Security

Voxcast targets OWASP ASVS L2. API keys are encrypted at rest with AES-256-GCM, using KMS-wrapped envelope keys. Sign-in is OAuth-only (Twitch, Google, Discord). CSP, HSTS, CORP/COEP, audit logging, and rate limits on every mutation endpoint. Find the full posture in our PLANNING.md, §8.