Security and Authentication

Last updated: 2026-02-19

Quick Summary

ResponseIQ takes security seriously at every layer. Your account is protected by JWT-based authentication, passwords are hashed with bcrypt, all data is transmitted over HTTPS, and strict data isolation ensures that no account can ever access another account's data.

JWT Authentication

When you log in to ResponseIQ, the server verifies your credentials and issues a JSON Web Token (JWT). This token is included in every subsequent request to authenticate your identity and authorize access to your account's resources. JWTs are cryptographically signed, so the server detects and rejects any token that has been altered or that it did not issue.

Tokens have a limited lifespan and expire after a set period. When a token expires, the application automatically obtains a new one using a secure refresh mechanism. This means you stay logged in during active sessions without compromising security.

Note

If you suspect unauthorized access to your account, change your password immediately. This invalidates all existing sessions and tokens, requiring anyone using your account to re-authenticate.

Password Security with bcrypt

Your password is never stored in plain text. When you create or change your password, it is hashed using bcrypt — an industry-standard algorithm specifically designed for password storage. Bcrypt applies a computationally expensive hashing process with a unique salt for each password, making it extremely resistant to brute-force attacks and rainbow table lookups.

Because the hashing is one-way, not even ResponseIQ's own systems can retrieve your original password. If you forget your password, the only option is to reset it through the secure password reset flow, which sends a time-limited link to your registered email address.

HTTPS Encryption in Transit

All communication between your browser and ResponseIQ's servers is encrypted using HTTPS (TLS 1.2+). This applies to every page load, API call, login attempt, and data transfer. HTTPS ensures that data cannot be intercepted, read, or modified by anyone between your device and our servers — including your ISP, network administrators, or attackers on public Wi-Fi networks.

  • TLS certificates are maintained and renewed automatically to prevent expiration.
  • HTTP Strict Transport Security (HSTS) headers ensure browsers always use HTTPS, even if an HTTP URL is entered.
  • API endpoints reject non-HTTPS connections entirely.
  • Sensitive headers and tokens are never transmitted in URL parameters.

Data Isolation Between Accounts

ResponseIQ uses strict data isolation to ensure that each account's data is completely separate from every other account. Database queries are scoped to the authenticated user's account ID at the application level, and additional database-level constraints prevent cross-account data access even in the event of a software bug.

  • Every database record is associated with a specific account ID.
  • All queries include the authenticated user's account ID as a mandatory filter.
  • Team members within the same organization share access according to their role permissions, but cannot access data from other organizations.
  • Data exports only include data belonging to the requesting account.
  • Account deletion permanently removes all associated data from the database.

Important

While ResponseIQ maintains strong security practices, you should also protect your account by using a strong, unique password and enabling two-factor authentication if available. Account security is a shared responsibility between the platform and its users.
