---
slug: security-overview
title: Security overview
category: definition
status: published
tags: [security, encryption, access, infrastructure, soc, 安全, 加密, 访问控制]
aliases: []
lastEditAt: 2026-04-26
---
Security at Tycoon is built around a few practical commitments: encrypt data, limit access, monitor for problems, and be honest about scope.

**Data in transit and at rest**

All data moving between the chairman's browser and Tycoon's servers is protected in transit by industry-standard encryption. Workspace content stored on Tycoon's infrastructure is encrypted at rest.

**Authentication**

Login uses a managed identity provider with secure password handling. Two-factor authentication via authenticator apps is supported — see the 2FA reference.

Sessions expire after a period of inactivity. The chairman can review active sessions and sign out of any of them from **Settings → Account → Sessions**.

**Access control**

Workspace data is scoped to the workspace. The chairman and invited teammates are the only people with default access. Tycoon employees access workspace content only when needed for support or incident response, with audit logs in place.

**Infrastructure**

Tycoon runs on managed cloud infrastructure from a major provider with mature security practices. Backups are encrypted and tested. Production systems are isolated from development systems.

**Monitoring**

Tycoon monitors for unusual activity — repeated failed logins, sudden bursts of unfamiliar usage, suspicious billing events. The chairman is notified of significant events on the account (new device sign-ins, password changes, payment method updates).

**Vulnerability handling**

Security reports from researchers go to the address listed in **Settings → Account → Security**. Confirmed issues are triaged by priority. Tycoon does not run a public bounty program at this time but takes responsible disclosure seriously.

**What chairmen should also do**

- Use a unique, strong password (a password manager helps)
- Turn on 2FA in **Settings → Account → Security**
- Review active sessions periodically
- Be cautious of phishing — Tycoon never asks for passwords by email

For binding policy language, see [/privacy](/privacy).
