Security Overview

This page summarizes the security controls we can substantiate from the current application and repository.

Last updated: March 12, 2026

What this page is and is not

This is a control summary, not a certification page. It describes security-relevant behavior visible in the current codebase and public product materials. It does not claim a current SocialCRM SOC 2, ISO 27001, or similar company-level certification.

Application and platform controls

Area | What the current implementation shows
--- | ---
Browser and transport protection | Security headers include HSTS, Content Security Policy, frame restrictions, referrer policy, and permissions policy controls across the application.
Authentication | User sign-in is handled with NextAuth and a JWT session strategy. Password verification uses bcrypt-hashed credentials.
Data access | The application uses Supabase-backed data access and is designed around tenant-scoped access patterns, including row-level-security-aware service calls.
Abuse prevention | Rate limiting is present on sign-in, signup, password-reset, AI crawler, and public growth-analysis endpoints.
Auditability | The codebase includes audit-log utilities and records access activity for certain AI-content routes and workflow operations.
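As an added check, not code from the SocialCRM repository, the JavaScript below verifies that a set of HTTP response headers carries each of the browser and transport controls listed in the table above. The header values are constructed samples, and the one-year HSTS minimum and the inline-script test are assumptions about good practice, not figures taken from this page.

```javascript
// Added example: checks a set of HTTP response headers for the browser/transport
// controls listed on this page (HSTS, CSP, frame restrictions, referrer policy,
// permissions policy). Header values below are constructed samples, not captured
// from socialcrm.com; the one-year HSTS threshold is an assumption.

function checkSecurityHeaders(headers) {
  // Normalise header names to lower case so lookups are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  // HSTS: must be present with a max-age of at least one year (31536000 s).
  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push('HSTS max-age below one year');

  // CSP: must be present and should not allow inline scripts.
  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing Content-Security-Policy');
  else if (/script-src[^;]*'unsafe-inline'/i.test(csp)) findings.push("CSP script-src allows 'unsafe-inline'");

  // Frame restrictions: X-Frame-Options or a CSP frame-ancestors directive.
  const framed = Boolean(h['x-frame-options']) || /frame-ancestors/i.test(csp || '');
  if (!framed) findings.push('no frame restriction (X-Frame-Options or frame-ancestors)');

  // Referrer-Policy and Permissions-Policy only need to be set for this check.
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');
  return findings;
}

// Constructed sample: a response that satisfies every check.
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

// Constructed sample: short HSTS max-age, no CSP, no frame restriction.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Referrer-Policy': 'no-referrer',
  'Permissions-Policy': 'camera=()',
};
```

To run it against a live response, pass the object returned by `Object.fromEntries(response.headers)` from a `fetch` call; an empty array means every listed control was found.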

Infrastructure and external providers

These providers are directly referenced in the application or public site and may be involved depending on which features you use.

Provider | Purpose | Notes
--- | --- | ---
Supabase | Database and authentication infrastructure | Core product data layer
Vercel | Application hosting and delivery | Used to serve the Next.js app
Google Cloud Storage | Static media and hosted assets | Used for public images and related files
Stripe | Billing and payment processing | Invoked for subscriptions and payment workflows
Resend | Email delivery | Used for transactional email workflows
OpenAI, Anthropic, and Google | Model providers for AI-assisted product features | Only involved when the relevant AI feature is used

Contracts and procurement support

If your team needs privacy or procurement documentation, SocialCRM publishes a standard Data Processing Agreement and keeps this security summary public.

For additional contract or questionnaire requests, contact the addresses in the contact section below so the right team can respond.

Reporting a security issue

If you believe you found a vulnerability, email security@socialcrm.com. Include:

  • The affected URL, route, or feature
  • Clear reproduction steps
  • Observed impact
  • Any logs, screenshots, or proof-of-concept material needed to understand it

Please do not access customer data, degrade service, or disclose an issue publicly before giving SocialCRM a reasonable opportunity to investigate.