Social Optics

Security

Last updated: April 3, 2026

Our Commitment

At Social Optics, we take the security of your data seriously. We implement industry-standard practices to protect your store information, credentials, and content across every layer of our platform.

Infrastructure

  • Hosting: Our application runs on Vercel's edge network; all traffic is served over HTTPS (TLS), with certificates provisioned and renewed automatically
  • Database: Data is stored in Google Firebase (Firestore) with encryption at rest and in transit
  • Environment: All secrets and API keys are stored in encrypted environment variables, never in source code

Authentication & Authorization

  • OAuth 2.0: All platform connections (Shopify, YouTube, TikTok, Twitter/X, Meta) use OAuth 2.0 with PKCE where supported
  • Token encryption: All OAuth tokens are encrypted at rest using AES-256-GCM before storage
  • Session validation: Shopify session tokens (JWTs signed with HS256) are verified by checking their HMAC-SHA256 signature against our app secret
  • CSRF protection: Every OAuth flow carries a random state parameter that is checked against a cookie on the callback, so a flow cannot be completed by anyone other than the browser that started it

API Security

  • Rate limiting: Public endpoints are rate-limited to prevent abuse
  • Webhook verification: Every incoming Shopify webhook is verified by recomputing the HMAC-SHA256 of the raw request body with our app secret and comparing it, in constant time, to the X-Shopify-Hmac-Sha256 header
  • CORS: Cross-origin requests are restricted to our application domain only
  • Input validation: All user inputs are validated and sanitized before processing

Security Headers

Every response from our servers includes:

  • Strict-Transport-Security (HSTS) with preload
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Content-Security-Policy
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy restricting camera, microphone, and geolocation

Data Protection

  • Access tokens are never exposed to the client/browser
  • Error messages are sanitized to prevent information disclosure
  • Debug endpoints are disabled in production
  • Firestore security rules enforce strict access control

Compliance

  • We comply with Shopify's mandatory GDPR webhooks (customer data requests, customer redaction, shop redaction)
  • Store data is deleted within 48 hours of app uninstallation
  • We do not sell, share, or transfer personal data to third parties for marketing purposes

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly by emailing security@socialoptics.ai. We will investigate all reports and respond within 48 hours.