Compliance

GDPR, DPA, and data processing

OpenPost operates as a data processor on behalf of the workspace owner (the controller). This page summarizes our compliance posture. For formal artifacts — DPA, SCCs, subprocessor list — see Settings → Legal or email contact@infina.so.

Frameworks

  • GDPR — Compliant; EU data stays in the EU region on request
  • CCPA — Compliant; honors verified consumer requests
  • SOC 2 Type II — In progress (audit scheduled Q3 2026)
  • ISO 27001 — Planned for 2027
  • HIPAA — Not covered; OpenPost isn't for PHI

Data Processing Addendum (DPA)

Every paid workspace can sign our DPA. The text is pre-signed by us — you countersign from your billing settings and the executed copy is emailed within minutes. The DPA incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum for cross-border transfers.

Subprocessors

We use a small set of vetted subprocessors. Each has a signed DPA with us. We’ll notify workspace owners 30 days before adding or materially changing a subprocessor.

  • Amazon Web Services — primary infrastructure (us-east-1)
  • Supabase — managed Postgres
  • Cloudflare — CDN and DDoS protection
  • Stripe — billing and payments
  • Resend — transactional email
  • Slack — optional notification integration (opt-in)

Subprocessors never see your social account tokens. OAuth tokens are encrypted with envelope keys that only our publisher service can decrypt inside AWS KMS.

Data subject requests

If a data subject (a team member, an end-user whose comments you’re processing, etc.) wants to exercise their GDPR/CCPA rights, the workspace owner initiates the request. We fulfill it within the legally required timeframe (30 days under GDPR, 45 days under CCPA).

  • Access — we provide a JSON export of all records keyed to a user.
  • Rectification — amend records in-place.
  • Erasure — delete records; 30-day tombstone before permanent removal.
  • Portability — export in machine-readable JSON.

Data residency

Default region is US (AWS us-east-1). Max workspaces can request EU residency — your primary database and media bucket are provisioned in Frankfurt (eu-central-1). Cross-region replication for backups uses SCCs.

Data retention

  • Active workspace data — retained for the life of the workspace.
  • Deleted records — 30-day tombstone, then permanent removal.
  • Canceled workspace — 60 days read-only archive, then permanent deletion.
  • Backups — 7 days; encrypted and logically separated.
  • Audit logs — 12 months on Pro, 24 months on Max.

Employee access

Access to production systems is granted on a least-privilege basis, logged to an append-only audit store, and reviewed quarterly. No customer data is ever used in development or staging environments.

Cookies & tracking

Our website and dashboard use only essential cookies (auth, CSRF). We run no third-party analytics scripts on the dashboard. Marketing pages use a privacy-respecting analytics provider (Plausible) with no personally identifiable data.

Questions

Procurement, privacy, or compliance questions go to contact@infina.so. We respond within one business day and can do a vendor security review for enterprise procurement teams.

Last updated April 2026