Last updated June 28, 2026
Privacy & Security
A clear overview of how SwiftTool protects media workflows, account access, Telegram bot activity and private download infrastructure.
Privacy-first workflow design
SwiftTool is designed to process only the information needed to run requested media jobs, operate accounts, answer support requests, protect the system and maintain reliable service.
- Avoid collecting unnecessary personal details.
- Keep raw uploads and generated outputs private by default.
- Separate support records, admin logs and public website content.
Account and authentication security
The web app supports account-based access and may use email/password login or approved OAuth providers such as Google. Administrative access is protected separately from public user accounts.
- Passwords are stored as hashes, never as plain text.
- Admin sessions use CSRF protection, login rate limiting and audit trails.
- Admin two-step verification can send a one-time code through the configured Telegram bot.
Telegram bot safeguards
When a SwiftTool Telegram bot is enabled, it may receive commands, support messages, Telegram identifiers, chat identifiers, files, URLs and workflow status data needed to complete the requested action.
- Bot messages should be used only for service actions, support and security notices.
- Owner notifications can be sent to the configured Telegram administrator.
- Users should not send sensitive media or files they are not allowed to process.
Media and output protection
Submitted media, URLs, captions, translations, separated audio, converted files and generated downloads should be treated as private user content unless the user intentionally publishes them.
- Use signed or otherwise authorized links for private downloads.
- Clean temporary processing files on a defined schedule.
- Keep uploaded files outside editable public content unless intentionally approved.
Private cloud endpoint
cloud.swifttool.org is a private download and processing endpoint for SwiftTool server workflows. It is not intended to be a public file browser or a separate customer dashboard.
- Directory listing should remain disabled.
- Direct access to private storage and configuration files must be blocked.
- Download activity may be logged for security, debugging and abuse prevention.
Infrastructure posture
SwiftTool separates public pages from private processing, account, support and download infrastructure so visitors can only access the intended website and app surfaces.
- HTTPS is used across swifttool.org, app.swifttool.org and cloud.swifttool.org.
- Private storage, configuration, backups and runtime files are not exposed as public website content.
- The cloud endpoint is limited to controlled download and processing workflows rather than open file browsing.
Operational monitoring
SwiftTool may keep security and reliability logs such as IP address, user agent, timestamps, requested path, login status, support events, queue status and download endpoint activity.
- Use logs to troubleshoot failed jobs and protect the service.
- Limit log access to trusted administrators.
- Avoid using operational logs for unrelated marketing purposes.
Incident response
If suspicious activity is detected, administrators should rotate credentials, review logs, disable affected accounts and temporarily pause risky workflows.
- Rotate Telegram bot tokens, OAuth secrets and API keys if exposed.
- Preserve audit logs for investigation.
- Notify affected users when required by law or policy.
User control and data review
SwiftTool gives users and administrators clear ways to review workflow activity, contact support, manage cookie choices and request help with account, bot or download data.
- Support requests can include account, Telegram or job identifiers when needed to locate a workflow.
- Cookie and accessibility preferences can be changed from the site controls.
- Administrators can review feedback, bot delivery status, audit logs and content changes from the admin panel.
Secure deployment baseline
SwiftTool is configured around HTTPS, restricted public access, protected runtime folders, hashed credentials, CSRF tokens and Telegram-based administrator verification where enabled.
- Public visitors should never receive direct access to private storage, environment files, backups or server configuration.
- Download endpoints should use controlled access instead of open directory browsing.
- Admin credentials, OAuth secrets and Telegram bot tokens should be rotated if exposure is suspected.
Questions or corrections?
Send feedback if you have a privacy, security, account, Telegram bot or download workflow question.
Contact support