Resources

Security

How we protect your data

Security is table stakes for a tool that can publish on your behalf to every social platform you use. This page describes how OpenPost protects your data at every layer — infrastructure, authentication, secrets, and third-party connections.

Infrastructure

Primary region

AWS us-east-1 (Virginia)

Database

Postgres 15 (Supabase), encrypted at rest

Object storage

S3 with SSE-KMS per-workspace keys

Backups

Point-in-time recovery, 7-day window

Uptime SLO

99.9% publish availability (measured monthly)

DDoS protection

Cloudflare + AWS Shield Standard

Transport & at-rest encryption

  • All traffic is TLS 1.2+. HSTS enforced on all domains.
  • Database and object storage encrypted at rest with AES-256. Each workspace has a dedicated KMS envelope key for media bucket objects.
  • Backups are encrypted with a separate KMS key and stored in a hardened account.

Authentication

  • User login via email + password (Argon2 hashed), Google OAuth, or GitHub OAuth.
  • TOTP-based 2FA available on every plan; enforced 2FA on Pro and Max.
  • Sessions time out after 30 days idle; rotating refresh tokens on every request.

API keys & secrets

  • API keys shown once at creation; only hashes stored.
  • Keys are workspace-scoped; no cross-workspace or cross-user access.
  • Per-key scopes restrict what endpoints a key can call.
  • Rotation is self-serve; old keys auto-revoke 24h after rotation.

Social platform tokens

The OAuth tokens we hold to publish on your behalf are the most sensitive data in the system. They’re stored encrypted with per-workspace KMS keys, accessible only to the publisher service, and never returned through the API.

  • Tokens are rotated on the platform’s schedule (e.g. Facebook every 60 days).
  • If a platform’s security team flags unusual activity, we surface their warning immediately to the workspace owner.
  • Disconnecting a channel revokes the token upstream where the platform’s API permits.
OpenPost employees cannot read your stored social tokens. Access is gated behind a break-glass workflow that requires a signed audit record and pair approval from another engineer.

Access control

  • Production database access requires SSO + hardware key, and all queries are logged to an append-only audit log.
  • No shared credentials; every person has individual accounts.
  • Separate staging environment with synthetic data — never production dumps.

Webhooks

  • All outbound webhook payloads signed with per-endpoint HMAC-SHA256 secrets.
  • Timestamp in signature prevents replay attacks.
  • Secrets rotatable; 24h grace on rotation.

Incident response

We maintain an on-call rotation 24/7. Security incidents are disclosed to affected workspaces within 72 hours of confirmation, in line with common breach-notification standards. For major platform outages, the status page updates in real time.

Responsible disclosure

If you’ve found a vulnerability, please email contact@infina.so. We acknowledge within 24 hours, triage within 72 hours, and ship a fix at a severity-appropriate pace. Researcher credit on the security page is available if you want it; safe-harbor terms on request.

PreviousChangelogNext Compliance
Last updated April 2026 Edit this page