Trust & Security

Last updated: Oct 17, 2025

At Postbase, Inc., our most important commitment is to the trust and security of our customers. We understand that when you use Postbase to manage your social media presence, you're entrusting us with your brand's voice, your content, and access to your social media accounts. That's why we've built our security program on the principles of transparency, data ownership, and defense-in-depth. This page provides a detailed overview of the policies, technologies, and procedures we have in place to protect your information.

Core Tenets of Our Security Program

Our approach to security is guided by these fundamental commitments:

You Own Your Content: You retain full ownership of all posts, media, and content you create through Postbase. We are simply custodians of your data while providing our service.

Your Data Is Not Our Product: We will never sell, rent, or trade your data or content. Our business model is based on providing valuable social media management tools, not monetizing your information.

Your Content Does Not Train AI Models: Your scheduled posts, captions, images, and social media data are never used to train general-purpose or third-party AI models.

Minimal Access Principle: We only request the minimum permissions necessary from social media platforms to provide our core scheduling and analytics features. We never access more than what's required.

Transparent Security Practices: We believe in being open about our security measures so you can make informed decisions about trusting us with your social media management.

Data Governance & Privacy

We believe in privacy by design, ensuring your data is handled responsibly and exclusively for the purpose of providing the Postbase service.

Data Ownership & Control

You retain all intellectual property rights to the content you create in Postbase. This includes:

  • Post text, captions, and descriptions
  • Images, videos, and other media files
  • Hashtags and content strategies
  • Draft content and templates
  • Social media analytics data

You can export and delete your data at any time from within your account settings.

Data Usage

Your data is used solely to provide and improve the Postbase service for you. This includes:

  • Storing and scheduling your social media posts
  • Transmitting your content to connected social media platforms for publishing
  • Displaying analytics and performance metrics
  • Personalizing your experience within your account
  • Ensuring platform functionality and reliability

We do not access or use your content for any other purpose. We never share your content with other Postbase users, use it for marketing purposes, or include it in training datasets.

Data Retention

As detailed in our Privacy Policy:

  • Active Accounts: We retain your data while your account is active and as long as needed to provide our services.
  • Scheduled Content: Posts remain in your account until published or manually deleted by you.
  • Published Content: Historical records of published posts and their performance metrics are retained for up to 24 months.
  • After Termination: Data is retained for 90 days following account termination to allow for account recovery, then permanently deleted.
  • Backups: Data in backups is automatically deleted according to our retention schedules (maximum 90 days after account termination).

Data Portability

You have the right to export all your User-Generated Content at any time through your account settings. Exports include:

  • All scheduled and draft posts
  • Uploaded media files
  • Post templates
  • Analytics data (where available)

Social Media Account Security

Because Postbase connects to your social media accounts, we take extraordinary measures to protect these sensitive connections.

Secure OAuth Implementation

We use industry-standard OAuth 2.0 authorization to connect your social media accounts. This means:

  • You Never Share Passwords: You authorize Postbase through the official social media platform's secure login process. We never see or store your social media passwords.
  • Scoped Permissions: We only request the minimum permissions required to schedule posts and retrieve analytics. We never request permission to delete content, access private messages (DMs), or perform other unnecessary actions.
  • Revocable Access: You can disconnect any social media account from Postbase at any time, either through our settings or directly through the platform's security settings.
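The following is an added example, written for this page in Go rather than taken from Postbase's code, of the two halves of an authorization-code flow: building the redirect with a random state and an S256 PKCE challenge (RFC 7636), then validating the callback. The authorize URL, client ID, redirect URI, scope names and the ten-minute flow lifetime are placeholders, and the server-to-server token request that adds the client secret is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// pendingAuth is what the server keeps between redirect and callback, keyed by the state value.
type pendingAuth struct {
	customerID   string
	codeVerifier string
	expires      time.Time
}

// OAuthClient holds one platform registration; all values below are placeholders for this example.
type OAuthClient struct {
	ClientID     string
	AuthorizeURL string
	RedirectURI  string
	Scopes       []string // only what the feature needs, e.g. publishing plus read-only insights
	Now          func() time.Time
	pending      map[string]pendingAuth
}

func NewOAuthClient(clientID, authorizeURL, redirectURI string, scopes []string) *OAuthClient {
	return &OAuthClient{ClientID: clientID, AuthorizeURL: authorizeURL, RedirectURI: redirectURI,
		Scopes: scopes, Now: time.Now, pending: map[string]pendingAuth{}}
}

// randomURLSafe returns n bytes from the OS CSPRNG as unpadded base64url, the alphabet PKCE requires.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// PKCEChallenge is the S256 method from RFC 7636: BASE64URL(SHA-256(code_verifier)).
func PKCEChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BeginAuth builds the URL the user is redirected to. The state ties the later callback to this
// flow; the PKCE challenge ties the authorization code to the verifier only this server knows.
func (c *OAuthClient) BeginAuth(customerID string) (string, error) {
	state, err := randomURLSafe(32)
	if err != nil {
		return "", err
	}
	verifier, err := randomURLSafe(32) // 43 characters, within the 43..128 RFC 7636 allows
	if err != nil {
		return "", err
	}
	c.pending[state] = pendingAuth{customerID, verifier, c.Now().Add(10 * time.Minute)}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", c.ClientID)
	q.Set("redirect_uri", c.RedirectURI)
	q.Set("scope", strings.Join(c.Scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", PKCEChallenge(verifier))
	q.Set("code_challenge_method", "S256")
	return c.AuthorizeURL + "?" + q.Encode(), nil
}

// CompleteAuth validates the platform's redirect back to us and returns the owning customer plus
// the form for the token request. The token POST itself (which adds the client secret and goes
// server-to-server over TLS) is outside this example.
func (c *OAuthClient) CompleteAuth(callbackURL string) (string, url.Values, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", nil, err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", nil, fmt.Errorf("authorization refused: %s", e)
	}
	state, code := q.Get("state"), q.Get("code")
	p, ok := c.pending[state]
	if state == "" || code == "" || !ok {
		return "", nil, errors.New("unknown state: callback was not started by us or was already used")
	}
	delete(c.pending, state) // single use: a replayed callback fails the lookup above next time
	if c.Now().After(p.expires) {
		return "", nil, errors.New("authorization flow expired")
	}
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "client_id": {c.ClientID},
		"redirect_uri": {c.RedirectURI}, "code_verifier": {p.codeVerifier}}
	return p.customerID, form, nil
}
```

Two checks carry the security weight here: the state is looked up and deleted in one step, so a callback that was not initiated by this server, or one replayed later, is rejected before any token request is made; and the code_verifier never leaves the server, so an authorization code captured in transit cannot be redeemed by anyone else.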

Access Token Protection

When you connect a social media account to Postbase:

  • Encrypted Storage: All OAuth access tokens and refresh tokens are encrypted at rest using AES-256 encryption with unique encryption keys per customer.
  • Encrypted Transmission: Tokens are only transmitted over secure TLS 1.2+ connections.
  • Automatic Rotation: Tokens are automatically refreshed according to platform requirements, and old tokens are immediately discarded.
  • Secure Deletion: When you disconnect an account, all associated tokens are immediately and permanently deleted from our systems.
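As an added illustration of per-customer token encryption (example code written for this page, not Postbase's implementation), the Go below keeps one random 256-bit data key per customer, wrapped under a master key that stands in for a KMS-held key, encrypts each token with AES-256-GCM, and binds every ciphertext to its customer, platform and token type through the authenticated additional data. The record layout, field names and the sample token are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// TokenRecord is a hypothetical stored row for one platform token; field names are assumptions.
type TokenRecord struct {
	CustomerID, Platform, Kind string // Kind is "access" or "refresh"
	Blob                       []byte // nonce || AES-256-GCM ciphertext and tag
}

// Vault: a master key (stand-in for a KMS-held key that never leaves KMS) plus, per customer, a
// random data key wrapped under it.
type Vault struct {
	master  []byte
	wrapped map[string][]byte
}

func NewVault(master []byte) *Vault { return &Vault{master: master, wrapped: map[string][]byte{}} }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything but a 16, 24 or 32-byte key; we use 32
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext. aad is authenticated but not encrypted, so a blob copied to
// another customer, platform or token kind fails to open instead of yielding a usable token.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func tokenAAD(r *TokenRecord) []byte { return []byte(r.CustomerID + "|" + r.Platform + "|" + r.Kind) }

// customerKey unwraps the customer's data key; with create set, a missing key is generated and wrapped.
func (v *Vault) customerKey(customerID string, create bool) ([]byte, error) {
	aad := []byte("customer-key:" + customerID)
	if w, ok := v.wrapped[customerID]; ok {
		return open(v.master, w, aad)
	}
	if !create {
		return nil, errors.New("no data key for customer (never provisioned, or shredded)")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	w, err := seal(v.master, key, aad)
	if err != nil {
		return nil, err
	}
	v.wrapped[customerID] = w
	return key, nil
}

func (v *Vault) StoreToken(customerID, platform, kind, token string) (*TokenRecord, error) {
	key, err := v.customerKey(customerID, true)
	if err != nil {
		return nil, err
	}
	rec := &TokenRecord{CustomerID: customerID, Platform: platform, Kind: kind}
	if rec.Blob, err = seal(key, []byte(token), tokenAAD(rec)); err != nil {
		return nil, err
	}
	return rec, nil
}

// LoadToken decrypts a record for an outbound API call; this is the only place the plaintext exists.
func (v *Vault) LoadToken(rec *TokenRecord) (string, error) {
	key, err := v.customerKey(rec.CustomerID, false)
	if err != nil {
		return "", err
	}
	pt, err := open(key, rec.Blob, tokenAAD(rec))
	return string(pt), err
}

// Shred discards the customer's wrapped key: every blob under it, including copies still held in
// encrypted backups, becomes unrecoverable without having to locate and purge each copy.
func (v *Vault) Shred(customerID string) { delete(v.wrapped, customerID) }
```

Deleting the wrapped key is what makes "permanently deleted" hold for ciphertext that still sits in backups: the bytes may persist, but nothing can open them. In production the wrap and unwrap calls are what you would route through KMS (where key rotation happens), so the master key itself is never present in application memory.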

Platform-Specific Security

For each social media platform we support, we follow their security best practices:

  • Instagram/Facebook/Threads: We use Meta's official Business APIs and comply with their security requirements and data use policies.
  • TikTok: We implement TikTok for Developers security standards and API guidelines.
  • YouTube: We comply with Google API Services User Data Policy and OAuth 2.0 security requirements.
  • X (Twitter): We follow X API security best practices and implement proper rate limiting.
  • LinkedIn: We adhere to LinkedIn's API Terms of Use and security requirements.

What We Can and Cannot Do

What Postbase CAN do with your connected accounts:

  • Schedule and publish posts on your behalf
  • Retrieve performance metrics and analytics for your published content
  • Display your profile information (name, profile picture, follower count)

What Postbase CANNOT do:

  • Access, read, or send direct messages (DMs)
  • Delete your posts or content
  • Change your account settings or profile information
  • Access content from accounts you haven't explicitly connected
  • Post content you haven't scheduled or approved

Infrastructure & Network Security

Postbase is built on world-class infrastructure, leveraging the security and scale of Amazon Web Services (AWS) to protect our platform from the ground up.

Secure Cloud Environment

Our entire platform is hosted on AWS. The following controls apply to the infrastructure layer and are provided and attested by AWS; they do not by themselves cover the Postbase application, whose own certifications are listed under Compliance & Certifications below:

  • A highly secure, access-controlled hosting environment with physical security of data centers
  • AWS compliance with global security standards including SOC 2, ISO 27001, PCI DSS, and HIPAA
  • Regular independent security audits and penetration testing of AWS infrastructure
  • Service-level agreements of up to 99.99% availability on the AWS services we build on (Postbase's own uptime target is stated under High Availability below)

Data Encryption

We employ strong encryption protocols to protect your data at all stages:

Encryption in Transit:

  • All data transmitted between your device and our services is encrypted using industry-standard Transport Layer Security (TLS 1.3 or TLS 1.2).
  • All connections to third-party social media platform APIs use TLS 1.2+ encryption.
  • HTTPS is enforced across all Postbase web properties.
  • Perfect Forward Secrecy (PFS) is enabled to protect past sessions against future compromises.

Encryption at Rest:

  • All customer data, including databases, files, and backups, is encrypted at rest using the Advanced Encryption Standard (AES-256), one of the strongest block ciphers available.
  • Media files (images, videos) uploaded to Postbase are encrypted using AES-256 before storage.
  • Database encryption keys are managed through AWS Key Management Service (KMS) with automatic rotation.
  • Backups are also encrypted using AES-256.

Network Isolation

  • Virtual Private Clouds (VPCs): We utilize AWS VPCs to create logically isolated sections of the cloud.
  • Environment Segregation: Our production environment is strictly segregated from development and testing environments.
  • Firewall Rules: Security groups and network access control lists (ACLs) are configured to restrict traffic to only what is absolutely necessary.
  • DDoS Protection: We leverage AWS Shield for protection against Distributed Denial of Service attacks.
  • Web Application Firewall: AWS WAF is configured to protect against common web exploits and attacks.

Logging and Monitoring

We centrally aggregate logs and implement continuous monitoring to detect and respond to security threats:

  • Real-time monitoring of infrastructure health and security events
  • Automated alerting on anomalous activity and potential threats
  • Security Information and Event Management (SIEM) for log analysis
  • Regular review of access logs and authentication attempts
  • Automated detection of security misconfigurations

Application & Product Security

Security is an integral part of our software development lifecycle, from initial design to deployment and maintenance.

Secure Software Development Lifecycle (SDLC)

Our engineering team follows secure coding best practices:

  • Code Review: All code is subject to peer review before being merged into production.
  • Automated Security Analysis: We use static application security testing (SAST) tools to automatically scan code for vulnerabilities.
  • Dependency Management: All third-party libraries and dependencies are regularly updated and scanned for known vulnerabilities.
  • Security Testing: We conduct regular security testing, including penetration testing and vulnerability assessments.

Vulnerability Management

We maintain a proactive approach to identifying and addressing security vulnerabilities:

  • Automated Scanning: Regular automated vulnerability scanning of our applications, dependencies, and infrastructure.
  • Patch Management: Critical security patches are prioritized and deployed rapidly.
  • Dependency Updates: We monitor security advisories for all third-party dependencies and update promptly.
  • Bug Bounty Program: We welcome responsible disclosure from security researchers (see Responsible Disclosure section below).

Access Controls

User Authentication:

  • Strong password requirements (minimum 8 characters, complexity requirements)
  • Support for password managers
  • Two-factor authentication (2FA) available for all accounts
  • Account lockout after multiple failed login attempts
  • Secure password reset process with time-limited tokens

Session Management:

  • Secure session token generation
  • Automatic session expiration after inactivity
  • Session invalidation upon logout
  • Protection against session fixation and hijacking attacks
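The lockout, reset-token and session rules above can be seen working together in the following added Go example (illustrative code written for this page, not Postbase's implementation). The thresholds (five failures, a 15-minute lockout, 30-minute reset and idle windows) are assumed values, and the in-memory maps stand in for database tables.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"time"
)

// Illustrative limits, not Postbase's configured values.
const (
	maxFailures   = 5
	lockoutPeriod = 15 * time.Minute
	resetTTL      = 30 * time.Minute
	idleTimeout   = 30 * time.Minute
)

type entry struct {
	userID           string
	issued, lastSeen time.Time
}

// AuthStore stands in for the database tables; tokens are kept only as SHA-256 digests.
type AuthStore struct {
	Now        func() time.Time // injectable clock
	failures   map[string]int
	lockedTill map[string]time.Time
	resets     map[[32]byte]entry
	sessions   map[[32]byte]entry
}

func NewAuthStore() *AuthStore {
	return &AuthStore{Now: time.Now, failures: map[string]int{}, lockedTill: map[string]time.Time{},
		resets: map[[32]byte]entry{}, sessions: map[[32]byte]entry{}}
}

func digest(tok string) [32]byte { return sha256.Sum256([]byte(tok)) }

// issue records a fresh 256-bit CSPRNG token in tbl by digest and returns its only plaintext copy.
func (s *AuthStore) issue(tbl map[[32]byte]entry, userID string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	tbl[digest(tok)] = entry{userID, s.Now(), s.Now()}
	return tok, nil
}

// Login enforces lockout before the password is checked and mints a brand-new session on success
// instead of upgrading any pre-login one (the session-fixation defence).
func (s *AuthStore) Login(userID string, passwordOK func() bool) (string, error) {
	if till, ok := s.lockedTill[userID]; ok && s.Now().Before(till) {
		return "", errors.New("account temporarily locked")
	}
	if !passwordOK() {
		s.failures[userID]++
		if s.failures[userID] >= maxFailures {
			s.lockedTill[userID] = s.Now().Add(lockoutPeriod)
		}
		return "", errors.New("invalid credentials")
	}
	delete(s.failures, userID)
	return s.issue(s.sessions, userID)
}

// Resolve maps a presented session token to its user, dropping sessions idle longer than idleTimeout.
func (s *AuthStore) Resolve(tok string) (string, bool) {
	d, now := digest(tok), s.Now()
	se, ok := s.sessions[d]
	if !ok || now.Sub(se.lastSeen) > idleTimeout {
		delete(s.sessions, d)
		return "", false
	}
	se.lastSeen = now
	s.sessions[d] = se
	return se.userID, true
}

// Logout invalidates server-side; clearing only the browser cookie would leave the token replayable.
func (s *AuthStore) Logout(tok string) { delete(s.sessions, digest(tok)) }

// IssueReset creates a single-use reset token that ConsumeReset honours for resetTTL.
func (s *AuthStore) IssueReset(userID string) (string, error) { return s.issue(s.resets, userID) }

// ConsumeReset burns the token whether or not it is still valid, checks expiry, then ends the
// user's other sessions, since the password being replaced may already be compromised.
func (s *AuthStore) ConsumeReset(tok string) (string, error) {
	d := digest(tok)
	e, ok := s.resets[d]
	if !ok {
		return "", errors.New("invalid or already used reset token")
	}
	delete(s.resets, d)
	if s.Now().After(e.issued.Add(resetTTL)) {
		return "", errors.New("reset token expired")
	}
	for k, se := range s.sessions {
		if se.userID == e.userID {
			delete(s.sessions, k)
		}
	}
	return e.userID, nil
}
```

Only digests of tokens are stored, so a read of the session table is not a session hijack; a login always mints a new session rather than promoting one that existed before authentication; and a consumed reset token ends the user's other sessions, since the password being replaced may already be in an attacker's hands. The lockout check runs before the password is verified, so a locked account cannot be used as an oracle for further guesses.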

Input Validation & Output Encoding

  • All user inputs are validated and sanitized to prevent injection attacks
  • Protection against Cross-Site Scripting (XSS) attacks
  • SQL injection prevention through parameterized queries
  • Content Security Policy (CSP) headers implemented
  • Protection against Cross-Site Request Forgery (CSRF) attacks

API Security

  • All API endpoints require authentication
  • Rate limiting to prevent abuse
  • API keys are treated as sensitive credentials and encrypted
  • Comprehensive API logging for audit purposes

Third-Party Platform Security

As a social media management platform, we integrate with multiple third-party services. We hold all partners to high security standards.

Vetted Platform Integrations

We only integrate with official, well-established social media platforms:

  • Instagram, Facebook, Threads (Meta)
  • TikTok
  • YouTube (Google)
  • X (Twitter)
  • LinkedIn

Each platform integration:

  • Uses official, documented APIs
  • Follows platform security best practices
  • Complies with platform data use policies
  • Is regularly reviewed for security updates

API Security Best Practices

When connecting to social media platforms:

  • We use secure OAuth 2.0 authentication flows
  • We implement proper rate limiting and error handling
  • We validate all data received from platform APIs
  • We never store more data than necessary
  • We comply with each platform's data retention policies

Third-Party Service Providers

We carefully vet all third-party service providers we use:

  • Payment Processing: We use PCI DSS-compliant payment processors (e.g., Stripe) and never store full credit card information.
  • Analytics: We use reputable analytics providers with strong privacy policies (e.g., Google Analytics, Mixpanel).
  • Infrastructure: AWS provides SOC 2, ISO 27001, and other security certifications.

All third-party providers are subject to our vendor security review process and must meet our minimum security requirements.

Organizational Security

Security is a shared responsibility across our entire company.

Personnel Security

  • Background Checks: All Postbase employees undergo background checks appropriate to their role and location.
  • Security Training: All employees receive security awareness training during onboarding and ongoing training throughout their employment.
  • Confidentiality Agreements: All employees sign confidentiality and data protection agreements.
  • Clean Desk Policy: Physical and digital workspaces must be kept secure and free of sensitive information when not in use.

Access Management

Principle of Least Privilege:

  • Employee access to sensitive data and production systems is strictly limited based on job function.
  • Access is granted on a "need-to-know" basis.
  • Role-Based Access Control (RBAC) is implemented across all systems.
  • Regular access reviews and audits are conducted.

Production Access:

  • Access to production systems requires multi-factor authentication.
  • All production access is logged and monitored.
  • Production access is regularly reviewed and revoked when no longer needed.
  • Separation of duties between development and production environments.

Asset Management

  • All company devices are encrypted and protected with strong passwords.
  • Mobile device management (MDM) for company-owned devices.
  • Remote wipe capabilities for lost or stolen devices.
  • Regular software updates and security patches on all devices.

Incident Response & Availability

We have a comprehensive plan in place to respond to potential security incidents and ensure the reliability of our service.

Incident Response Plan

We maintain a formal incident response plan that outlines the procedures for:

  1. Detection: Continuous monitoring and alerting systems to identify potential security incidents.
  2. Containment: Immediate steps to prevent further damage or data exposure.
  3. Eradication: Removing the threat and addressing the root cause.
  4. Recovery: Restoring systems and data to normal operations.
  5. Post-Incident Review: Analyzing the incident and implementing improvements.

Communication & Transparency

In the event of a security incident that impacts your data:

  • We are committed to transparent and timely communication.
  • We will notify affected customers within 72 hours of confirming the incident.
  • We will provide regular updates throughout the incident response process.
  • We will publish a post-mortem after resolution (with appropriate redactions for security).

High Availability

Our architecture is designed to be resilient and fault-tolerant:

  • Redundancy: Multiple availability zones and redundant systems to minimize single points of failure.
  • Automated Backups: Daily automated backups with point-in-time recovery capabilities.
  • Disaster Recovery: Comprehensive disaster recovery plan with regular testing.
  • Uptime Target: We aim for 99.9% uptime for our core services.
  • Status Updates: Real-time service status available at status.trypostbase.com.

Business Continuity

We maintain business continuity plans to ensure service availability during:

  • Infrastructure failures
  • Natural disasters
  • Cyber attacks
  • Other unexpected disruptions

Compliance & Certifications

We are committed to meeting industry-standard security frameworks and compliance requirements.

Current Compliance

  • GDPR Compliance: We comply with the European Union's General Data Protection Regulation for EU customers.
  • CCPA Compliance: We comply with the California Consumer Privacy Act for California residents.
  • International Data Transfers: Privacy Shield is no longer a valid transfer mechanism; for personal data transferred out of the EU/EEA we rely on the transfer mechanisms that currently apply under GDPR.

Planned Certifications

As we grow, we are working toward:

  • SOC 2 Type II certification
  • ISO 27001 certification
  • Additional regional privacy law compliance

Data Processing Agreements

We offer Data Processing Agreements (DPAs) for enterprise customers to formalize our data handling commitments and ensure compliance with applicable privacy laws.

Responsible Disclosure

We value the work of independent security researchers and believe in the importance of coordinated disclosure. If you believe you have discovered a security vulnerability in the Postbase platform, please help us by reporting it responsibly.

How to Report

Email us at: support@trypostbase.com

Please include in your report:

  • A clear description of the vulnerability
  • A severity rating (Critical, High, Medium, Low)
  • Step-by-step instructions to reproduce the issue
  • Proof of concept (PoC) or demonstration
  • Your operating system and browser information
  • Any relevant screenshots or logs

GPG Encryption

If your report includes sensitive information (such as access tokens, credentials, or user data), please request our GPG public key and encrypt your communication.

Our Commitment

When you report a vulnerability to us:

  • We will acknowledge receipt of your report within 2 business days.
  • We will provide an estimated timeline for addressing the issue.
  • We will keep you informed of our progress.
  • We will credit you for the discovery (unless you prefer to remain anonymous) once the issue is resolved.
  • We will not take legal action against researchers who follow responsible disclosure practices.

Scope

In Scope:

  • trypostbase.com and all subdomains
  • Mobile applications (iOS and Android)
  • API endpoints
  • Authentication and authorization systems

Out of Scope:

  • Social engineering attacks against Postbase employees
  • Denial of Service (DoS) attacks
  • Physical security testing
  • Third-party platforms (Instagram, Facebook, etc.) - please report directly to those platforms

Common Non-Vulnerabilities

To help focus efforts, the following are generally not considered vulnerabilities:

  • Missing security headers on non-sensitive pages (e.g., marketing pages)
  • Self-XSS that requires significant social engineering
  • Issues requiring physical access to a user's device
  • Reports from automated tools without proof of exploitability
  • Issues in third-party libraries without proof of exploitation in Postbase
  • Content spoofing without demonstrated security impact

Bug Bounty Program

For valid, previously unknown vulnerabilities, we offer:

  • Critical Severity: Recognition + reward (amount varies by impact)
  • High Severity: Recognition + reward
  • Medium Severity: Recognition + swag
  • Low Severity: Recognition

We reserve the right to determine severity and rewards on a case-by-case basis.

Questions?

If you have any questions about our security practices, please contact us at support@trypostbase.com.

Your trust is the foundation of our service. We are committed to continuously improving our security posture to protect your brand, your content, and your social media presence.
