable opportunity to investigate and remediate before disclosing an issue publicly.
  • Avoid any testing that degrades, disrupts, or denies service to others.
  • Do not engage in social engineering of Xaron staff or users, and do not attempt physical attacks.

Activity that stays within these guidelines is considered authorized, and we will work with you in good faith. Xaron does not currently operate a paid bug-bounty program, but we are genuinely grateful to researchers who help us improve and — with your permission — are happy to publicly credit you for valid reports.

No system is perfect

We work hard to protect your account and your data, and we are continually improving our defenses — but no platform can promise absolute security. We encourage you to use a strong, unique account and to enable two-factor authentication, and we commit to responding promptly and transparently if a security issue affects you.