PostSyncly is built so a security review goes quickly. This page describes the controls we have today, not a roadmap. Where we’re working toward a formal attestation, we say so explicitly.
What we have today
- GDPR / UK GDPR / CCPA alignment — DPA available; SCCs and UK IDTA supported. See the Data Processing Addendum.
- Encryption at rest — AES-256-GCM envelope encryption on every stored OAuth token, with the data-encryption key kept exclusively in TOKEN_ENCRYPTION_KEY environment storage.
- Encryption in transit — TLS 1.2+ on every public endpoint, with HSTS preload and modern cipher suites only.
- Tenant isolation — Postgres Row-Level Security policies on every workspace-scoped table. The session sets app.current_workspace_id per request; queries that escape that scope simply return zero rows.
- Audit log — every mutating action (post create, approval decision, settings change, plan change, member add/remove, OAuth token grant, portal-link access) is recorded with actor, target, IP and user-agent. Available to workspace owners; export to CSV.
- Signed webhooks — the Meta inbox webhook verifies X-Hub-Signature-256; billing webhooks verify the provider's HMAC; SAML assertions must be signed or they are rejected.
- OAuth scopes you authorize, nothing more — connection cards list every scope on screen before the redirect; tokens are revocable from Settings → Connections.
- Idempotent boot — migrations and seed are designed so a redeploy never rewrites or drops customer data; database backups run daily on the managed Postgres provider with 30-day retention.
Identity & access
- Better Auth with magic link, email OTP, passkey (WebAuthn), and OAuth (Google / Microsoft / Apple — opt-in by env).
- SSO — OIDC live; SAML assertion verification via @node-saml/node-saml with wantAssertionsSigned: true enforced.
- SCIM 2.0 tokens for directory provisioning on Enterprise.
- Granular roles — Owner, Admin, Editor, Approver, Contributor, Client Viewer, Billing Manager.
- IP allowlisting — per-workspace allowlist on Enterprise.
Application security
- CSRF Origin checks on every authenticated mutation route.
- Plan-gating enforced server-side, not client-side, on every premium feature.
- Server-side request forgery guards on URL-fetching endpoints (brand-kit ingestion blocks private IPs and reserved hosts).
- Dependabot enabled with weekly review; critical CVEs reviewed within 24 hours.
- Secrets scanning on commit; no credentials in the repo.
- Strict cookies — HttpOnly, SameSite=Lax, Secure in production.
Tenant data residency
Today, all production data lives on a single managed Postgres instance and a single Cloudflare R2 bucket. We’re a young company; multi-region provisioning is a paid add-on we expect to offer to Enterprise customers in a future phase, not something we ship today. If your compliance program requires EU data residency, talk to us before signing — we’ll be honest about whether we can meet your timeline.
AI & customer content
AI features run in your tenant, on data you authorize, only when you ask. Customer content is never used to train third-party foundation models. Our AI providers (currently Anthropic Claude for text, OpenAI for embeddings, and Replicate for image generation) operate under their published zero-training terms for API customers.
Sub-processors
The full list of sub-processors and the data each one handles is published at /legal/subprocessors. We notify workspace owners by email at least 30 days before adding a new one.
Incident response
We monitor production via Sentry, log aggregation, and uptime checks. If we confirm an incident affecting customer data, we will notify affected workspace owners by email within 72 hours of confirmation, and publish a written post-mortem within 14 days. Coordinated vulnerability disclosure: email security@postsyncly.com. We do not pursue researchers acting in good faith.
What’s on the roadmap (not yet shipped)
We don’t want to claim controls we don’t have. The following are on our 2026 roadmap, not in place today:
- Formal SOC 2 Type II attestation
- ISO/IEC 27001 certification
- Third-party penetration testing on an annual schedule
- Public status page with SLA reporting
- Multi-region production for EU data residency
- Bug-bounty program
If a current or future customer needs any of these in writing before signing, we’re happy to commit a delivery date in your Master Subscription Agreement.
Reporting a vulnerability
Email security@postsyncly.com with details and proof-of-concept where possible. We acknowledge within 24 hours, triage within 5 business days, and remediate critical issues within 30 days.