Back to home
This document may be changed or updated at any time as circumstances require.
Data Security
July 12, 2026 · Version 1.0 · Panda Mania Platform
How Panda Mania protects your data and your licenses. This page describes real technical measures implemented in the platform.
1. Accounts and Authentication
- Passwords are hashed with Argon2id, the current industry-recommended algorithm. Plaintext passwords are never stored or logged.
- Two-factor authentication (TOTP) is available for every account, with single-use recovery codes.
- Social sign-in (Google, Discord, GitHub) uses OAuth 2.0; the tokens we receive are stored encrypted at rest.
- Sensitive settings require re-confirming your password. You can review and close your active sessions at any time.
- Login attempts are rate-limited to slow down brute-force attacks.
2. Payments
- Card data is handled exclusively by certified payment processors (PCI-DSS). Card numbers never touch our servers.
- Payment webhooks are signature-verified and processed idempotently, so events cannot be forged or replayed.
3. Licenses and API
- License keys are generated with a cryptographically secure random generator.
- API keys are stored as SHA-256 hashes — shown in full only once, at creation. Their HMAC signing secrets are stored encrypted.
- SDK requests are authenticated with HMAC-SHA256 signatures and a 5-minute anti-replay window, plus per-key rate limits.
- Every license event (activation, validation, revocation) is recorded in an append-only audit history.
4. Product Files and Downloads
- Product files live outside the public web root — there is no direct URL to them.
- Downloads require an authenticated account with a valid entitlement and are served through signed links that expire in minutes, bound to your user.
- Every download is logged (who, what, when, from where).
- Files publish with SHA-256 checksums so you can verify integrity.
5. Infrastructure
- All traffic is served over HTTPS.
- The application validates all input server-side; CSRF protection is active on every form.
- Administrative and sensitive actions are recorded in audit logs.
- Database backups are performed regularly through the hosting provider.
6. Responsible Disclosure
Found a vulnerability? Please report it privately to support@panda15fps.com with steps to reproduce. Do not exploit it or access other users' data. We commit to acknowledging reports quickly and fixing confirmed issues as a priority. Good-faith researchers will not face legal action from us.
© 2026 Panda Studio | All rights reserved
Last updated: July 12, 2026 · Version 1.0
Last updated: July 12, 2026 · Version 1.0