Legal
Security
Security is built into LittlePoster.ai from the database layer up. This page summarizes the controls we have in place to protect your workspace, content, and connected social accounts.
Data protection
- OAuth tokens for connected networks are encrypted at rest with AES-256-GCM envelope encryption. The master key is held in our secret manager, separate from the database.
- All data in transit is encrypted with TLS 1.2 or higher.
- Production databases are hosted on Neon with daily encrypted backups.
- Media uploads are scanned for type and size limits before being stored in Cloudflare R2 with private ACLs and signed URLs.
Access control
- Workspace access is gated by Auth.js sessions and role-based permissions.
- Engineering access to production systems is limited to a small number of named individuals, requires hardware-key-backed 2FA, and is logged.
- We follow the principle of least privilege: service accounts have the narrowest scope required for their job.
Application security
- All inbound writes pass through type-checked server actions and Zod-validated API handlers; untrusted input is never trusted as a type.
- Webhook payloads from social networks are signature-verified before they hit the processing queue.
- Dependencies are tracked with Renovate and audited weekly. Security patches are deployed within agreed SLAs based on severity.
- CSP, HSTS, and modern cookie attributes are enabled across the web app.
Infrastructure
- The web app and worker run on Fly.io in EU regions. Region pinning is available on enterprise plans.
- Postgres is provisioned per-environment; no shared tenancy of data.
- Publishing is queued through pg-boss with locked claim semantics so a post is never published twice.
Monitoring
- Application errors are captured in Sentry and triaged by an on-call engineer.
- Failed publishes, expired credentials, and abnormal token-refresh patterns trigger alerts and customer-facing notifications.
- Audit logs record significant actions taken in a workspace.
Incident response
If we detect a security incident affecting customer data, we notify affected customers without undue delay and, for personal data breaches, within 72 hours where required by GDPR. Our standard incident workflow includes scoping, containment, eradication, recovery, and a written post-mortem.
Responsible disclosure
If you believe you have found a security issue, please email security@littleposter.ai with the details and steps to reproduce. We will acknowledge within two business days and keep you informed through remediation. Please do not publicly disclose the issue until we have had a reasonable opportunity to address it.
Compliance
We operate under GDPR for EU/UK customers and offer a Data Processing Addendum for accounts that require one. SOC 2 Type II is on our roadmap; please contact security@littleposter.ai for the current status and a copy of available security documentation.