
Security & Compliance

1. Executive Summary

Sociable AI's security program is built on industry-standard practices and on third-party providers that hold their own compliance certifications. Our approach prioritizes minimal data storage, secure handling of access tokens, and responsible data handling across all of our services. Our adherence to platform policies is verified through regular external audits.

2. Service Provider Compliance

Provider | Used For | Provider's Compliance/Certifications | Security Features We Leverage
--- | --- | --- | ---
Google Cloud Platform | Infrastructure, BigQuery, Pub/Sub | SOC 1/2/3, ISO 27001, GDPR | Infrastructure security, DDoS protection, encryption
AWS | Infrastructure components | SOC 1/2/3, ISO 27001, GDPR | Network security, infrastructure protection
Vercel | Frontend hosting | SOC 2, GDPR compliance | Edge security, CDN protection, HTTPS enforcement
Clerk | User authentication | SOC 2 Type 2, GDPR, CCPA | Identity management, MFA, JWT security
Supabase | Database | SOC 2 Type 1, GDPR compliance | Row-level security, data encryption
Stripe | Payment processing | PCI DSS Level 1 | Secure payment processing, tokenization
OpenAI | AI/LLM services | SOC 2 | API security, model isolation
Meta/Instagram | API integration | SOC 2, GDPR | OAuth security, rate limiting, quarterly platform audits

3. Data Flow Architecture

Data Access Flow

  • Authentication: Clerk handles user authentication; we never store passwords or other user credentials
  • Social Media Integration: We store only the OAuth access tokens needed to act on the user's behalf, not the underlying social media content
  • Messaging: Messages are transported through Google Cloud Pub/Sub, which retains them only briefly in the transport layer and applies Google Cloud's encryption in transit and at rest. Conversation history that we keep for automation is governed by the Data Access Matrix in section 4.

4. Data Access Matrix

Data Category | What We Store | Access Control | Retention Period | Security Measures
--- | --- | --- | --- | ---
User authentication data | Managed by Clerk | Clerk's security system | Managed by Clerk | Encrypted at rest by Clerk
Social media tokens | OAuth access tokens only | System only, no direct human access | Until revoked or account deletion | Encrypted at rest
Messages | Conversation history for automation | User, automation systems | Account lifetime (user deletable) | Encrypted at rest
Automation settings | User-defined rules, preferences | User, relevant systems | Account lifetime | Encrypted at rest
Payment information | Transaction IDs only | Billing system | 7 years (regulatory) | Handled by Stripe (PCI-compliant)

5. Encryption and Protection Measures

Data Encryption

  • In Transit: All communications secured via TLS 1.2+
  • At Rest: All user data encrypted in Supabase and other storage systems
  • Authentication Tokens: Encrypted before storage
  • API Keys: Secured using environment variables and secret management

User Authentication Security (Clerk)

  • Passwordless authentication options
  • Multi-factor authentication
  • JWT-based session management
  • User authentication events monitoring
  • OAuth social login security

Access Controls

  • Role-based access control for internal systems
  • Least-privilege access for staff and service accounts
  • Multi-factor authentication required for admin access

6. Incident Response Plan

Detection

  • Real-time monitoring via GCP Monitoring
  • Error tracking via Sentry
  • Automated alerts for suspicious activities through Google Cloud Security Command Center, AWS CloudWatch, Vercel Analytics, Sentry, Supabase Security Monitoring, and PostHog

Response Procedures

  1. Containment: Isolate affected systems
  2. Assessment: Determine scope and impact
  3. Remediation: Apply fixes and security patches
  4. Recovery: Restore systems to normal operation
  5. Post-incident: Review and improvement

Communication Protocol

  • Internal notification within 1 hour of detection
  • Client notification within 24 hours for data breaches
  • Regulatory reporting as required by law

7. Security Controls and Measures

Data Minimization

  • Authentication handled by Clerk, limiting our exposure to sensitive credentials
  • Only storing access tokens, not underlying social media content
  • No storage of social media post data beyond what’s needed for functionality
  • Clear data boundaries between systems

Authentication Security

  • Clerk-managed authentication system
  • OAuth 2.0 for social media integrations
  • Secure token management
  • Session timeout enforcement

Monitoring and Logging

  • Centralized logging systems
  • Activity auditing
  • Regular security reviews

8. Compliance Considerations

Platform Compliance

  • Meta/Instagram: We regularly undergo platform audits for our integration to ensure adherence to platform policies

Privacy Considerations

  • GDPR Principles: We apply data minimization principles and provide mechanisms for data access and deletion
  • CCPA Principles: We honor user data control and deletion rights where applicable
  • Best Practices: We leverage certified third-party providers and follow security best practices

9. Third-Party Data Handling

  • No persistent storage of third-party platform content
  • Message data retained only for functional requirements
  • Clear boundaries between automation processing and data storage
  • Adherence to Meta’s platform terms and data usage requirements

This document represents our current security posture and is subject to regular review and updates as our systems and security practices evolve.