Last updated: April 8, 2026
You2Off takes the security of your data seriously. This page describes the technical and organisational measures we use to protect your information.
Passwords are never stored in plain text. We use industry-standard hashing (bcrypt via PHP’s password_hash()) so that even with access to the database, your password cannot be recovered. You are encouraged to use a strong, unique password.
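The following is an added example of how the hashing described above is typically done with PHP's built-in password_* functions; it is not You2Off's own code, and the cost factor of 12 and the 72-byte length check are choices made here, not settings taken from the project.

```php
<?php
// Added example, not You2Off's code: storing and checking passwords with bcrypt.
// Only PHP's built-in password_* API is used; BCRYPT_COST is an assumed value.

const BCRYPT_COST = 12;

function hash_password(string $plain): string
{
    // bcrypt only processes the first 72 bytes of its input; rejecting longer
    // passwords up front avoids silently truncating them.
    if (strlen($plain) > 72) {
        throw new InvalidArgumentException('Password may not exceed 72 bytes');
    }
    // The returned "$2y$..." string embeds the algorithm, cost and a random
    // salt, so the plain text is never stored and no separate salt column is needed.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function check_password(string $plain, string $stored): bool
{
    // password_verify re-derives the hash with the salt and cost found in $stored
    // and compares in constant time.
    return password_verify($plain, $stored);
}

function rehash_if_needed(string $plain, string $stored): ?string
{
    // After a successful login, return an upgraded hash when the stored one was
    // created with weaker parameters (e.g. a lower cost); the caller saves it.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hash_password($plain);
    }
    return null;
}

// Constructed demonstration values (not real credentials).
$stored = hash_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $stored));
var_dump(check_password('not the password', $stored));
var_dump(rehash_if_needed('correct horse battery staple', $stored));
```

Calling rehash_if_needed() during login lets a deployment raise the cost factor later without forcing every user to reset their password: each account is upgraded the next time its owner signs in.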
In production, the service is intended to be used over HTTPS. This encrypts data in transit between your browser and our servers, helping to prevent interception or tampering.
Session identifiers are stored in cookies with the HttpOnly flag (not readable from JavaScript) and a SameSite attribute (so the cookie is not sent on most cross-site requests). In production, the Secure flag is set so cookies are sent only over HTTPS. Session IDs are regenerated on login to limit session fixation risks.
Access to data and features is restricted by role (employee, manager, administrator). Users can only see and act on data they are authorised to use. Administrative actions (e.g. changing roles, balances) are limited to administrators.
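As an added illustration of the cookie flags, login-time ID regeneration and role checks described in the two paragraphs above (example code, not You2Off's own): the $isProduction flag, the session keys user_id and role, and the require_role() helper are assumptions made for this example.

```php
<?php
// Added example, not You2Off's code: session cookie hardening, session ID
// regeneration on login, and a role check for protected actions.

function start_secure_session(bool $isProduction): void
{
    session_set_cookie_params([
        'lifetime' => 0,              // discarded when the browser closes
        'path'     => '/',
        'secure'   => $isProduction,  // HTTPS-only in production
        'httponly' => true,           // not readable from JavaScript
        'samesite' => 'Lax',          // withheld on most cross-site requests
    ]);
    // Reject session IDs the server never issued instead of adopting them.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function login_user(int $userId, string $role): void
{
    // Issue a fresh session ID and delete the old session data, so an ID that
    // existed before authentication cannot be reused to reach the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['role']    = $role;
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser with the same attributes it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Allow-list check: the caller names exactly which roles may proceed, so an
// endpoint such as "change role" lists only 'administrator'.
function require_role(array $allowedRoles): void
{
    $role = $_SESSION['role'] ?? null;
    if (!is_string($role) || !in_array($role, $allowedRoles, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage sketch for an assumed administrative endpoint:
// start_secure_session(getenv('APP_ENV') === 'production');
// require_role(['administrator']);
// ... change the target user's role or balance here ...
```

The role check is an explicit allow-list rather than a numeric hierarchy: a page for managers lists ['manager', 'administrator'], so a new role added later gets no access anywhere until it is named.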
We use prepared statements for database queries to prevent SQL injection. User-supplied content is escaped when displayed to prevent cross-site scripting (XSS). State-changing actions require a valid CSRF token to reduce cross-site request forgery. File uploads (if enabled) are validated and stored outside the web-accessible area where appropriate.
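The three input-handling controls named above, written out as an added example (not You2Off's code): PDO is used for the database, the users table and its columns are assumed, and the database settings are read from environment variables as the deployment notes below recommend.

```php
<?php
// Added example, not You2Off's code: prepared statements, output escaping and a
// CSRF token check. Table/column names and DB_* environment variables are assumed.

function db(): PDO
{
    return new PDO(getenv('DB_DSN'), getenv('DB_USER'), getenv('DB_PASS'), [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// The user-supplied value is bound as a parameter, never spliced into the SQL
// text, so it is always treated as data regardless of its contents.
function find_user_by_email(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, role FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Encode every user-controlled string at the point it is placed into HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// One random token per session; forms embed it and every state-changing
// request must echo it back.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
}

function require_valid_csrf(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals compares in constant time so the check leaks nothing about the token.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Usage sketch for an assumed form handler:
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     require_valid_csrf();
//     $user = find_user_by_email(db(), (string)($_POST['email'] ?? ''));
//     echo '<p>Account: ' . e($user['email'] ?? 'not found') . '</p>';
// } else {
//     echo '<form method="post">' . csrf_field()
//        . '<input name="email"><button>Look up</button></form>';
// }
```

Disabling emulated prepares matters with MySQL: with emulation on, PDO interpolates the bound values client-side before sending the query, whereas with it off the statement and its parameters travel to the server separately.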
Security depends on the environment where You2Off is deployed. We recommend that the application and database run on a trusted, maintained host with regular updates, restricted access, and backups. Environment variables (e.g. database credentials) should be kept secret and not committed to version control.
If you believe you have found a security vulnerability, please report it to your organisation’s administrator or the party responsible for operating your instance of You2Off. Do not disclose the issue publicly before it has been addressed.