Start typing — brands, models, or categories
Legal

Security

Effective July 1, 2026 · Privacy Policy →
Our approach:We're audiophiles. We came to this platform from the other side — as buyers and sellers who'd been burned by sterile listings, anonymous handles, and “trust us” marketplaces that didn't earn it. HiFi Registry was built to be the platform we wished existed, which means security and trust aren't features we bolt on. They're the foundation.

We don't believe security and user experience are opposed. Most platforms ask you to choose: lock things down tight and fight friction every time you sign in, or stay smooth and quietly hope nothing breaks. We refuse both. Security has to be invisible enough that you forget it's there — and absolute enough that you don't have to think about it. That's the bar. Nothing ships unless it clears it.

How we keep your account safe

Authentication is handled by Amazon Cognito. Your password is hashed and salted to industry standards — we never see it, never store it in plain text, and couldn't recover it for you if we tried. We can help you reset it; we cannot show it to you.

We use OAuth-grade session management with short-lived ID tokens and silent background refresh. You stay signed in as long as you're active, without ever re-entering your password mid-session, and your token is rotated automatically behind the scenes. Multi-factor authentication is on the roadmap; the day we turn it on, your existing account will support it with no migration required.

How we protect your money

We deliberately do not touch your card or bank information.

All marketplace fees flow through PayPal, one of the most heavily audited payment processors on the internet. When you pay your $25 listing fee, the transaction happens on PayPal's infrastructure — we never see your card number, your CVV, or your bank credentials.

We use Stripefor one thing and one thing only: optional identity verification (more below). We do not process payments through Stripe. We do not store card data of any kind on our servers, because we don't have any.

Buyer-seller transactions for actual gear happen directly between you and the other party, via PayPal Goods & Services (with buyer protection) or whatever method you mutually agree on. Native escrow for high-value deals is on the way — a layer designed specifically for the $5K+ transactions that deserve an extra safety net.

How we verify identity

Sellers can opt into Stripe Identity verification — strongly suggested for listings over $10,000. Stripe Identity uses government-issued ID plus a liveness check. We never see the document itself, only the verified result and a verification timestamp on the seller's profile.

Beyond formal verification, every seller has a public accountability profile: total sales, total disputes, response times, and external reputation imported from eBay (API-verified) or Audiogon and US Audio Mart (admin-verified). The community sees the same information we do. If a seller has a history, it's visible. If a seller has built trust, that's visible too.

How we keep listings honest

Listings on HiFi Registry are not free-form. Every listing requires:

  • A minimum of eight high-resolution photos, AI-verified for authenticity — we check for stock images, photo manipulation, and reuse from other marketplaces
  • Structured fields for condition, accessories, and known issues, not a paragraph of marketing copy where defects hide between adjectives
  • Total-owners count with an “Original Owner” badge for first owners — provenance matters
  • Verified-Owner Reviews that can only be submitted by users who actually purchased the gear through the platform

When something goes wrong — and over a long enough time horizon, something always does — the dispute lands on the seller's accountability profile and stays there. We don't hide disputes. We don't let sellers pay to remove them. The reputation system is the reputation system, and that's how it earns its weight.

How we protect your data

Every byte of data we hold about you is encrypted at rest (Aurora PostgreSQL with KMS-managed keys) and in transit (TLS 1.2+ on every endpoint). Backups are encrypted. Logs are encrypted.

We do not sell your data. Not to advertisers, not to data brokers, not to a partner network. HiFi Registry's revenue model is listing fees — that's it. We have no incentive to monetize your activity and we've built the business so we never will.

We don't run ads, and we won't. There's no advertising network embedded in our pages, no shadow profile being built up in the background. If you delete your account, we remove the personal data we hold about you within 30 days, retaining only what we're legally required to keep for tax and dispute records.

The full details are in our Privacy Policy.

How we keep the forum healthy

Every forum post has a one-click Report button. Reporting a post sends a structured email to our moderation team — post content, thread context, and your account info — and sends you a receipt so you know it landed. A human reviews every report. No automated suspensions.

We don't tolerate harassment, hate speech, scam attempts, or off-platform deal coordination designed to circumvent buyer protection. If you see it, flag it.

If you're ever the subject of a report, you'll hear from us directly with the specific concern and an opportunity to respond before any action is taken.

How we handle email

Every email we send comes from an @hifiregistry.com address — typically moderator@, admin@, or noreply@. Our domain is DKIM-signed and SPF-verified, which means real HiFi Registry email can be cryptographically distinguished from spoofs by every mainstream mail client.

We will never:

  • Email you asking for your password
  • Email you asking for your card number or PayPal credentials
  • Ask you to move a conversation off-platform “for a better deal”

If you receive an email claiming to be from us that asks for any of these, it isn't us. Forward it to security@hifiregistry.comand we'll investigate immediately.

Infrastructure security

HiFi Registry runs entirely on Amazon Web Services in the us-east-1 region, behind AWS WAF, Shield, and GuardDuty. Application code runs on ECS Fargate with least-privilege IAM roles. Database access is restricted to private subnets — the database is never reachable from the public internet. Secrets are managed via AWS Secrets Manager and never checked into source code.

We monitor CloudWatch logs in real time. Suspicious activity — failed sign-in clusters, anomalous fee-payment patterns, scraping attempts — is flagged and reviewed.

Reporting a vulnerability

If you find a security issue, send the details to security@hifiregistry.com.

Include:

  • A description of the issue
  • Steps to reproduce
  • The potential impact as you see it
  • Proof-of-concept code if you have it

We acknowledge every report within 48 hours and provide a substantive update within 7 days. We don't currently run a paid bug bounty, but we credit researchers (with your permission) on our security acknowledgements page when you help us close meaningful gaps.

In return, we ask that you give us reasonable time to address issues before public disclosure, don't access data that isn't yours, and don't disrupt service for other users while testing.

What we don't do

  • We don't sell your personal data — not to anyone, not for any price
  • We don't store your card number, CVV, or bank account information
  • We don't allow listings without verified photos
  • We don't hide seller disputes
  • We don't run ads
  • We don't lock you into the platform — your data is yours, your account is yours, and you can leave whenever you want
  • We don't compromise on any item in this list