Security at OpenPost

We handle credentials for your social media accounts, so security is not optional — it is foundational to everything we build.

Encryption at Rest

All social media OAuth tokens and platform credentials are encrypted using AES-256-GCM before storage. Each token is individually encrypted with authenticated encryption, so a database breach exposes only ciphertext, and any tampering with a stored token is detected when it is decrypted rather than silently accepted.

Encryption in Transit

Every connection to OpenPost uses TLS 1.2 or higher. This applies to browser sessions, API calls, and our backend communication with social media platforms. We enforce HTTPS on all endpoints with no exceptions.

Data Isolation

Each workspace's data is isolated through row-level security policies at the database level. Even if application logic were bypassed, the database itself enforces that one workspace cannot read another's data. Service-role access is restricted to backend operations only.

Credential Handling

API keys are stored as SHA-256 hashes — we never persist plaintext keys. OAuth tokens for third-party apps are hashed the same way. When you generate a key, it is shown exactly once and cannot be retrieved afterward.

Infrastructure

OpenPost runs on Vercel's edge network for the application layer, Supabase (hosted PostgreSQL) for the database, and Cloudflare R2 for media storage. Each provider maintains SOC 2 compliance and implements its own layered security controls.

Access Controls

Internal access to production systems follows the principle of least privilege. Database credentials are rotated regularly and stored in environment variables, never in source code. We use separate service accounts for different operational contexts.

Responsible Disclosure

If you discover a security vulnerability in OpenPost, we want to hear about it. We appreciate responsible disclosure and will work with you to understand and address the issue quickly.

Please report vulnerabilities to security@openpost.so. Include a description of the issue, steps to reproduce, and any relevant technical details.

We ask that you give us reasonable time to investigate and patch the issue before any public disclosure. We will not take legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.

How We Handle Platform Data

When you connect a social media account to OpenPost, we receive OAuth tokens (or equivalent session credentials) that allow us to publish content and retrieve analytics on your behalf. Here is exactly what happens with that data:

  • Tokens are encrypted immediately upon receipt, before being written to the database.
  • Tokens are decrypted only at the moment of use — when publishing a post or pulling analytics — and are never logged or cached in plaintext.
  • Tokens are scoped to the minimum permissions required. We do not request access to private messages, contact lists, or personal browsing data.
  • When you disconnect an account, the encrypted tokens are deleted from our database immediately.
  • If a platform notifies us of a deauthorization (for example, Meta's data deletion callback), we process the removal automatically.

Incident Response

In the event of a security incident that affects your data, we will:

  • Investigate and contain the issue as quickly as possible.
  • Notify affected users within 72 hours of confirming a breach, as required by GDPR.
  • Provide a clear description of what happened, what data was affected, and what steps we are taking.
  • Report to relevant supervisory authorities when legally required.

Questions

For security-related questions or concerns, contact security@openpost.so.