6ix — Security

• Use a unique, strong password; consider a password manager.
• Enable 2FA. Treat one-time codes like passwords—never share them.
• Review active sessions and revoke anything unfamiliar.
• Beware of phishing: we never ask for your password via email or DM.

Reset your password, revoke sessions, and turn on 2FA. If you can’t access your account, contact security@6ixapp.com. Refund decisions follow Refunds & Cancellations.

Blue and white ticks verify identity/eligibility, not immunity to policy. Keep 2FA on, use trusted devices, and avoid sharing credentials across teams.

We support modern auth and optional 2FA. Risk-based checks may trigger extra verification (e.g., device, IP, or geolocation challenges) to reduce account takeover.

Sessions use secure cookies with appropriate flags. We rotate and invalidate tokens on sign-out and major changes (e.g., password reset). Idle timeouts may apply to sensitive flows.

We apply rate limiting and automated detection to mitigate credential stuffing, enumeration, and brute force attempts. Suspicious attempts can be blocked or stepped up with challenges.

Data is encrypted in transit (TLS) and at rest. Secrets are rotated and scoped by environment with access controls and auditing. Stored credentials use industry-standard hashing.

Card details are processed by PCI-compliant partners; 6ix never stores full card numbers. Billing and charge logic are governed by Billing & Subscriptions.

We maintain redundant backups and test restoration. Retention follows necessity and legal requirements. See Privacy — Retention.

We run in hardened cloud environments with segmented networks, managed perimeter protections, WAF, DDoS mitigation, and least-privilege service roles.

Build pipelines enforce checks (lint, types, tests). Artifacts are signed where supported. Secrets are managed centrally and not embedded in source control.

Admin actions require SSO + MFA and are logged. Production data access is limited to roles that need it and approved break-glass flows with audit trails.

We use code review, dependency scanning, static analysis, and container/image scanning. High-risk changes require additional review and monitoring gates.

We sanitize input and apply defense-in-depth to mitigate XSS, CSRF, injection, SSRF, and access-control issues. Content safety systems and abuse tooling protect the community.

We only collect what’s needed to run the service and pay creators. For KYC/KYB and AML specifics, see KYC / AML & Sanctions.

Centralized logs, metrics, and traces support anomaly detection and rapid response. Access to logs is controlled and audited.

We design for graceful degradation. Disaster-recovery runbooks and exercises validate our ability to restore critical services within target objectives.

Vendors undergo security and privacy review. Where possible, we isolate integrations and restrict scopes to the minimum required.

We maintain severity-based playbooks covering detection, triage, containment, eradication, and recovery. Each incident has an owner, comms channel, and timeline.

If a breach materially affects users, we notify affected users and (where required) regulators within applicable timelines. We share actionable guidance to help you stay safe.

We run RCAs and track corrective actions to completion (fixes, tests, additional monitoring). Learnings feed back into our controls and training.

Email security@6ixapp.com with steps to reproduce, impacted domains, and your contact. Do not access other people’s data, disrupt service, or exfiltrate data.

• Acknowledge your report quickly.
• Keep you updated as we validate and remediate.
• Credit responsible researchers where appropriate.

Social engineering, rate-limit bypass without impact, and issues in third-party platforms are typically out-of-scope. If unsure, ask us first.

We align to regional privacy laws and process data per our Privacy Policy. We perform DPIAs for higher-risk projects and apply privacy-by-design principles.

Payments are handled by regulated partners. Identity checks and AML controls are described in KYC / AML & Sanctions.

Platform safety relies on our community rules. See Acceptable Use and Safety.

Payments, renewals, and limits: /legal/billing

Eligibility and timelines: /legal/refunds

Evidence and outcomes: /legal/disputes

Verification and sanctions screening: /legal/kyc-aml

Valid process and emergencies: /legal/law-enforcement

No. Access to production data is tightly restricted and audited. Limited access may be granted to resolve specific incidents or comply with law. See Privacy — Sharing.

For eligible tiers, yes. Contact support@6ixapp.com.

Follow our status page (when published) and product changelogs. Critical notices are delivered in-product or via email.