
Security at Social Perks

Customer trust is the only thing we sell. Here's how we earn it — concretely, with the practices, controls, and disclosures that keep your data safe.

Encryption

  • In transit: TLS 1.3 enforced for all client connections. HSTS preload, OCSP stapling, modern cipher suites only.
  • At rest: AES-256-GCM for database storage, object storage (R2/S3), and automatic backups. Keys managed via cloud KMS with per-tenant envelope encryption for sensitive fields.
  • Backups: Encrypted, replicated to a second region, point-in-time recovery for the past 7 days.
  • Key rotation: Automatic 90-day rotation for KMS keys, immediate revocation on suspected compromise.

Authentication

  • Passwords: bcrypt with cost factor 12. We never see plaintext, never log it, never email it.
  • Sessions: JWTs in httpOnly, Secure, SameSite=Lax cookies. Bearer tokens supported for API clients. CSRF tokens enforced on every write.
  • 2FA / TOTP: Optional for all accounts, required for admin tier. Compatible with Authy, 1Password, Google Authenticator.
  • API keys: Three scoped tiers (read, read-write, admin). Hashed at rest; shown once on creation, never again.
  • Session management: List and revoke active sessions from your account settings. Failed-login throttling and audit logging are always on.
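The API-key practice above (scoped tiers, hashed at rest, plaintext shown once), as an added illustration that is not Social Perks' code; the `sp_` key format, the tier ordering and the in-memory store are assumptions:

```python
# Added example (not Social Perks' code): an API-key scheme that follows the
# practices listed above: scoped tiers, hashed at rest, plaintext shown once.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed ordering: each tier covers everything below it.
TIERS = {"read": 0, "read-write": 1, "admin": 2}


@dataclass
class StoredKey:
    key_id: str   # public, non-secret lookup handle
    digest: str   # SHA-256 of the secret; the secret itself is never stored
    scope: str


# Constructed in-memory "database" standing in for Postgres.
KEY_STORE: dict[str, StoredKey] = {}


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_key(scope: str) -> str:
    """Create a key and return the plaintext exactly once; only its hash is kept."""
    if scope not in TIERS:
        raise ValueError(f"unknown scope {scope!r}")
    key_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(32)  # 256 bits of entropy, so a fast hash is adequate
    KEY_STORE[key_id] = StoredKey(key_id, _digest(secret), scope)
    return f"sp_{key_id}_{secret}"


def check_key(presented: str, required_scope: str) -> bool:
    """True only if the key exists, its hash matches, and its tier covers the request."""
    try:
        prefix, key_id, secret = presented.split("_", 2)
    except ValueError:
        return False
    record = KEY_STORE.get(key_id)
    if prefix != "sp" or record is None:
        return False
    # Constant-time comparison so timing does not leak a partial match.
    if not hmac.compare_digest(record.digest, _digest(secret)):
        return False
    return TIERS[record.scope] >= TIERS[required_scope]
```

Because only the digest is stored, a database read exposes nothing that can be presented as a key, which is the point of hashing keys at rest.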

Compliance

GDPR

Full data subject rights — access, portability, rectification, deletion. EU data subprocessor list maintained publicly.

CCPA / CPRA

California consumer rights honored. Do-not-sell signal respected. Consumer requests fulfilled within 45 days.

SOC 2 Type II

Audit in progress. Type I expected mid-2026, Type II by end of year. Letter of engagement available on request.

FTC compliance

Disclosure language is injected automatically into all sponsored content. It cannot be disabled by users, by design.

Infrastructure

  • Hosting: Render (application), Neon / Supabase (Postgres). Both SOC 2 Type II certified providers.
  • Region: US East (Ohio) primary, with EU region available on enterprise plans for data-residency requirements.
  • Network isolation: Application services live in a private VPC. Database access is IP-allowlisted with PgBouncer connection pooling.
  • Monitoring: 100% request tracing, structured JSON logs, anomaly detection on auth flows, page-on-call for incidents.
  • Patching: Dependencies scanned daily. Critical CVEs patched within 24 hours. Quarterly penetration testing by an external firm.

Bug bounty

We pay researchers who help us find and fix vulnerabilities. Email your findings to security@socialperks.app with a clear reproduction. PGP key available on request.

  • $100–500 · Low-severity (info disclosure, missing headers).
  • $500–2,500 · Medium (auth bypass, IDOR, stored XSS).
  • $2,500–10,000 · High/Critical (RCE, account takeover at scale, full data exfiltration).

Out of scope: DoS, social engineering, physical attacks, third-party services. Test only against your own account or our dedicated sandbox at /api/v1/sandbox.

Vulnerability disclosure policy

  1. Report. Email security@socialperks.app with a description, affected URLs, and reproduction steps.
  2. Acknowledgement. We respond within 2 business days with a tracking ID.
  3. Triage. We assign severity and target a fix window: 24h critical, 7d high, 30d medium, 90d low.
  4. Resolution. We notify you on patch and coordinate disclosure timing.
  5. Recognition. With your consent, we credit you in our security hall of fame and changelog.

We commit to safe-harbor for good-faith research that follows this policy. No legal action against researchers who report responsibly.

Privacy commitments

  • We don't sell your data. Ever. Not to advertisers, brokers, or anyone else.
  • We don't train on customer content. Your campaigns, submissions, and customer lists are not used to train AI models.
  • We delete on request. Account deletion purges all customer-identifying data within 30 days. Anonymized aggregates may be retained for benchmarks.
  • We tell you about subpoenas. Unless legally prohibited, we notify customers of government requests for their data before complying.

Read the full privacy policy for the legal version of these commitments.

Questions or concerns?

Security inquiries: security@socialperks.app
Vendor questionnaires & SOC 2 letters: contact your account manager or sales.
