Security

SocialRouter is in public beta. We follow security best practices but have not yet completed formal certifications (SOC 2, ISO 27001). This page describes our current controls and our roadmap.

Current controls

Encryption

• All traffic is HTTPS-only with HSTS preload (2-year max-age)
• Database encryption at rest (AES-256, managed by Supabase / AWS RDS)
• API keys are stored as SHA-256 hashes; plaintext never persisted after creation

Access control

• Row Level Security (RLS) on every database table — users can only access their own rows
• Service-role credentials are gated behind authenticated server contexts and webhook signature verification
• OAuth-based authentication (GitHub, Google) — we never see your password
• API keys are revocable instantly from the dashboard

Application security

• Strict Content Security Policy (CSP) preventing XSS and unauthorized resource loading
• X-Frame-Options DENY (clickjacking prevention)
• Stripe webhook signature verification on every event
• Constant-time API key comparison (timing attack prevention)
• Per-account rate limiting on read/write/analytics endpoints

Data handling

• Request bodies and response bodies are never persisted
• Only metadata (endpoint, platform, status, latency) is logged
• Usage logs deleted after 30 days
• Credit card data never touches our servers (handled by Stripe)

Roadmap

• Q3 2026: SOC 2 Type 1 audit kickoff
• Q4 2026: Single Sign-On (SAML) for enterprise plans
• Q1 2027: SOC 2 Type 2 completion
• Q2 2027: ISO 27001 audit kickoff

Reporting vulnerabilities

We welcome responsible security disclosure. Email security@socialrouter.ai with details. We commit to:

• Acknowledging your report within 48 hours
• Providing an initial assessment within 5 business days
• Coordinating disclosure timing
• Crediting you publicly (if you wish) once the issue is resolved

We do not currently run a paid bounty program but offer recognition and SocialRouter credits for valid reports.

Contact

General security questions: security@socialrouter.ai