Security & Trust Center

1. Infrastructure Security

1.1 Cloud Infrastructure

• Hosted on managed cloud infrastructure
• Provider-level protections and traffic controls at the edge
• Layered application security controls and access restrictions
• Operational backups and recovery procedures for critical services
• Ongoing internal security review and dependency monitoring

1.2 Network Security

• Application traffic is served over HTTPS/TLS
• HSTS (HTTP Strict Transport Security) enforced on all connections
• Dependency and configuration review during development
• Web Application Firewall (WAF) protection against common attacks
• Rate limiting to prevent abuse and brute force attacks

2. Data Protection

2.1 Encryption

2.2 Data Handling

• Minimal data collection - we only store what's necessary for the service
• Regular data retention reviews and automatic purging of expired data
• Secure data deletion upon account termination (within 30 days)
• No selling or sharing of personal data with third parties for advertising
• Clear data processing documentation and transparency

3. Authentication & Access Control

3.1 User Authentication

• Secure password requirements (12+ characters with complexity requirements)
• Passwords hashed using bcrypt with high cost factor (12 rounds)
• OAuth 2.0 integration for Google and Facebook login options
• Account lockout after multiple failed login attempts
• Secure session management with short-lived access tokens (15 minutes)
• HTTP-only cookies to prevent XSS token theft

3.2 Social Media Connections

• OAuth 2.0 protocol for all social media platform integrations
• We never store your social media passwords - only access tokens
• Minimal permission scopes - we only request permissions we need
• Easy token revocation through account settings at any time
• Tokens are encrypted before storage

4. Application Security

4.1 Secure Development

• Security-focused code reviews for all changes
• Automated security scanning in our CI/CD pipeline
• Regular dependency updates and vulnerability patching
• OWASP Top 10 protection measures implemented
• Input validation and output encoding throughout the application

4.2 API Security

• Rate limiting on all API endpoints to prevent abuse
• Input validation and sanitization on all requests
• CSRF (Cross-Site Request Forgery) protection on all forms
• Webhook signature verification for incoming callbacks
• API keys and secrets managed securely

5. Compliance

5.1 Data Privacy Regulations

• GDPR: Privacy controls designed to support EU General Data Protection Regulation obligations
• CCPA: Privacy controls designed to support California Consumer Privacy Act obligations
• Data processing terms available for business customers on request
• Right to access, correct, and delete personal data honored
• Data portability supported

5.2 Platform Compliance

• OAuth-based Meta (Facebook/Instagram) integrations using requested platform permissions
• Compliance with all social media platform API terms and conditions
• Periodic compliance reviews and platform policy updates
• Adherence to platform rate limits and best practices

6. Incident Response

In the unlikely event of a security incident:

• Incident response process initiated when a security issue is confirmed
• Affected users notified within 72 hours as required by GDPR
• Thorough post-incident review and remediation
• Transparent communication about incidents and resolutions
• Root cause analysis to prevent future occurrences

7. Your Security Responsibilities

Security is a shared responsibility. We recommend:

• Use a strong, unique password for your Postiv.io account
• Enable two-factor authentication on all connected social media accounts
• Review connected apps regularly and revoke unused access
• Report suspicious activity immediately to [email protected]
• Keep your devices and browsers updated with security patches
• Be cautious of phishing attempts - we'll never ask for your password via email

8. Security Updates

We continuously improve our security measures. Recent enhancements include:

• Enhanced account lockout protection after failed login attempts
• Improved webhook signature verification for Meta platforms
• Additional encryption for stored OAuth tokens
• Enhanced rate limiting across all API endpoints

9. Contact Security Team

To report a security vulnerability or concern:

• Email: [email protected]

We appreciate responsible disclosure and will acknowledge receipt within 24 hours. We do not currently offer a bug bounty program, but we recognize researchers who help us improve our security.