Security Policy

Account protection

• Passwords are hashed and never stored in plain text.
• Sessions are managed by our authentication provider.
• We recommend strong, unique passwords.

Owner-only editing

Database row-level security ensures that profiles, listings, events, jobs and stolen-instrument reports can be edited only by their owner.

Admin moderation

Administrators may review, approve, hide or remove content that violates the Terms or applicable law. Moderation actions are logged.

Public visibility

Only content that has been approved and published is visible to the public. Pending, rejected, archived, suspicious and spam content is excluded from public views.

File upload restrictions

Uploads are restricted to common image formats (JPEG, PNG, WebP) with size limits, and are stored under per-user paths.

Anti-spam measures

• Status-lock triggers prevent users from self-approving or transferring ownership of content.
• Community reports allow users to flag suspicious content.
• Suspicious or spam listings are removed from public views.

API keys and secrets

Server-side secrets are stored as environment variables and never exposed to the browser. The service role key is used only on the server.

Analytics privacy

Visitor analytics are anonymous: we collect page paths, language and country but do not store IP addresses or personal identifiers.

Incident handling

If we become aware of a personal data breach, we will investigate, contain the incident, and notify affected users and the supervisory authority when required by law.

Responsible disclosure

If you discover a security vulnerability, please report it privately to news@musicservices.world. Please do not publicly disclose the issue before we have had a reasonable time to respond.