Security

How we protect your data

Security is a top priority at Multivio. We understand that you trust us with your social media accounts, content, and business data. We take that responsibility seriously and have implemented comprehensive security measures across every layer of our platform to keep your information safe.

Data Encryption

We use strong encryption to protect your data both at rest and in transit.

  • AES-256-GCM encryption for all OAuth tokens and sensitive credentials -- your access tokens are never stored in plaintext
  • TLS 1.3 for all data in transit between your browser and our servers
  • Encrypted database backups to ensure your data remains protected even in disaster recovery scenarios

Infrastructure

Our infrastructure is built on industry-leading cloud providers with robust security certifications.

  • Vercel for frontend hosting with automatic SSL, DDoS protection, and a global edge network
  • DigitalOcean for media processing services with isolated compute environments
  • Supabase for database with row-level security (RLS) policies ensuring users can only access their own data
  • Cloudflare for CDN, DDoS protection, and WAF (Web Application Firewall)

Authentication

We implement secure authentication protocols to protect your account and connected social media platforms.

  • OAuth 2.0 with PKCE for all platform connections -- the most secure OAuth flow that prevents authorization code interception
  • Secure session management with HTTP-only cookies, strict SameSite policies, and automatic session expiration
  • Optional two-factor authentication for an additional layer of account security

Access Controls

We enforce strict access controls to minimize exposure of sensitive data.

  • Role-based access control (RBAC) with distinct workspace roles: owner, admin, editor, and viewer
  • Principle of least privilege -- team members only have access to the features and data required for their role
  • Audit logging for administrative actions and sensitive operations

Security Practices

Our development and operations processes are designed with security in mind.

  • Regular dependency updates and automated vulnerability scanning across all packages
  • Mandatory code review process for all changes before deployment
  • Automated security testing integrated into our CI/CD pipeline
  • Environment isolation between development, staging, and production

Responsible Disclosure

We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you discover a security issue, we ask that you:

  • Report the vulnerability privately via email before public disclosure
  • Provide sufficient detail for us to reproduce and address the issue
  • Allow reasonable time for us to address the vulnerability before any public disclosure

Please report security vulnerabilities to: [email protected]

Compliance

We are committed to meeting and exceeding industry compliance standards.

  • GDPR-ready -- data processing agreements, right to erasure, data portability, and consent management
  • CCPA-compliant -- California Consumer Privacy Act protections including the right to know, delete, and opt out
  • SOC 2 planned -- working toward SOC 2 Type II certification to provide third-party assurance of our security controls

Have questions about our security practices? We are happy to provide additional details. Contact our security team at: [email protected]