Security & Compliance
Protecting your data is our top priority. Learn about our security practices and compliance commitments.
Last updated: January 7, 2026
Security Overview
SocialCRM implements comprehensive security measures to protect your data and ensure the integrity of our platform. Our security program is designed around industry best practices and regulatory requirements.
Data Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
Infrastructure Security
Hosted on SOC 2 Type II certified infrastructure with 24/7 monitoring and DDoS protection.
Access Controls
Role-based access control (RBAC), multi-factor authentication, and audit logging.
Database Security
Row-level security (RLS) ensures complete data isolation between tenants.
Technical Security Measures
Application Security
- Secure Authentication: Passwords are hashed using bcrypt with appropriate work factors. Sessions are managed using secure JWT tokens with appropriate expiration.
- Input Validation: All user inputs are validated and sanitized to prevent injection attacks (SQL, XSS, etc.).
- HTTPS Everywhere: All communications are encrypted using TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced.
- Content Security Policy: Strict CSP headers prevent cross-site scripting and data injection attacks.
- Dependency Management: Regular security audits of dependencies with automated vulnerability scanning.
Infrastructure Security
- Cloud Security: Hosted on enterprise-grade cloud infrastructure with physical security, network isolation, and redundancy.
- Network Security: Web application firewall (WAF), DDoS protection, and network segmentation.
- Monitoring: 24/7 security monitoring, intrusion detection, and automated alerting.
- Backup & Recovery: Regular automated backups with point-in-time recovery capabilities.
- Disaster Recovery: Multi-region deployment with failover capabilities.
Operational Security
- Access Control: Principle of least privilege for all system access. Regular access reviews.
- Audit Logging: Comprehensive logging of security-relevant events with tamper-evident storage.
- Incident Response: Documented incident response procedures with defined escalation paths.
- Security Training: Regular security awareness training for all employees.
- Vendor Assessment: Security assessment of all third-party vendors and subprocessors.
Compliance Certifications & Frameworks
We are committed to meeting the compliance requirements of our enterprise customers. Below is our current compliance status:
| Framework | Status | Description |
|---|---|---|
| GDPR | Compliant | Full compliance with EU General Data Protection Regulation including data subject rights and lawful processing. |
| CCPA/CPRA | Compliant | Compliant with California Consumer Privacy Act and California Privacy Rights Act requirements. |
| SOC 2 Type II | Planned | On roadmap for 2026. Currently leverages SOC 2 Type II certified infrastructure providers (Supabase, Vercel, Google Cloud). |
| ISO 27001 | Roadmap | ISO 27001 certification is on our security roadmap for enterprise customers. |
Data Protection
Data Residency
By default, customer data is stored in data centers located in the United States. Enterprise customers may request data residency in specific regions subject to availability.
Data Retention
We retain customer data for the duration of the subscription plus 30 days after account deletion. Detailed retention policies are available in our Privacy Policy.
Data Deletion
Customers can request data deletion at any time. Upon account termination, customer data is deleted within 30 days, with backups purged within 90 days.
Data Processing Agreement
Enterprise customers can request a Data Processing Agreement (DPA) that provides additional contractual commitments for GDPR compliance. View our standard Data Processing Agreement.
Subprocessors
We use the following third-party subprocessors to provide our services. All subprocessors are bound by data processing agreements and are required to maintain appropriate security measures.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database and Authentication | United States |
| Vercel | Application Hosting | United States |
| Google Cloud Platform | Storage and Infrastructure | United States |
| Stripe | Payment Processing | United States |
| Resend | Email Services | United States |
| OpenAI | AI Monitoring Services | United States |
| Anthropic | AI Monitoring Services | United States |
| Gemini | AI Monitoring Services | United States |
We will notify enterprise customers of any changes to subprocessors with at least 30 days' notice.
Responsible Disclosure
We take security vulnerabilities seriously. If you believe you have discovered a security vulnerability in our services, please report it to us responsibly.
Reporting a Vulnerability
Please send vulnerability reports to security@socialcrm.com. Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any proof-of-concept code (if applicable)
Our Commitment
- We will acknowledge receipt of your report within 48 hours
- We will provide an initial assessment within 5 business days
- We will keep you informed of our progress
- We will not take legal action against researchers who follow responsible disclosure practices
Note: Please do not publicly disclose vulnerabilities until we have had an opportunity to address them. We request at least 90 days to remediate issues before public disclosure.
Security Contact
For security-related inquiries, compliance documentation requests, or to report a security concern:
Enterprise customers with active subscriptions can request security documentation including SOC 2 Type II reports from our infrastructure providers, penetration test summaries, and security questionnaire responses.