Security & Compliance
1. Executive Summary
Sociable AI implements its security framework by leveraging industry-standard security practices and compliant third-party providers. Our security approach prioritizes minimal data storage, secure token management, and responsible data handling across all our services. We adhere to platform policies and verify this through regular external audits.
2. Service Provider Compliance
| Provider | Used For | Provider’s Compliance/Certifications | Security Features We Leverage |
|---|---|---|---|
| Google Cloud Platform | Infrastructure, BigQuery, Pub/Sub | SOC 1/2/3, ISO 27001, GDPR | Infrastructure security, DDoS protection, encryption |
| AWS | Infrastructure components | SOC 1/2/3, ISO 27001, GDPR | Network security, infrastructure protection |
| Vercel | Frontend hosting | SOC 2, GDPR compliance | Edge security, CDN protection, HTTPS enforcement |
| Clerk | User authentication | SOC 2 Type 2, GDPR, CCPA | Identity management, MFA, JWT security |
| Supabase | Database | SOC 2 Type 1, GDPR compliance | Row-level security, data encryption |
| Stripe | Payment processing | PCI DSS Level 1 | Secure payment processing, tokenization |
| OpenAI | AI/LLM services | SOC 2 | API security, model isolation |
| Meta/Instagram | API integration | SOC 2, GDPR | OAuth security, rate limiting, quarterly platform audits |
3. Data Flow Architecture
Data Access Flow
- Authentication: Clerk handles user authentication; we do not store credentials ourselves
- Social Media Integration: Only access tokens are stored, not the underlying content
- Messaging: Messages are processed through GCP’s secure Pub/Sub channels with minimal retention, inheriting Google Cloud’s enterprise-grade security practices and encryption standards
4. Data Access Matrix
| Data Category | What We Store | Access Control | Retention Period | Security Measures |
|---|---|---|---|---|
| User authentication data | Managed by Clerk | Clerk’s security system | Managed by Clerk | Encrypted at rest by Clerk |
| Social media tokens | OAuth access tokens only | System only, no direct human access | Until revoked or account deletion | Encrypted at rest |
| Messages | Conversation history for automation | User, automation systems | Account lifetime (user deletable) | Encrypted at rest |
| Automation settings | User-defined rules, preferences | User, relevant systems | Account lifetime | Encrypted at rest |
| Payment information | Transaction IDs only | Billing system | 7 years (regulatory) | Handled by Stripe (PCI-compliant) |
5. Encryption and Protection Measures
Data Encryption
- In Transit: All communications secured via TLS 1.2+
- At Rest: All user data encrypted in Supabase and other storage systems
- Authentication Tokens: Encrypted before storage
- API Keys: Secured using environment variables and secret management
User Authentication Security (Clerk)
- Passwordless authentication options
- Multi-factor authentication
- JWT-based session management
- User authentication events monitoring
- OAuth social login security
Access Controls
- Role-based access control for internal systems
- Least privilege principle implemented
- Multi-factor authentication required for admin access
6. Incident Response Plan
Detection
- Real-time monitoring via GCP Monitoring
- Error tracking via Sentry
- Automated alerts for suspicious activities through Google Cloud Security Command Center, AWS CloudWatch, Vercel Analytics, Sentry, Supabase Security Monitoring, and PostHog
Response Procedures
- Containment: Isolate affected systems
- Assessment: Determine scope and impact
- Remediation: Apply fixes and security patches
- Recovery: Restore systems to normal operation
- Post-incident: Review and improvement
Communication Protocol
- Internal notification within 1 hour of detection
- Client notification within 24 hours for data breaches
- Regulatory reporting as required by law
7. Security Controls and Measures
Data Minimization
- Authentication handled by Clerk, limiting our exposure to sensitive credentials
- Only storing access tokens, not underlying social media content
- No storage of social media post data beyond what’s needed for functionality
- Clear data boundaries between systems
Authentication Security
- Clerk-managed authentication system
- OAuth 2.0 for social media integrations
- Secure token management
- Session timeout enforcement
Monitoring and Logging
- Centralized logging systems
- Activity auditing
- Regular security reviews
8. Compliance Considerations
Platform Compliance
- Meta/Instagram: We regularly undergo platform audits of our integration to ensure adherence to platform policies
Privacy Considerations
- GDPR Principles: We apply data minimization principles and provide mechanisms for data access and deletion
- CCPA Principles: We honor user data control and deletion rights where applicable
- Best Practices: We leverage certified third-party providers and follow security best practices
9. Third-Party Data Handling
- No persistent storage of third-party platform content
- Message data retained only for functional requirements
- Clear boundaries between automation processing and data storage
- Adherence to Meta’s platform terms and data usage requirements
This document represents our current security posture and is subject to regular review and updates as our systems and security practices evolve.