Security
Last updated: 8 June 2026
FounderReply operates your own connected accounts on your behalf, which means we take the security of your credentials and your audience’s data seriously. This page describes our core technical controls.
Authentication & access
In place: Accounts are protected by authenticated sessions using JWT cookie auth. Every API request is scoped to a workspace and validated against your membership before any data is returned, so users can only ever reach the workspaces they belong to.
Encryption of OAuth tokens at rest
In place: When you connect a platform (Reddit, Instagram, Facebook, LinkedIn, X), the OAuth access and refresh tokens we store are encrypted at rest. They are decrypted only in memory at the moment an action you have authorised is performed, and are never exposed to the browser or to other tenants.
Tenant isolation with row-level security
In place: The database enforces workspace-scoped row-level security (RLS). Data access is membership-scoped at the database layer, so a query cannot cross tenant boundaries even in the event of an application bug. The service-role backend is the primary access-control layer and applies the same workspace scoping.
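As an added illustration of what membership-scoped RLS looks like on Supabase/Postgres (this is not FounderReply's schema; the table names, columns and the auth.uid() helper are assumptions):

```sql
-- Added example, not FounderReply's code. Assumed schema: a membership table
-- and one tenant-data table, both keyed by workspace_id.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);

create table posts (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  body         text not null
);

-- Enable RLS and force it even for the table owner, so a query that forgets
-- its WHERE clause still cannot read or write another tenant's rows.
alter table workspace_members enable row level security;
alter table workspace_members force row level security;
alter table posts enable row level security;
alter table posts force row level security;

-- A caller may see only their own membership rows.
-- auth.uid() is Supabase's helper that returns the user id from the JWT.
create policy members_self on workspace_members
  for select
  to authenticated
  using (user_id = auth.uid());

-- A caller may read or write a post only if they are a member of its
-- workspace; WITH CHECK applies the same test to inserted/updated rows.
create policy posts_workspace_members on posts
  for all
  to authenticated
  using (
    exists (select 1 from workspace_members m
            where m.workspace_id = posts.workspace_id
              and m.user_id = auth.uid())
  )
  with check (
    exists (select 1 from workspace_members m
            where m.workspace_id = posts.workspace_id
              and m.user_id = auth.uid())
  );

-- Caveat: the Supabase service-role key bypasses RLS entirely, so a backend
-- using it must filter by workspace_id itself, as the page describes.
```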
Transport security
In place: All traffic is served over TLS. The application runs on Cloudflare’s edge, which adds DDoS protection and a hardened network perimeter in front of the service.
Hosting & data residency
In place: Application data is hosted in the EU (Supabase EU region). AI drafting uses Google’s Gemini API by default (processed in the US under Google’s API terms); EU/CH-hosted AI via our phi-cloud integration is available when configured. See our GDPR page for residency detail. Your data is not used to train third-party models.
Least privilege & human-in-the-loop
In place: The agent only ever acts within the autonomy you set. Human approval is on by default, and high-trust actions (such as growth comments) default to approve-first, with guardrails that respect each platform’s automation policy. You can pause autonomy at any time.
Data deletion
In place: You can disconnect any account and delete your data at any time via Data & Deletion. Disconnecting revokes our stored tokens for that platform.
Reporting a vulnerability
If you believe you have found a security issue, please contact admin@founderreply.com. We appreciate responsible disclosure and will respond promptly.