Security

Security at SocialsBoost

Enterprise-grade security built into every layer — so you can connect every account and ship every post with confidence.

Effective April 1, 2026
01

In short

SocialsBoost is built to be safe by default. We encrypt your data in transit and at rest, isolate every customer's workspace, run continuous security testing, and respond to incidents in hours — not days.

In plain English

You hand us your social-account access. We treat that trust the way we'd want our own accounts treated — defense-in-depth, principle of least privilege, and no shortcuts.
02

Encryption

  • In transit. All traffic to SocialsBoost is served over TLS: TLS 1.3 is negotiated by default and TLS 1.2 is accepted only for older clients; nothing older is offered. HSTS is preloaded, and certificate pinning is used for our internal services.
  • At rest. Customer data is encrypted with AES-256-GCM on the database and object storage layer. Database backups carry the same encryption.
  • OAuth tokens. Social-account access tokens are protected with envelope encryption: each record gets its own data key, which is wrapped by a customer managed key (CMK) in AWS KMS with automatic key rotation enabled. KMS rotation introduces new key material for future wrap operations and retains the old material, so previously wrapped data keys stay decryptable; moving them onto the new material is a separate re-wrap step that does not require re-encrypting the tokens themselves.
  • Secrets. Application secrets live in a hardware-backed KMS, never in source control or environment files committed to git.
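The envelope scheme described in the OAuth-token bullet, as an added example that is not SocialsBoost's code: a per-record AES-256-GCM data key wrapped by a versioned wrapping key, with the tenant and record IDs bound into the AEAD associated data so a ciphertext copied into another row fails to decrypt. The in-process keyService is a stand-in for AWS KMS (an assumption of the example; KMS would hold the wrapping keys and perform wrap/unwrap remotely), and the record layout and names are likewise assumed. The rewrap function is the step that wrapping-key rotation alone does not perform.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const gcmNonceSize = 12 // cipher.NewGCM uses the standard 96-bit nonce

// keyService stands in for AWS KMS (an assumption of this example): versioned
// wrapping keys used only through wrap/unwrap, every version kept after rotation.
type keyService struct{ keks [][]byte } // version v lives at keks[v-1]
func newKeyService() *keyService { ks := &keyService{}; ks.rotate(); return ks }

// rotate adds a new 256-bit wrapping-key version and makes it current.
func (ks *keyService) rotate() { ks.keks = append(ks.keks, randomBytes(32)) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-GCM; a wrong key size is a programming error, hence the panic.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal is AES-256-GCM with a fresh random nonce prefixed to the ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randomBytes(gcmNonceSize)
	return aead(key).Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < gcmNonceSize {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, blob[:gcmNonceSize], blob[gcmNonceSize:], aad)
}

// wrap encrypts a data key under the current wrapping key and reports its version.
func (ks *keyService) wrap(dek, aad []byte) (int, []byte) {
	return len(ks.keks), seal(ks.keks[len(ks.keks)-1], dek, aad)
}

func (ks *keyService) unwrap(ver int, blob, aad []byte) ([]byte, error) {
	if ver < 1 || ver > len(ks.keks) {
		return nil, errors.New("unknown wrapping-key version")
	}
	return open(ks.keks[ver-1], blob, aad)
}

// tokenRecord is the stored row: ciphertext, wrapped data key, wrapping-key version.
type tokenRecord struct {
	TenantID, RecordID     string
	KEKVersion             int
	WrappedDEK, Ciphertext []byte
}

// aadFor binds both ciphertexts to tenant and row: a blob moved into another
// tenant's row fails to decrypt even though every key involved is valid.
func aadFor(tenant, record string) []byte {
	return []byte("oauth-token/" + tenant + "/" + record)
}

func encryptToken(ks *keyService, tenant, record string, token []byte) *tokenRecord {
	dek := randomBytes(32) // one data key per record, never shared
	aad := aadFor(tenant, record)
	ver, wrapped := ks.wrap(dek, aad)
	return &tokenRecord{tenant, record, ver, wrapped, seal(dek, token, aad)}
}

func decryptToken(ks *keyService, r *tokenRecord) ([]byte, error) {
	aad := aadFor(r.TenantID, r.RecordID)
	dek, err := ks.unwrap(r.KEKVersion, r.WrappedDEK, aad)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, aad)
}

// rewrap moves a row onto the current wrapping-key version by re-wrapping only the
// 32-byte data key; the token ciphertext is untouched. Rotation alone does not do this.
func rewrap(ks *keyService, r *tokenRecord) error {
	aad := aadFor(r.TenantID, r.RecordID)
	dek, err := ks.unwrap(r.KEKVersion, r.WrappedDEK, aad)
	if err != nil {
		return err
	}
	r.KEKVersion, r.WrappedDEK = ks.wrap(dek, aad)
	return nil
}
```

To exercise it: encrypt a token, rotate the wrapping key, confirm the old row still decrypts, then rewrap and confirm only KEKVersion and WrappedDEK changed. Moving the row to another tenant ID must fail, which is what the associated data buys you.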
03

Authentication & access control

For your account:

  • Passwords are hashed with bcrypt (cost factor 12) — never stored in plaintext.
  • Google Sign-In is supported and recommended.
  • Two-factor authentication via TOTP (Premium plan) — coming to all plans soon.
  • Workspace permissions follow role-based access control: Owner / Admin / Editor / Viewer.
  • Sessions are short-lived: JWT access tokens expire after 15 minutes, and refresh tokens are rotated on every use.
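The session mechanics from the last bullet, as an added example that is not SocialsBoost's code: HS256 JWT access tokens that expire 15 minutes after issue, verified with the algorithm pinned in the verifier rather than read from the token, plus refresh tokens stored only by hash and rotated on every use, where presenting an already-rotated token revokes the whole family descended from that login. The in-memory store, the HS256 choice and the claim set are assumptions for the example; a deployment would persist the rows and may sign with an asymmetric key instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var (
	accessTTL = 15 * time.Minute
	b64       = base64.RawURLEncoding
	// Pinned header: verification compares this exact encoding and never reads
	// alg from the token, closing the "alg":"none" and key-confusion doors.
	jwtHeader = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
)

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func sign(key []byte, input string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return b64.EncodeToString(mac.Sum(nil))
}

// mintAccessToken issues an HS256 JWT that expires accessTTL after now.
func mintAccessToken(key []byte, sub string, now time.Time) string {
	body, _ := json.Marshal(claims{Sub: sub, Exp: now.Add(accessTTL).Unix()})
	input := jwtHeader + "." + b64.EncodeToString(body)
	return input + "." + sign(key, input)
}

// verifyAccessToken checks shape, pinned header, signature and expiry, in that order.
func verifyAccessToken(key []byte, tok string, now time.Time) (*claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != jwtHeader {
		return nil, errors.New("malformed token or unexpected header")
	}
	if !hmac.Equal([]byte(parts[2]), []byte(sign(key, parts[0]+"."+parts[1]))) {
		return nil, errors.New("bad signature")
	}
	var c claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("undecodable claims")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("access token expired")
	}
	return &c, nil
}

// Refresh tokens descended from one login share a family. The store keeps only
// the SHA-256 of each token, so a leaked table yields nothing replayable.
type family struct {
	sub     string
	revoked bool // set when a retired token from this family is replayed
}

type refreshStore struct {
	rows map[string]*family // token hash -> family
	used map[string]bool    // hashes of tokens that were already rotated
}

func newRefreshStore() *refreshStore { return &refreshStore{rows: map[string]*family{}, used: map[string]bool{}} }

func hashToken(tok string) string { sum := sha256.Sum256([]byte(tok)); return b64.EncodeToString(sum[:]) }

func (s *refreshStore) issue(fam *family) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	tok := b64.EncodeToString(raw)
	s.rows[hashToken(tok)] = fam
	return tok
}

// login starts a new family for a fresh session.
func (s *refreshStore) login(sub string) string { return s.issue(&family{sub: sub}) }

// rotate exchanges a live refresh token for its successor. A token that was already
// rotated is being replayed, by the client or by whoever copied it, so the family dies.
func (s *refreshStore) rotate(tok string) (string, error) {
	h := hashToken(tok)
	fam, ok := s.rows[h]
	switch {
	case !ok:
		return "", errors.New("unknown refresh token")
	case fam.revoked:
		return "", errors.New("session revoked")
	case s.used[h]:
		fam.revoked = true
		return "", errors.New("refresh token reuse detected; session revoked")
	}
	s.used[h] = true
	return s.issue(fam), nil
}
```

The two checks worth copying are the header pin (a token whose header is not byte-for-byte the expected one is rejected before any signature work) and the reuse branch in rotate: the first replay of a ret refresh token is the signal that the secret leaked, and the only safe reaction is to invalidate every token that came from that login.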

For our team:

  • Production access is gated behind SSO + hardware-key 2FA.
  • Access is provisioned via short-lived, just-in-time tokens — no long-lived production credentials on engineer laptops.
  • All production actions are logged and reviewed.
04

Infrastructure

SocialsBoost runs on hardened AWS infrastructure (US-East primary, EU-West fail-over). Every customer's data is logically isolated by tenant ID — there's no shared application state between workspaces.

Our build and deploy pipeline (GitHub Actions → Vercel + AWS ECS) uses signed images, audited dependencies, and a multi-stage review gate. Production deployments require a peer approval and a green CI run.

05

Application security

We protect against the OWASP Top 10 throughout our stack — parameterised queries, strict CSP, CSRF tokens, encoded output, and per-route rate limits. Every dependency is monitored by automated SCA (Dependabot + Snyk) and patched within 7 days of a critical advisory.

We engage an independent third-party security firm for a full penetration test once a year, with findings remediated under SLA. Continuous DAST runs against staging on every deploy.

06

Compliance & certifications

  • SOC 2 Type II — audited annually by an independent licensed CPA firm under the AICPA's SOC 2 framework. Latest report available to enterprise customers under NDA.
  • GDPR & UK GDPR — see our GDPR page for the full breakdown.
  • CCPA / CPRA — California consumer requests handled at privacy@socialsboost.com.
  • ISO 27001 — certification in progress (target: Q4 2026).
07

Incident response

We run a 24/7 on-call rotation. Security incidents are triaged within 30 minutes, with a defined runbook for containment, eradication, and customer communication.

Material breaches affecting your data will be communicated to your account's primary email within 72 hours of confirmation, including what happened, what data was involved, what we've done, and what you should do next.

08

Vulnerability disclosure

If you find a security issue, please report it confidentially to security@socialsboost.com with reproduction steps. We'll acknowledge within one business day and keep you updated through remediation. We don't have a formal bug-bounty program yet, but we recognise responsible disclosure publicly (with your permission) and send swag.

In plain English

Please don't test against live customer data, run brute-force attacks, or perform DoS. Stick to your own test account.
09

Data backups & recovery

  • Continuous WAL backups of the primary database, with point-in-time recovery (PITR) for the last 35 days.
  • Daily encrypted snapshots replicated cross-region.
  • Recovery point objective (RPO) ≤ 5 minutes. Recovery time objective (RTO) ≤ 1 hour for the application tier.
  • Restoration drills are run quarterly.
10

Sub-processors

A current list of sub-processors (cloud, payments, email, AI providers) and the data they handle on our behalf is maintained on the GDPR page. Each is bound by a data-processing agreement and reviewed annually.

11

Contact

Questions about this page?

Reach out at security@socialsboost.com and we'll get back within one business day.
