Security Overview
How we protect your social media account credentials and data
Encryption at Rest
All OAuth access tokens and refresh tokens are encrypted before being stored in our database using industry-standard encryption algorithms.
- Uses AES-256-CBC encryption with unique initialization vectors (IV) for each token
- Encryption keys are stored separately from the database in secure environment variables
- Even with database access, tokens remain encrypted and unusable without the encryption key
- Each token is encrypted with a unique IV, ensuring identical tokens produce different encrypted values
Token Lifecycle Management
We implement automatic token refresh mechanisms to maintain secure connections without requiring manual re-authentication.
- Tokens are automatically refreshed before expiration
- Expired tokens trigger automatic refresh using stored refresh tokens
- Failed refresh attempts are logged and users are notified
- Users can revoke access at any time through platform settings
Database Security
Our database architecture ensures that sensitive credentials are never stored in plain text.
- Encrypted tokens are stored in dedicated OAuth provider tables
- Tokens are only decrypted in-memory when needed for API calls
- No token data is logged or exposed in error messages
- Database access is restricted to application servers only
Security Best Practices
Environment Security
- Encryption keys stored in secure environment variables, never in code
- Environment variables are not accessible through application logs
- Separate encryption keys for different environments (development, production)
- Regular key rotation policies
Access Control
- Tokens are only decrypted in-memory when needed for API calls
- No token data is included in error messages or logs
- Database queries are parameterized to prevent injection attacks
- API endpoints require authentication before accessing tokens
Compliance & Privacy
- Users can disconnect platforms at any time
- All tokens are deleted when a platform connection is removed
- No personal data is stored beyond what's necessary for API functionality
- Regular security audits and updates
Security Considerations
We continuously monitor and address security considerations across our platform:
- Regular security assessments and penetration testing
- Monitoring for potential security issues and vulnerabilities
- Prompt patching of identified security concerns
- Compliance with industry security standards
- Third-party security audits and reviews
Note: Specific security vulnerabilities are not disclosed publicly to protect user data and platform security. Security researchers can report issues through our responsible disclosure program.