Authentication and access

Portaviq uses passwordless email sign-in and user-scoped access checks.

  • Email OTP codes are short-lived, single-use, and used for sign-in.
  • Sessions are stored server-side and attached to an HTTP-only browser cookie.
  • Organizations, sites, reports, and dashboards are scoped to authenticated users through organization membership.
  • Internal beta lead review pages are limited to configured admin emails.

Plugin verification

A WordPress site must prove it has the correct setup values before becoming active.

  • Each site receives a public ID and one-time verification token during setup.
  • The plugin posts the public ID, token, WordPress site URL, and version details to Portaviq for verification.
  • After successful verification, the raw token is cleared and the plugin receives a secret used for signed pageview events.

What the plugin sends

The plugin sends operational status and lightweight activity data.

  • Heartbeat/status data: site public ID, site URL, plugin version, WordPress version, PHP version, active theme if available, timestamp, and signature.
  • Pageview activity: page URL/path, page title, referrer, timestamp, and signature.
  • Basic technical request metadata, such as the user agent, may be stored with activity events.
  • The lightweight tracker does not set tracking cookies and does not run inside wp-admin.

Signed tracking payloads

Pageview events are signed so Portaviq can reject invalid or stale payloads.

The plugin signs pageview payloads with a site-specific secret returned after verification. Portaviq checks the site public ID, timestamp freshness, signature, site status, and URL ownership before accepting an event.
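The server-side acceptance checks listed above, written out as an added example (not Portaviq's own code): it assumes an HMAC-SHA256 signature over a canonical JSON encoding of the signed fields, a 300-second freshness window, and a constructed site registry; field names, the registry shape and the skew window are assumptions.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Constructed registry of verified sites: public ID -> secret, status, owned host.
SITES = {
    "site_pub_abc123": {"secret": "constructed-secret", "status": "active", "host": "blog.example.com"},
    "site_pub_def456": {"secret": "another-secret", "status": "suspended", "host": "shop.example.org"},
}
MAX_SKEW = 300  # seconds a timestamp may differ from server time (assumed window)
SIGNED_FIELDS = ("site_id", "url", "title", "referrer", "ts")  # assumed; "sig" itself is never signed


def canonical(payload):
    # Deterministic encoding so plugin and server sign exactly the same bytes (assumed format).
    subset = {k: payload.get(k, "") for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign(payload, secret):
    # Site-specific secret is handed to the plugin after verification (see "Plugin verification").
    return hmac.new(secret.encode(), canonical(payload), hashlib.sha256).hexdigest()


def verify_pageview(payload, sites=SITES, now=None, max_skew=MAX_SKEW):
    """Return (accepted, reason) after checking site ID, freshness, signature, status and URL ownership."""
    now = time.time() if now is None else now
    site = sites.get(payload.get("site_id"))
    if site is None:
        return False, "unknown site"
    ts = payload.get("ts")
    if isinstance(ts, bool) or not isinstance(ts, (int, float)) or abs(now - ts) > max_skew:
        return False, "stale or missing timestamp"  # rejects replays of old captured events
    expected = sign(payload, site["secret"])
    # Constant-time comparison so timing differences do not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, str(payload.get("sig", ""))):
        return False, "bad signature"
    if site["status"] != "active":
        return False, "site not active"
    if urlparse(payload.get("url", "")).hostname != site["host"]:
        return False, "url not owned by site"
    return True, "ok"
```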

What Portaviq does not collect

The current lightweight tracker is intentionally limited.

  • No tracking cookies from the lightweight pageview tracker.
  • No WordPress admin pageview tracking.
  • No WordPress passwords, OTP codes, or payment card data.
  • No full plugin inventory from the WordPress site in the current beta.

Current beta limitations

These are honest limits customers should account for during beta testing.

  • Portaviq does not provide a public uptime SLA during private beta.
  • Security headers are present, but a full Content Security Policy is still future hardening work.
  • The rate limiter is designed for private-beta use and may need further hardening before broad production traffic.
  • The plugin ZIP is publicly downloadable and not yet distributed through a signed marketplace channel.
  • Production use should happen only over HTTPS.

Responsible disclosure

Report suspected security issues privately.

If you believe you found a Portaviq security issue, contact muhib.kamali@portaviq.com. Do not send OTP codes, private credentials, raw tracking secrets, or live customer data in the first message.