The architecture, not the marketing.
Safety is the first principle, not a bullet point. This page describes the technical controls in place around your account, your credentials, and the audience graph the engine builds for you.
Encryption
- In transit — all client-to-server and server-to-server traffic is encrypted with TLS 1.3. We enforce HSTS with a one-year max-age and preload.
- At rest — all databases, file storage, and backups are encrypted with AES-256. Disk-level encryption is provided by our cloud provider; application-layer encryption sits on top for sensitive fields.
- Credential vault — Instagram access tokens are encrypted with a key derived per account via PBKDF2. The master key is held in a hardware security module that no human operator can read.
Network & infrastructure
- Primary infrastructure hosted in the EU on a Tier-IV provider with SOC 2 Type II and ISO 27001 certifications.
- Region-pinned egress for engagement actions — every action originates from an IP in your account's home region to avoid suspicious travel patterns.
- WAF and DDoS protection at the edge.
- No public administrative interfaces. Staff access only via VPN with mandatory hardware-key 2FA.
Access control
- Principle of least privilege: every engineer has the minimum scope required to do their job.
- Production database access is read-only by default. Write access requires a peer-approved, time-bound elevation ticket.
- Every privileged command is audit-logged with operator identity, timestamp, command, and target.
- Mandatory password manager. Mandatory 2FA on every staff service. Quarterly access reviews.
Application security
- All endpoints rate-limited at the edge and at the application layer.
- CSRF tokens on every state-changing form. Same-site cookies. Content-Security-Policy headers locked down to first-party.
- Input is validated at the trust boundary and output is escaped at render time.
- Dependency scanning runs on every commit; critical CVEs are patched within 72 hours.
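The HSTS commitment in the Encryption section (one-year max-age, preload) and the cookie and Content-Security-Policy controls listed above are all visible in HTTP response headers, so they can be verified from the outside. The following script is an added example, not the site's own tooling, that checks a set of response headers against exactly those claims; the SAMPLE_HEADERS block is a constructed sample, not a real capture from any host.

```python
"""Check response headers against the HSTS, CSP and cookie-flag claims above.

Added example (not the site's own code). SAMPLE_HEADERS is constructed for
illustration; feed the functions the headers of a real response to audit
a deployment.
"""

ONE_YEAR = 31536000  # seconds: the HSTS max-age the page commits to


def parse_directives(header_value):
    """Split a ';'-separated directive header into {name: value-or-None}."""
    out = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip().lower()] = value.strip() or None
    return out


def check_hsts(value, min_age=ONE_YEAR, require_preload=True):
    """Problems with a Strict-Transport-Security value (empty list = OK).

    The preload list requires includeSubDomains as well as max-age >= 1 year.
    """
    problems = []
    d = parse_directives(value)
    age = d.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(age) < min_age:
        problems.append(f"max-age {age} is below {min_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing (required for preload)")
    if require_preload and "preload" not in d:
        problems.append("preload missing")
    return problems


def check_csp(value):
    """Flag any fetch directive (*-src) that allows more than 'self'/'none'."""
    problems = []
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "default-src" not in directives:
        problems.append("default-src missing")
    for name, sources in directives.items():
        if not name.endswith("-src"):
            continue
        for src in sources:
            if src.lower() not in ("'self'", "'none'"):
                problems.append(f"{name} allows {src}")
    return problems


def check_set_cookie(value):
    """Require Secure, HttpOnly and SameSite=Lax|Strict on one Set-Cookie line."""
    problems = []
    attrs = parse_directives(value)
    if "secure" not in attrs:
        problems.append("Secure missing")
    if "httponly" not in attrs:
        problems.append("HttpOnly missing")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        problems.append("SameSite must be Lax or Strict")
    return problems


def audit(headers):
    """headers: {name: [values]} as an HTTP client returns them.

    Returns {header: [problems]}; an empty list means the claim holds.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    csp = lower.get("content-security-policy")
    cookies = lower.get("set-cookie", [])
    return {
        "strict-transport-security": check_hsts(hsts[0]) if hsts else ["header missing"],
        "content-security-policy": check_csp(csp[0]) if csp else ["header missing"],
        "set-cookie": [p for c in cookies for p in check_set_cookie(c)],
    }


SAMPLE_HEADERS = {  # constructed sample, not a real capture
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains; preload"],
    "Content-Security-Policy": [
        "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self'"
    ],
    "Set-Cookie": [
        "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "prefs=dark; Path=/",  # deliberately missing every protective attribute
    ],
}

if __name__ == "__main__":
    for header, problems in audit(SAMPLE_HEADERS).items():
        print(header, "OK" if not problems else problems)
```

Run as-is it reports the HSTS header as compliant, flags `script-src` for allowing `'unsafe-inline'` (which is not "locked down to first-party"), and lists the three missing attributes on the second cookie. The CSP check is deliberately strict: a `nonce-` or `https:` source would also be flagged, because the page's claim is first-party only.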
Testing & assurance
- External penetration test conducted annually by an independent firm. Executive summaries available under NDA to enterprise customers.
- Continuous automated security testing in CI: SAST, secret scanning, dependency checks.
- Internal red-team exercises twice a year.
Bug bounty
We run a private bug bounty program. If you find a vulnerability, email security@growyoursocials.xyz with reproduction steps. We acknowledge within 24 hours, triage within 72, and pay between $100 and $10,000 depending on severity. We commit to safe harbor for good-faith research: we will not pursue legal action against researchers who follow our disclosure policy.
Incident response
We maintain a written incident-response runbook. In the event of a confirmed breach affecting customer data:
- The on-call engineer pages the incident commander within 15 minutes.
- Affected customers are notified by email within 72 hours of confirmation, per GDPR Article 33.
- A public post-mortem is published within 14 days, with a timeline, root cause, remediation, and follow-up actions.
Data residency
All customer operational data is stored in the EU. Backups are encrypted and replicated across two EU regions. Billing data may transit through our payment processor's U.S. infrastructure; this transfer is governed by Standard Contractual Clauses.
Compliance
- GDPR & UK GDPR compliant. Data Processing Agreement available on request.
- CCPA/CPRA compliant for our California-based users.
- SOC 2 Type II audit in preparation — target completion 2026.
For your part
Security is a shared responsibility. Help us by:
- Enabling 2FA on your growyoursocials account (default-on for paid plans).
- Using a unique, password-manager-generated password.
- Reviewing dashboard activity logs periodically.
- Reporting anything suspicious immediately to security@growyoursocials.xyz.