Encryption in transit
All client-to-server traffic uses TLS 1.3 with strong cipher suites; HTTPS is enforced via HSTS (max-age 31536000). Server-to-platform traffic (Meta, X, etc.) likewise uses TLS. We do not accept TLS 1.0/1.1 connections.
Encryption at rest
OAuth access and refresh tokens for connected channels are encrypted with AES-256-GCM under a configuration key (Encryption:OAuthKey) before being written to the database. The database itself runs on encrypted storage volumes; backups are encrypted with separate keys. Passwords are never stored in plaintext — we use Argon2id with high memory + iteration parameters tuned per OWASP guidance.
Authentication
Email-and-password is the default. JWT access tokens have a 15-minute lifetime; refresh tokens are 64-byte random opaque tokens with a 30-day lifetime, hashed before storage and rotated on every refresh.
Refresh-token reuse detection: presenting an already-rotated refresh token revokes ALL of that user's sessions across every device. Reuse is a strong signal of token theft; the response is intentionally aggressive.
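The rotation and reuse-detection flow above, as an added illustration (not PostRoute's own code): a hypothetical in-memory SessionStore stands in for the sessions table, stores only SHA-256 hashes of refresh tokens, retires each token on rotation, and revokes every session of the user when a retired token is presented again.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

def _hash(token: str) -> str:
    # Only the hash is persisted; a database read never yields a usable token.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    """In-memory stand-in (constructed for this example) for the sessions table."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}  # session id -> {"user", "revoked"}
        self.tokens: Dict[str, dict] = {}    # sha256(token) -> {"sid", "retired"}

    def issue(self, user_id: str) -> Tuple[str, str]:
        """New login on one device: returns (session_id, refresh_token)."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user_id, "revoked": False}
        return sid, self._mint(sid)

    def _mint(self, sid: str) -> str:
        token = secrets.token_urlsafe(64)  # 64 random bytes, opaque to the client
        self.tokens[_hash(token)] = {"sid": sid, "retired": False}
        return token

    def refresh(self, presented: str) -> Optional[str]:
        """Rotate: returns a fresh token, or None when the request is refused."""
        rec = self.tokens.get(_hash(presented))
        if rec is None:
            return None                       # never issued
        sess = self.sessions[rec["sid"]]
        if rec["retired"]:
            # Replay of a token that was already rotated out: treated as theft.
            # Every session of this user, on every device, is revoked.
            self.revoke_all(sess["user"])
            return None
        if sess["revoked"]:
            return None
        rec["retired"] = True                 # old token can never be used again
        return self._mint(rec["sid"])

    def revoke_all(self, user_id: str) -> None:
        for sess in self.sessions.values():
            if sess["user"] == user_id:
                sess["revoked"] = True

    def is_active(self, sid: str) -> bool:
        return not self.sessions[sid]["revoked"]
```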
Brute-force gate: credential endpoints (login, register, verify-email, password-reset) sit behind a 5-attempts-per-IP-per-5-minutes rate limit. Failed logins are surfaced in the admin event timeline.
WebAuthn/TOTP 2FA, SAML/OIDC SSO for Studio + Agency plans — on the roadmap, not yet shipped.
Access control
Workspace tenant isolation is enforced at the database query-filter layer (EF Core HasQueryFilter), not just at the API layer. The query filter is applied to every read and is impossible to forget. Cross-tenant queries require explicit IgnoreQueryFilters() calls; those are limited to billing, webhook ingestion, and admin endpoints. Role-based access within a workspace (owner / admin / member / reviewer) gates write actions; owner role cannot be downgraded or removed except by transfer.
Audit and admin event logging
Two parallel log surfaces. The workspace audit log captures every administrative action a customer takes (channel connect, post publish, member invite, role change) and is visible to workspace members on Studio+ plans. The system event log captures cross-workspace events visible only to internal staff: failed logins, refresh-token reuse detected, webhook signature failures, unauthorised admin-panel attempts. System events are retained one year; security-classified events are retained indefinitely.
Network and platform security
DDoS protection at the edge via Cloudflare. Application-level rate limits per IP (200 req/min global) and stricter per-endpoint limits on auth and media-upload paths. Webhook endpoints (Stripe, Meta, X) verify HMAC signatures with the relevant secret before any processing; failures emit a critical security event. CORS is allowlist-based, not wildcard. Standard security headers (HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy denying camera/mic/geolocation/interest-cohort) are applied to every response.
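Webhook signature verification as described above, as an added example rather than PostRoute's code: it checks the documented Meta (X-Hub-Signature-256) and Stripe (Stripe-Signature, with timestamp tolerance) schemes over the raw request body, uses a constant-time comparison, and records a critical event on any failure before the body is ever parsed. The security_events list is a constructed stand-in for the system event log; the secrets and bodies in the test are constructed.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Constructed stand-in for the system event log the page describes.
security_events: List[Tuple[str, str]] = []

def mac_hex(secret: bytes, message: bytes) -> str:
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def _reject(source: str, reason: str) -> bool:
    # A signature failure is logged as a critical event; the body is never parsed.
    security_events.append(("critical", f"{source} webhook signature failure: {reason}"))
    return False

def verify_meta(raw_body: bytes, header: str, app_secret: bytes) -> bool:
    """Meta: X-Hub-Signature-256 = 'sha256=' + hex HMAC-SHA256 of the raw body."""
    if not header.startswith("sha256="):
        return _reject("meta", "malformed header")
    # compare_digest is constant-time, so the comparison leaks nothing about the MAC.
    if not hmac.compare_digest(mac_hex(app_secret, raw_body), header[len("sha256="):]):
        return _reject("meta", "mismatch")
    return True

def verify_stripe(raw_body: bytes, header: str, signing_secret: bytes,
                  now: Optional[int] = None, tolerance: int = 300) -> bool:
    """Stripe: Stripe-Signature = 't=<unix ts>,v1=<hex HMAC-SHA256 of "<ts>.<body>">'.
    The timestamp window bounds how long a captured request remains replayable."""
    fields = dict(kv.split("=", 1) for kv in header.split(",") if "=" in kv)
    ts, sig = fields.get("t"), fields.get("v1")
    if ts is None or sig is None or not ts.isdigit():
        return _reject("stripe", "malformed header")
    if abs(int(now if now is not None else time.time()) - int(ts)) > tolerance:
        return _reject("stripe", "timestamp outside tolerance")
    # Sign the raw bytes as received: re-serialising parsed JSON would change them.
    if not hmac.compare_digest(mac_hex(signing_secret, ts.encode() + b"." + raw_body), sig):
        return _reject("stripe", "mismatch")
    return True
```

Stripe can list several v1 values in one header during secret rollover; this example keeps only the last, which a production verifier should not do.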
Input validation and content safety
File uploads are gated by magic-byte sniffing — we never trust the client-supplied Content-Type. Uploaded filenames are discarded; the server synthesises a name from the sniffed extension. Maximum 50 MB per upload, 30 uploads per user per 5 minutes. Server-side input validation runs on every endpoint; all SQL is parameterised (generated by EF Core), with no string-built queries.
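The upload gate described above, as an added example (not PostRoute's handler): the file type comes from a constructed allowlist of magic bytes, the 50 MB cap is enforced on the bytes received, and the storage name is synthesised from a random id plus the sniffed extension, so neither the client's filename nor its Content-Type influences anything.

```python
import secrets
from typing import List, Optional, Tuple

# Constructed allowlist of (magic bytes, offset, extension the server will use).
SIGNATURES: List[Tuple[bytes, int, str]] = [
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpg"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"ftyp", 4, "mp4"),   # ISO base media file: the 'ftyp' box type sits at byte 4
]
MAX_UPLOAD_BYTES = 50 * 1024 * 1024

def sniff_extension(head: bytes) -> Optional[str]:
    """Map the leading bytes of a file to an allowed extension, or None."""
    for magic, offset, ext in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return ext
    return None

def accept_upload(data: bytes, client_filename: str, client_content_type: str) -> str:
    """Validate an upload and return the storage name the server chose.

    client_filename and client_content_type are accepted only so the signature
    mirrors a real handler; neither is consulted, because both are client-controlled."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload exceeds 50 MB")
    ext = sniff_extension(data[:16])        # 16 bytes cover every entry above
    if ext is None:
        raise ValueError("file type not recognised")
    # Name is synthesised: random id plus the sniffed extension. Nothing from the
    # client-supplied name (path separators, double extensions) reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"
```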
Data isolation and tenancy
Each workspace is a logical tenant. Cross-tenant access is impossible through the public API: the EF query filter is the floor; the row-level constraints in the schema are the ceiling. Sub-processor data (Stripe, Resend) is keyed by your customer/subscription id; we never share workspace data across tenants for any operational reason.
Backup and disaster recovery
Database snapshots taken at least daily, retained 30 days rolling, encrypted with separate keys from the production database. Point-in-time recovery available for the last 7 days. Recovery objectives: RPO ≤ 24 hours, RTO ≤ 4 hours for a regional outage. We test a backup restore quarterly.
Vulnerability management
Dependency scanning runs on every pull request and weekly against main; high-severity advisories are patched within 7 days, critical within 48 hours. Static analysis flags common vulnerability classes (SQL injection, XSS, path traversal) — surfaced in code review. Penetration tests are scheduled annually with an external firm; high-severity findings are remediated before release of the test report.
Incident response
On-call rotation with paging response under 15 minutes. Confirmed personal-data breaches affecting account data trigger customer notification within 24 hours; supervisory authority notification (ICO for UK / relevant EEA DPA) within 72 hours per UK GDPR + EU GDPR Art. 33. We publish incident post-mortems for any user-visible outage above 30 minutes.
Sub-processor due diligence
Every sub-processor is reviewed before engagement: SOC 2 / ISO 27001 attestation, GDPR DPA in place with SCCs where transfers leave the EEA, transfer impact assessment documented. The current sub-processor list lives in our Privacy policy and is updated when changes happen; existing customers receive 30 days' notice via email of additions.
Compliance roadmap
PostRoute is built to UK GDPR + EU GDPR requirements from day one. ICO registration in progress. SOC 2 Type I assessment scheduled in 2026; Type II report within 12 months of Type I close. ISO 27001 certification under evaluation. Audit reports available under NDA via your account manager (Agency plans) or via [email protected] for prospects under evaluation.
Vulnerability disclosure
Email [email protected] with reproduction steps. We acknowledge within 2 business days, fix critical findings within 14 days, and credit reporters publicly (with permission) on our security page. We do not currently run a paid bounty programme; that may change post-Series A.