URL: /faq/security-and-privacy

---
title: Security and privacy FAQ
description: How we protect accounts, data, and your domains.
---

## What is WHOIS privacy and do I need it?

WHOIS is a public directory of domain registration data — owner name, address, email. Privacy replaces those fields with a forwarding service so spammers can't harvest them.

You probably want it on for personal `.com` / `.net` / `.org` domains. You can't have it on `.au` — registry policy mandates public WHOIS for all `.au` TLDs.

## Are my registration details public?

For TLDs that allow privacy, with privacy on: only your name and a forwarding address show up. The full record stays with us and the registry.

For TLDs without privacy (`.au` family, `.de`, `.fr`, others), full registrant data is public. EU GDPR led most registries to redact personal data in WHOIS responses by default for individuals; commercial registrants stay public.

## How do you store API keys?

We store the first 12 characters of the key as a lookup prefix (for `dg_live_2k8n4j7s9...` that is `dg_live_2k8n`) and an Argon2id hash of the rest. The full key never lives on our servers after we hand it back to you in the create response.

## What if I leak a key?

Revoke it at [`/dashboard/api-keys`](https://app.domaingenius.com.au/dashboard/api-keys). The deletion is immediate.

We also scan public GitHub commits for `dg_live_` patterns. Matches are auto-revoked and you get an email. Don't rely on us catching everything — review your secrets hygiene.
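A worked example of the two mechanisms above (key storage and leak scanning), written for this FAQ rather than taken from DomainGenius's own code: a store that keeps only the 12-character prefix, a salt and a hash of the remainder, a constant-time verify, and a scanner that revokes any live `dg_live_` key it finds in text such as a public commit diff. The 40-character key format and the regex are assumptions, and standard-library scrypt stands in for Argon2id so the block runs without third-party packages.

```python
import hashlib
import re
import secrets

PREFIX_LEN = 12  # "dg_live_" plus 4 characters, as the FAQ describes
# Constructed pattern for the leak scanner; the real scanner's rule is not on the page.
KEY_RE = re.compile(r"dg_live_[A-Za-z0-9]{20,}")


def _hash_remainder(remainder: str, salt: bytes) -> bytes:
    # scrypt (stdlib) stands in for Argon2id so this runs offline; use argon2-cffi in production.
    return hashlib.scrypt(remainder.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class KeyStore:
    def __init__(self) -> None:
        self._rows = {}  # prefix -> list of {salt, hash, revoked}; the full key is never kept

    def create_key(self) -> str:
        full = "dg_live_" + secrets.token_hex(16)  # hypothetical 40-char key format
        prefix, remainder = full[:PREFIX_LEN], full[PREFIX_LEN:]
        salt = secrets.token_bytes(16)
        row = {"salt": salt, "hash": _hash_remainder(remainder, salt), "revoked": False}
        self._rows.setdefault(prefix, []).append(row)
        return full  # handed back once; only prefix, salt and hash remain server-side

    def _match(self, presented: str):
        # The prefix narrows candidates; the slow hash plus constant-time compare decides.
        for row in self._rows.get(presented[:PREFIX_LEN], []):
            candidate = _hash_remainder(presented[PREFIX_LEN:], row["salt"])
            if secrets.compare_digest(candidate, row["hash"]):
                return row
        return None

    def verify(self, presented: str) -> bool:
        row = self._match(presented)
        return row is not None and not row["revoked"]

    def revoke(self, presented: str) -> bool:
        row = self._match(presented)
        if row is None or row["revoked"]:
            return False
        row["revoked"] = True
        return True


def scan_for_leaked_keys(store: KeyStore, text: str) -> list:
    """Revoke every live key found in text (e.g. a public commit diff); return their prefixes."""
    revoked = []
    for m in KEY_RE.finditer(text):
        if store.revoke(m.group(0)):
            revoked.append(m.group(0)[:PREFIX_LEN])
    return revoked
```

Because only the prefix is stored in the clear, a database dump yields nothing usable, while the prefix alone is enough to identify which key a leak or an audit log entry refers to.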

## Do you support MFA?

Yes — TOTP (any RFC 6238 authenticator app) and WebAuthn / passkeys. Add at [`/dashboard/security`](https://app.domaingenius.com.au/dashboard/security). For org owners we recommend WebAuthn — phishing-resistant, fast, no shared secret.

## Can someone steal my domain by guessing my password?

A password alone won't move a domain. State-changing operations from a logged-in session require:

- Recent re-auth (sensitive ops re-prompt for password or MFA).
- A confirmation step for transfers and contact changes (email link).
- An audit log entry visible to other org owners.

A stolen API key with `domains:write` could push a domain to another org you also own, but couldn't transfer it to a different registrar without the EPP code. Note that the EPP code is returned in a `GET /domain` response to a key holding `domains:write`, so whoever has the key can obtain it. Rotate keys regularly.

## What's the registry-lock?

A premium feature for high-value domains: the registry refuses to accept any change requests until you authenticate out-of-band (a phone call, a multi-party email confirmation). It locks DNS changes as well as transfers, not just transfers.

We support registry-lock for select TLDs (`.com`, `.net`, `.org`, `.com.au`). Email [support@domaingenius.com.au](mailto:support@domaingenius.com.au) to enable it on a domain — we set up the out-of-band protocol once, then any sensitive op needs the lock-bypass step.

## Where is data stored?

Australia (primary) and Singapore (read replicas). DNS data lives on Cloudflare's global edge. We're not subject to US CLOUD Act demands.

## Are you SOC 2 / ISO 27001 certified?

ISO 27001 audit in progress (target Q4 2026). SOC 2 Type II planned for early 2027. We can share our security questionnaire, vendor risk doc, and DPIA on request.

## How do you handle data deletion requests?

Per Australian Privacy Principles and GDPR Article 17. Submit at [privacy@domaingenius.com.au](mailto:privacy@domaingenius.com.au) — we delete personal data within 30 days, retaining only what we're required to keep (transaction records under tax law, audit logs under registrar accreditation).

## Can I get a copy of my data?

Yes — request via [privacy@domaingenius.com.au](mailto:privacy@domaingenius.com.au). Within 30 days you get a JSON export of every record we hold under your user_id, plus a CSV of audit log events. Free, once per year; nominal fee for additional pulls.
