ChiselPost
Last updated: 11 April 2026

Security

Security is foundational to ChiselPost. This page describes the measures we take to protect your data, your accounts, and our platform.

1. Data Encryption

  • In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
  • At rest: Sensitive data — including OAuth access tokens for connected social media accounts — is encrypted at rest using AES-256.
  • Passwords: User passwords are hashed using bcrypt with a high work factor. We never store plaintext passwords.
  • Payment data: We do not store payment card details. All billing is processed by Stripe, a PCI DSS Level 1 certified provider.

2. Authentication and Access Control

  • Session management: Authenticated sessions are managed using short-lived, cryptographically signed tokens. Sessions expire automatically after a period of inactivity.
  • CSRF protection: Cross-site request forgery protection is applied to all state-changing operations.
  • Role-based access: Access to workspace resources is controlled by a role system (owner, admin, member). Users can only access data within their own workspaces.
  • OAuth integrations: We connect to social media platforms using official OAuth 2.0 flows. We request only the minimum permissions necessary to provide the service.
  • Admin controls: Administrative functions are restricted to verified admin accounts and are not accessible from the public-facing application.

3. Infrastructure Security

  • Hosting: Our backend services are hosted on Render, and our frontend is deployed on Vercel — both of which operate on hardened cloud infrastructure with network isolation and DDoS protection.
  • Media storage: User-uploaded media is stored in Cloudflare R2, which provides geo-distributed, encrypted object storage.
  • Database: Our databases are hosted on managed cloud infrastructure with encryption at rest, automated backups, and private networking. Direct public access to the database is disabled.
  • Environment isolation: Production, staging, and development environments are fully separated. Secrets and credentials are never stored in source code.
  • Dependency management: We regularly audit and update dependencies to patch known vulnerabilities.

4. Application Security

  • Input validation: All user inputs are validated and sanitised on the server side, with matching client-side checks for usability, to prevent injection attacks. The server-side checks are the security control, since anything enforced only in the browser can be bypassed.
  • Rate limiting: API endpoints are rate-limited to slow brute-force attacks against credentials and to mitigate denial-of-service attempts.
  • Security headers: We apply standard HTTP security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
  • Audit logging: Sensitive actions (login attempts, account changes, connected account modifications) are logged for security auditing purposes.
  • Third-party APIs: We interact with social media platform APIs only over HTTPS and store resulting tokens in encrypted form.
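The rate-limiting bullet is the one item in this section that a small worked example clarifies. Below is an added example of a login guard that limits attempts both per client address and per target account; it is not ChiselPost's code, and the sliding-window algorithm, the limits (20 attempts per minute per IP, 5 per five minutes per account) and the in-memory store are assumptions made here for illustration.

```javascript
// Added example: sliding-window rate limiting of a login endpoint, keyed on
// both client IP and target account. Not ChiselPost's code; the algorithm,
// the limits and the in-memory store are assumptions for illustration.

class SlidingWindowLimiter {
  constructor(limit, windowS) {
    this.limit = limit;
    this.windowS = windowS;
    this.log = new Map(); // key -> array of accepted request timestamps (seconds)
  }

  // Record an attempt; returns true if it is within the limit for this key.
  // Only accepted attempts are logged, so a denied burst does not extend
  // the lockout indefinitely.
  hit(key, nowS) {
    const cutoff = nowS - this.windowS;
    const recent = (this.log.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.log.set(key, recent);
      return false;
    }
    recent.push(nowS);
    this.log.set(key, recent);
    return true;
  }
}

// Build a login guard with fresh limiters. A real deployment would back the
// limiters with a shared store so every backend instance sees the same counts.
function makeLoginGuard() {
  const perIp = new SlidingWindowLimiter(20, 60);        // assumed: 20 attempts / minute / IP
  const perAccount = new SlidingWindowLimiter(5, 300);   // assumed: 5 attempts / 5 minutes / account

  // Check both limits before touching the password hash. The per-account key
  // stops a credential-stuffing run spread over many addresses; the per-IP
  // key stops one host from trying many accounts a few times each.
  return function checkLoginAttempt(ip, email, nowS) {
    const ipOk = perIp.hit(ip, nowS);
    const accountOk = perAccount.hit(email.trim().toLowerCase(), nowS);
    if (!ipOk) return { allowed: false, reason: 'ip' };
    if (!accountOk) return { allowed: false, reason: 'account' };
    return { allowed: true };
  };
}
```

Normalising the account key (trimming and lower-casing the e-mail) matters: without it an attacker varies capitalisation to get a fresh counter for the same victim.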

5. Protecting Your Account

There are steps you can take to keep your ChiselPost account secure:

  • Use a strong, unique password that you do not reuse on other services.
  • Do not share your login credentials with anyone, including team members — use the workspace invitation system instead.
  • Log out of ChiselPost when using shared or public devices.
  • Be alert to phishing emails. We will never ask for your password via email.
  • Review connected social accounts regularly and revoke any that you no longer use.
  • Contact us immediately if you suspect your account has been compromised.

6. Data Handling and Retention

We follow the principle of data minimisation — collecting only what is necessary to provide the service. When you delete your account, your personal data is deleted or anonymised within 30 days, except where we are required to retain it for legal or financial compliance purposes. See our Privacy Policy for full details.

7. Security Monitoring and Incident Response

  • We monitor our systems continuously for anomalous activity, unauthorised access attempts, and infrastructure health.
  • In the event of a confirmed security incident, we will notify affected users without undue delay, in accordance with applicable data protection law, including UK GDPR.
  • We maintain an incident response process that includes containment, investigation, remediation, and post-incident review.

8. Vulnerability Disclosure

We take security reports seriously. If you believe you have discovered a security vulnerability in ChiselPost, please disclose it to us responsibly:

  • Email us at security@chiselpost.com with a description of the issue.
  • Include steps to reproduce, potential impact, and any supporting evidence (screenshots, request/response logs).
  • We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate it.
  • We do not currently operate a formal bug bounty programme, but we do acknowledge responsible disclosure and will respond promptly.

9. Compliance

ChiselPost is operated from the United Kingdom and we are committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We review our security practices regularly and update them as the threat landscape and regulatory requirements evolve.

10. Contact

For security concerns or questions, contact us at security@chiselpost.com. For general privacy queries, see our Privacy Policy.