


We use essential cookies to keep you signed in and improve your experience. Cookie Policy
We take the protection of your data seriously. Here's how we keep everything secure.
Encrypted in Transit
All API traffic
File Encryption
Uploads encrypted
Least-Privilege
Role-based access
Bug Bounty
Responsible disclosure
PostgreSQL
Connection pooling
CORS Restricted
Own domains only
Email Verification Enforcement
VerifiedEmail verification is sent automatically on registration and is required before accessing sensitive account features. Login is blocked until the email is verified when enforcement is enabled.
2FA Requires Verified Email
VerifiedTwo-factor authentication can only be enabled after email verification. This prevents account takeover via 2FA lockout on unverified accounts.
Unverified Account Cleanup
AutomatedAccounts that remain unverified beyond the configured TTL (default 30 days) are automatically and permanently deleted by the background worker. This limits exposure from abandoned registrations.
Security Headers
VerifiedAll critical headers active: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), HSTS (preload), Referrer-Policy, Permissions-Policy (camera/mic/geo blocked), and nonce-based Content-Security-Policy.
XSS & CSRF Protection
VerifiedAll inputs validated and sanitized server-side. SameSite cookies and CORS origin restrictions prevent CSRF. Nonce-based CSP blocks unauthorized inline scripts.
Rate Limiting by Tier
VerifiedRate limits are enforced per API tier with daily and burst caps. Rate limit state is distributed across workers for consistent enforcement.
No Secrets Exposed
VerifiedAPI keys hashed server-side (shown once at creation). Environment variables never leaked to client. Sensitive paths blocked from public access.
JWT Authentication
VerifiedSession tokens with bounded lifetime. Bearer token or X-API-Key accepted per request. Passwords are bcrypt-hashed — never stored in plaintext.
CORS & SSRF Protection
VerifiedCORS restricted to our own domains only. SSRF protection blocks requests to internal, private, and cloud metadata networks.
Secure Infrastructure
VerifiedHosted on secure cloud infrastructure with encryption in transit and at rest, SSL certs auto-renewed. PostgreSQL with connection pooling.
Error Monitoring
VerifiedError monitoring service integrated for immediate tracking. No sensitive data (passwords, tokens, PII) included in error reports.
Data Privacy
CompliantGDPR and CCPA compliant. No personal data sold or shared. Minimal data collection policy. Data deletion available under GDPR Article 17.
Our platform is hosted on industry-standard cloud infrastructure with the following protections in place:
Payments are processed entirely by PayPal. We never receive, transmit, or store card details or banking information. All payment data flows directly between you and PayPal over their encrypted infrastructure.
We receive only a transaction confirmation (order ID, status, amount) after a successful payment.
Every dataset download is logged with the timestamp, dataset details, and authenticated user account. This serves two purposes:
Download logs are retained for 12 months. They are never shared with third parties except as required for payment disputes or by law. See our Privacy Policy for details.
Each user can only access datasets they have downloaded. Access tokens are scoped per user and per dataset — there is no way to access another user's data through the API. Subscription access is revoked immediately upon cancellation or refund.
We take security vulnerabilities seriously. If you discover a security issue in our platform, please report it to us privately before disclosing it publicly.
To report a vulnerability: email info@socialintel.io with a description of the issue and steps to reproduce it. We will acknowledge your report within 48 hours and aim to resolve confirmed issues within 14 days.
We ask that you do not access, modify, or delete any user data beyond what is necessary to demonstrate the vulnerability. We will not take legal action against researchers who follow these guidelines.
In the event of a security incident affecting user data, we will notify affected users by email within 72 hours of becoming aware of the breach. Notifications will include the nature of the incident, data involved, and steps we have taken to contain it.
For security-related enquiries or to report a vulnerability: info@socialintel.io
For privacy-related requests (data access, deletion, correction): privacy@socialintel.io
For general privacy questions, see our Privacy Policy or Data Deletion page.