Security & trust posture.
Where we stand on certifications, encryption, sub-processors, and customer data — without the buzzwords. We update this page as our posture evolves.
Last reviewed: 2026-04-30
At a glance
The infrastructure behind AuditSocials. Each is a verifiable choice — independently auditable.
Hosted on Vercel
Edge-deployed Next.js application with TLS 1.3, automatic certificate renewal, and DDoS protection at the edge.
Database & Auth: Supabase (EU — Dublin)
Customer data hosted in Supabase EU region (eu-west-1, Dublin, Ireland). AES-256 encryption at rest. Auth via passwordless email magic links. EU-resident data for our European customers — material for DSA, GDPR, and Schrems II considerations.
Payments: Paddle (MoR)
Paddle is our Merchant of Record. Card data never touches our servers — Paddle handles PCI-DSS compliance and tax remittance.
Email: Resend
Transactional and digest emails delivered via Resend. Sending domain verified for auditsocials.com (DKIM + SPF).
Encryption & transport security
- TLS 1.3 for all traffic between your browser and our application (HSTS preload + 2-year max-age + includeSubDomains).
- AES-256 encryption at rest for customer data, managed by Supabase.
- HTTP security headers in production: Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy denying camera/microphone/geolocation by default.
- Strict-Transport-Security with preload — browser refuses HTTP downgrade.
These headers can be independently verified at securityheaders.com — we welcome the audit.
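An added example, not code from AuditSocials: a small Python checker that compares a response's headers with the posture listed above (2-year HSTS with includeSubDomains and preload, DENY framing, nosniff, the stated Referrer-Policy, and a Permissions-Policy denying camera, microphone and geolocation). The two sample header sets are constructed for the example, not captured from the live site.

```python
import re
from typing import Dict, List

# Browser preload lists require max-age >= 2 years (63072000 s); the posture above commits to that.
TWO_YEARS = 63072000
DENIED_FEATURES = ("camera", "microphone", "geolocation")

def _hsts_issues(value: str) -> List[str]:
    """Findings for a Strict-Transport-Security header value."""
    issues: List[str] = []
    directives = {d.strip().lower() for d in value.split(";")}
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match or int(match.group(1)) < TWO_YEARS:
        issues.append("HSTS max-age below 2 years")
    if "includesubdomains" not in directives:
        issues.append("HSTS missing includeSubDomains")
    if "preload" not in directives:
        issues.append("HSTS missing preload")
    return issues

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return deviations from the stated posture; an empty list means a full match."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    issues: List[str] = []
    if "strict-transport-security" in h:
        issues += _hsts_issues(h["strict-transport-security"])
    else:
        issues.append("Strict-Transport-Security missing")
    if "content-security-policy" not in h:
        issues.append("Content-Security-Policy missing")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        issues.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        issues.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").strip().lower() != "strict-origin-when-cross-origin":
        issues.append("Referrer-Policy is not strict-origin-when-cross-origin")
    policy = h.get("permissions-policy", "")
    for feature in DENIED_FEATURES:  # "camera=()" is an empty allowlist, i.e. denied
        if not re.search(rf"\b{feature}=\(\)", policy):
            issues.append(f"Permissions-Policy does not deny {feature}")
    return issues

# Constructed sample responses (not captured from auditsocials.com).
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
WEAK = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff"}
```

To audit a live response, pass `dict(resp.headers)` from `urllib.request.urlopen` (or `resp.headers` from `requests`) to `audit_headers`.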
Authentication
- End users: passwordless magic-link via email (Supabase Auth). No passwords to leak.
- Admin / staff: Supabase RBAC + 2FA on Vercel and Supabase consoles.
- SSO / SAML: Not currently offered self-serve. Available as a feature on the Enterprise plan once a customer commits — we configure SSO during onboarding.
Sub-processors
A small, named list. We update this page when we add or remove any.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Vercel | Application hosting & edge runtime | Global edge, regional origins |
| Supabase | Database, authentication, file storage | EU (Dublin, eu-west-1) |
| Paddle | Payment processing (Merchant of Record) | Global, PCI-DSS compliant |
| Resend | Transactional email delivery | EU + US regions |
| Google Analytics | Aggregated usage analytics | Google global infrastructure |
| ProfitWell (Paddle) | Subscription metrics | Paddle infrastructure |
| OpenAI | AI-assisted features (summarisation, classification) | OpenAI API, US |
Data we collect & how we use it
- What we collect: email address, subscription preferences, IP-derived country (for analytics), interaction events (page views, tool usage).
- What we don't collect: advertising data from your ad accounts, your customers' personal data, or any data from your platform integrations. We are not connected to your Meta / TikTok / Google / etc. accounts.
- What we share: nothing with advertisers. Sub-processors above receive only the data necessary for their function.
- Retention: subscription data retained while your account is active. Email logs retained 90 days. Analytics events anonymised after 26 months.
Compliance posture
- GDPR: AuditSocials acts as a Data Processor for customer email and account data. Standard Data Processing Agreement available — email info@auditsocials.com (subject: DPA request).
- CCPA: Right to know, right to delete, right to opt out — exercise via info@auditsocials.com (subject: Privacy request).
- DSA: Not applicable to us as we are not a hosting platform; however, we monitor DSA enforcement as part of our product offering.
- EU-US Data Privacy Framework: Sub-processors used are DPF-certified or rely on Standard Contractual Clauses (SCCs) for transfers.
For formal certification frameworks:
- SOC 2 / ISO 27001 — on our 2026 roadmap. We work with procurement teams on certification timelines as part of Enterprise contracts.
- PCI DSS — handled by Paddle as our Merchant of Record. Card data does not touch our infrastructure.
- HIPAA — not applicable; we do not process protected health information.
- EU GDPR — we operate as a Data Processor with EU data residency and standard DPA terms available.
Procurement teams requiring specific certification artefacts or extended security questionnaires: contact us early. We respond to standard questionnaires (CAIQ, SIG-Lite) on request.
Reporting a vulnerability
Found a security issue? Email info@auditsocials.com with the subject line Security disclosure — we triage in priority order.
Acceptable testing: passive recon, content review, documented scope.
Not acceptable: any testing that affects production data, other customers, or causes service degradation.
We do not currently operate a paid bug bounty programme.
How to reach us
| Topic | Contact |
|---|---|
| General inquiries | info@auditsocials.com |
| Security disclosure | info@auditsocials.com (subject: Security disclosure) |
| Privacy / GDPR / DPA | info@auditsocials.com (subject: Privacy request) |
| Enterprise & procurement | info@auditsocials.com (subject: Enterprise inquiry) |
All email routes to info@auditsocials.com. The subject-line convention helps our team route requests internally. Direct outgoing email is sent from main@auditsocials.com.
Talk to us about Enterprise.
DPA, SCCs, security questionnaires, SSO, dedicated environments — we cover these as part of the Enterprise onboarding. Bring your procurement team.
This page describes our current security and trust posture as of the last review date. Material changes are reflected here within 30 days.