Security at Social Intel

Our platform is hosted on industry-standard cloud infrastructure with the following protections in place:

• All traffic is encrypted in transit using TLS 1.2 or higher
• Sensitive data is encrypted at rest using AES-256
• Database access is restricted to application servers only — no public database endpoints
• Infrastructure is isolated using private networks and firewall rules
• Automated backups run daily with point-in-time recovery

• Passwords are hashed using bcrypt — plaintext passwords are never stored or logged
• Email verification is required before accessing sensitive account features (2FA, profile changes, password changes)
• Two-factor authentication can only be enabled after email verification
• Email changes automatically reset verification status, requiring re-verification
• API keys are hashed server-side and only shown to you once at creation
• All authenticated endpoints require a valid session token or API key per request
• Internal systems follow least-privilege access — team members only access what their role requires
• Admin access requires multi-factor authentication

Payments are processed entirely by PayPal. We never receive, transmit, or store card details or banking information. All payment data flows directly between you and PayPal over their encrypted infrastructure.

We receive only a transaction confirmation (order ID, status, amount) after a successful payment.

Every dataset download is logged with the timestamp, IP address, and authenticated user account. This serves two purposes:

• Delivery confirmation — so we can verify you received your purchase
• Fraud protection — to resolve refund disputes and chargeback claims

Download logs are retained for 12 months. They are never shared with third parties except as required for payment disputes or by law. See our Privacy Policy for details.

• All user inputs are validated and sanitised server-side
• SQL queries use parameterised statements — no raw query construction from user input
• CSRF protection is enforced on all state-changing requests
• HTTP security headers are set on all responses (CSP, HSTS, X-Frame-Options, etc.)
• Rate limiting is applied to authentication endpoints and the API to prevent brute-force attacks
• Dependencies are regularly updated and scanned for known vulnerabilities

Each user can only access datasets they have purchased. Access tokens are scoped per user and per dataset — there is no way to access another user's purchases through the API. Subscription access is revoked immediately upon cancellation or refund.

We take security vulnerabilities seriously. If you discover a security issue in our platform, please report it to us privately before disclosing it publicly.

To report a vulnerability: email info@socialintel.io with a description of the issue and steps to reproduce it. We will acknowledge your report within 48 hours and aim to resolve confirmed issues within 14 days.

We ask that you do not access, modify, or delete any user data beyond what is necessary to demonstrate the vulnerability. We will not take legal action against researchers who follow these guidelines.

In the event of a security incident affecting user data, we will notify affected users by email within 72 hours of becoming aware of the breach. Notifications will include the nature of the incident, data involved, and steps we have taken to contain it.

• API keys are hashed server-side using bcrypt and shown only once at creation
• Rate limits enforced per-tier: Free (1,000/day), Pro (10,000/day), Max (100,000/day)
• Burst rate limits per-tier: Free (10/s), Pro (50/s), Max (200/s)
• JWT tokens with configurable expiry for session management
• All API requests require valid authentication (Bearer token or X-API-Key)
• SQL queries use parameterised statements — no raw query construction from user input
• SSRF protection blocks requests to internal/private IP ranges

• Dependencies are regularly updated and scanned for known vulnerabilities
• Automated Dependabot alerts for critical CVEs
• Minimal dependency principle — only essential packages included
• All third-party integrations are audited and monitored

• Accounts that remain unverified after the configured TTL (default 30 days) are automatically purged
• Background worker runs periodic cleanup to remove stale unverified accounts
• Account deletion is available via the Settings page or GDPR data deletion request
• Deleted accounts are soft-deleted to prevent accidental data loss, with hard-delete available for admin

For security-related enquiries or to report a vulnerability: info@socialintel.io

For privacy-related requests (data access, deletion, correction): privacy@socialintel.io

For general privacy questions, see our Privacy Policy or Data Deletion page.