Security & Compliance

• In transit. All connections use TLS 1.2 or higher with modern cipher suites. HSTS is enabled on the website.
• At rest. Databases, object storage, and backups are encrypted using AES-256 or equivalent.
• Secrets. OAuth tokens, API keys, and other secrets are encrypted at the application layer using a managed key-management service. Secrets are never logged.

PostBolt runs on managed cloud infrastructure in the European Union. Production services run in private networks; only the load balancer is exposed to the public internet. We use redundant zones, automated failover, daily backups, and a documented disaster-recovery plan.

• Mandatory peer code review for all changes to production code.
• Automated dependency-vulnerability scanning on every build.
• Static analysis and secret scanning in CI.
• Security headers: Content Security Policy, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, Permissions-Policy.
• Input validation, output encoding, parameterised queries.
• Rate limiting and abuse detection on authentication and publishing endpoints.

• Customer accounts. Salted password hashing (Argon2 or bcrypt with high work factor), optional two-factor authentication, session expiry, suspicious-login alerts.
• Internal access. MFA enforced for all engineers with access to production; SSO with audit logs; principle of least privilege; periodic access reviews.

• Centralised application and infrastructure logs.
• Tamper-evident retention for security-relevant logs.
• Alerting on anomalous activity (failed logins, privilege changes, unusual API patterns).

We maintain a documented incident-response plan covering detection, triage, containment, eradication, recovery, and post-mortem. We commit to notifying affected customers without undue delay and within 72 hours when a Personal Data Breach is confirmed, in line with GDPR Article 33.

To report a vulnerability or suspected incident, email support@postbolt.org. We follow a coordinated-disclosure approach: please give us reasonable time to investigate and remediate before public disclosure.

• GDPR / UK GDPR / Swiss FADP. We act as data controller for account data and as data processor for content the Customer publishes. See the Privacy Policy and DPA.
• CCPA / CPRA. California residents have additional rights — see Do Not Sell or Share My Personal Information.
• Ukrainian Law on Personal Data Protection. PostBolt complies with the Ukrainian Law "On Personal Data Protection" as the operating entity is based in Ukraine.

We assess each subprocessor's security posture before onboarding and require contractual data-protection obligations. The current subprocessor list is in Schedule 2 of the DPA.

• Choose a strong, unique password and enable two-factor authentication.
• Keep your access credentials confidential.
• Promptly disconnect compromised social-media accounts and revoke exposed tokens.
• Report suspicious activity to support@postbolt.org.

• Security reports / coordinated disclosure: support@postbolt.org
• General security questions: support@postbolt.org