Skip to content
Sociable AI Documentation

Security & Compliance

1. Executive Summary

Section titled “1. Executive Summary”

Sociable AI implements a security framework by leveraging industry-standard security practices and compliant third-party providers. Our security approach prioritizes minimal data storage, secure token management, and responsible data handling across all our services. We adhere to platform policies through regular external audits.

2. Service Provider Compliance

Section titled “2. Service Provider Compliance”
ProviderUsed ForProvider’s Compliance/CertificationsSecurity Features We Leverage
Google Cloud PlatformInfrastructure, BigQuery, Pub/SubSOC 1/2/3, ISO 27001, GDPRInfrastructure security, DDoS protection, encryption
AWSInfrastructure componentsSOC 1/2/3, ISO 27001, GDPRNetwork security, infrastructure protection
VercelFrontend hostingSOC 2, GDPR complianceEdge security, CDN protection, HTTPS enforcement
ClerkUser authenticationSOC 2 Type 2, GDPR, CCPAIdentity management, MFA, JWT security
SupabaseDatabaseSOC 2 Type 1, GDPR complianceRow-level security, data encryption
StripePayment processingPCI DSS Level 1Secure payment processing, tokenization
OpenAIAI/LLM servicesSOC 2API security, model isolation
Meta/InstagramAPI integrationSOC 2, GDPROAuth security, rate limiting, quarterly platform audits

3. Data Flow Architecture

Section titled “3. Data Flow Architecture”

Data Access Flow

Section titled “Data Access Flow”
  • Authentication: Clerk handles user authentication without us storing credentials
  • Social Media Integration: Only access tokens are stored, not underlying content
  • Messaging: Messages processed through GCP’s secure Pub/Sub channels with minimal retention, inheriting Google Cloud’s enterprise-grade security practices and encryption standards

4. Data Access Matrix

Section titled “4. Data Access Matrix”
Data CategoryWhat We StoreAccess ControlRetention PeriodSecurity Measures
User authentication dataManaged by ClerkClerk’s security systemManaged by ClerkEncrypted at rest by Clerk
Social media tokensOAuth access tokens onlySystem only, no direct human accessUntil revoked or account deletionEncrypted at rest
MessagesConversation history for automationUser, automation systemsAccount lifetime (user deletable)Encrypted at rest
Automation settingsUser-defined rules, preferencesUser, relevant systemsAccount lifetimeEncrypted at rest
Payment informationTransaction IDs onlyBilling system7 years (regulatory)Handled by Stripe (PCI-compliant)

5. Encryption and Protection Measures

Section titled “5. Encryption and Protection Measures”

Data Encryption

Section titled “Data Encryption”
  • In Transit: All communications secured via TLS 1.2+
  • At Rest: All user data encrypted in Supabase and other storage systems
  • Authentication Tokens: Encrypted before storage
  • API Keys: Secured using environment variables and secret management

User Authentication Security (Clerk)

Section titled “User Authentication Security (Clerk)”
  • Passwordless authentication options
  • Multi-factor authentication
  • JWT-based session management
  • User authentication events monitoring
  • OAuth social login security

Access Controls

Section titled “Access Controls”
  • Role-based access control for internal systems
  • Least privilege principle implemented
  • Multi-factor authentication required for admin access

6. Incident Response Plan

Section titled “6. Incident Response Plan”

Detection

Section titled “Detection”
  • Real-time monitoring via GCP Monitoring
  • Error tracking via Sentry
  • Automated alerts for suspicious activities through Google Cloud Security Command Center, AWS CloudWatch, Vercel Analytics, Sentry, Supabase Security Monitoring, and PostHog

Response Procedures

Section titled “Response Procedures”
  1. Containment: Isolate affected systems
  2. Assessment: Determine scope and impact
  3. Remediation: Apply fixes and security patches
  4. Recovery: Restore systems to normal operation
  5. Post-incident: Review and improvement

Communication Protocol

Section titled “Communication Protocol”
  • Internal notification within 1 hour of detection
  • Client notification within 24 hours for data breaches
  • Regulatory reporting as required by law

7. Security Controls and Measures

Section titled “7. Security Controls and Measures”

Data Minimization

Section titled “Data Minimization”
  • Authentication handled by Clerk, limiting our exposure to sensitive credentials
  • Only storing access tokens, not underlying social media content
  • No storage of social media post data beyond what’s needed for functionality
  • Clear data boundaries between systems

Authentication Security

Section titled “Authentication Security”
  • Clerk-managed authentication system
  • OAuth 2.0 for social media integrations
  • Secure token management
  • Session timeout enforcement

Monitoring and Logging

Section titled “Monitoring and Logging”
  • Centralized logging systems
  • Activity auditing
  • Regular security reviews

8. Compliance Considerations

Section titled “8. Compliance Considerations”

Platform Compliance

Section titled “Platform Compliance”
  • Meta/Instagram: We regularly undergo platform audits for our integration to ensure adherence to platform policies

Privacy Considerations

Section titled “Privacy Considerations”
  • GDPR Principles: We apply data minimization principles and provide mechanisms for data access and deletion
  • CCPA Principles: We honor user data control and deletion rights where applicable
  • Best Practices: We leverage certified third-party providers and follow security best practices

9. Third-Party Data Handling

Section titled “9. Third-Party Data Handling”
  • No persistent storage of third-party platform content
  • Message data retained only for functional requirements
  • Clear boundaries between automation processing and data storage
  • Adherence to Meta’s platform terms and data usage requirements

This document represents our current security posture and is subject to regular review and updates as our systems and security practices evolve.