postkeet / security
v1.2 · 2026
security · updated jan 12, 2026

Your accounts are
our whole job.

Postkeet holds OAuth tokens for your social accounts. We treat them like the keys they are — encrypted at rest, rotated on schedule, revocable in one click. Here's the full picture.

✓ 99.98% uptime (trailing 90 days) · TLS 1.3 · AES-256 at rest · SOC 2 Type II — in progress

SOC 2 Type II · in audit · q2 2026

Type I complete oct 2025. Drata observation window now underway with our auditor.

GDPR · compliant

EU data residency on request. DPA available. Rights of access, deletion, and portability honored within 30 days.

CCPA & CPRA · compliant

California residents can request or delete data anytime. Opt-out of sale — moot; we don't sell.

HIPAA · n/a · not applicable

Postkeet isn't intended for PHI. Don't use it that way — we don't sign BAAs.

live status · last 30 days

What's happening right now.

All systems normal

API, scheduler, publishing pipelines, analytics, and mobile sync are all healthy. Last incident: 11 days ago (brief X API rate-limit, 14 minutes). No user data was affected.

[uptime chart: 30 days · each bar = 1 day · green = normal]

Right now
  • Publish success rate (24h): 99.97%
  • Median publish latency: 1.8s
  • API p95 response: 92ms
  • Posts scheduled (24h): 184k
  • Active incidents: 0

the three pillars

How we keep everything in.

01 — identity

Who can touch your account.

  • OAuth-only social connections. We never ask for, store, or transmit platform passwords.
  • SSO via Google, Apple, Microsoft. Password auth uses bcrypt + per-user salt.
  • 2FA available on all plans · required for Studio workspace owners.
  • Session tokens rotate every 24 hours. Fingerprint changes trigger re-auth.
  • Role-based access on Studio — admin, editor, approver, viewer; scoped per workspace.

02 — data

How we store what's yours.

  • TLS 1.3 in transit. AES-256 at rest, including backups.
  • OAuth tokens encrypted with a per-workspace key in AWS KMS. Compromise of one doesn't leak the others.
  • Your content is never training data — your drafts, voice samples, and DMs stay yours, full stop. Contractually binding in the DPA.
  • 30-day retention on deleted items, then cryptographic erasure. See data deletion.
  • EU residency on request for Studio customers — Frankfurt region, eu-central-1.

03 — operations

How the team actually works.

  • Least privilege for all engineers. Production access is time-boxed and audited.
  • Mandatory code review on every merge. No emergency overrides in 2025.
  • Quarterly penetration tests by an independent firm · reports available under NDA.
  • Annual DR drills — full region failover rehearsed Q4 each year.
  • Secrets rotated every 90 days. Laptops encrypted, MDM-managed, wiped on offboarding.

incident log · trailing 6 months

What's gone wrong and how we fixed it.

date · duration · category

jan 08, 2026 · 14 min · minor
X API rate-limit elevation delayed some tweets · postmortem published same day

dec 14, 2025 · 22 min · minor
Scheduler worker lag during a traffic spike · auto-scaling threshold adjusted

nov 02, 2025 · 2h 14m · upstream
Meta Graph API outage caused IG publish failures · queued & retried after restore

oct 19, 2025 · 38 min · minor
Analytics dashboard partial outage · cache layer restarted

sep 26, 2025 · 1h 10m · minor
Mobile app sync delay after v3.2 push · hotfix released in 90 min

aug 03, 2025 · 4 min · maintenance
Brief DB failover during a planned maintenance window · within SLO

Full history at status.postkeet.studio · RSS · Slack webhook on request

subprocessors

Every vendor that touches any of your data.

AWS · infra · us-east-1, eu-central-1 · since 2023
Compute, DB, object storage. SOC 2, ISO 27001, FedRAMP.

Cloudflare · edge · CDN & WAF · since 2023
Edge caching, DDoS protection, WAF. All data proxied through encrypted tunnels.

Stripe · payments · since 2024
Card storage, billing, tax. We never see your card number.

Postmark · transactional email · since 2024
Password resets, digest emails, alerts. Handles email message content only; never your post content.

Linear · internal · issue tracking · since 2023
Used by our team only. Doesn't touch customer data.

Anthropic · ai · inference · since 2024
Caption generation via zero-retention API. Your content is not used for training.

Sentry · error monitoring · since 2023
Self-hosted in our own AWS. PII scrubbed before ingestion.

Drata · compliance monitoring · since 2024
Continuous SOC 2 controls monitoring. Metadata only.

Changes to this list are emailed to account owners 30 days before they take effect.

responsible disclosure

Find something broken? We'll pay you.

Our bug bounty has been open since April 2024. We respond to valid reports within 24 hours, patch within 7 days for high-severity, and pay on confirmation — not on "maybe."

Email security@postkeet.studio · PGP key available on request.

Bounty tiers
  • critical · $5,000
  • high · $2,500
  • medium · $800
  • low · $200

your side of the deal

Five things you should turn on.

01 — 2FA
Settings → Security → Two-factor auth. Authenticator app or hardware key. Takes 60 seconds. The single most impactful thing you can turn on.
02 — role scope
If you invite a freelancer, give them the minimum role. "Editor" for drafters, "Approver" for clients. Don't share admin.
03 — session review
Settings → Security → Active sessions. Revoke anything you don't recognize. We surface new-country logins on the dashboard too.
04 — token health
When a platform asks for re-auth, don't dismiss it — an expired token means nothing publishes. We email you three times before it lapses.
05 — workspace owners
Make sure your workspace has two owners. If one leaves the company without handing off, you're locked out. Studio prompts you on setup.

security FAQ

The questions we get most.

If my Postkeet account is breached, can the attacker post as me?

They'd still need to bypass 2FA if you have it on — which is why we nag you. Even then, an attacker with login access can draft but not auto-publish without also passing an approval step (if you enabled it). OAuth tokens are encrypted with keys the attacker's session can't derive.

What happens to my data if Postkeet shuts down?

We'd give 90 days' notice, provide one-click export of everything you've put in, and open-source the scheduling engine. We're profitable and don't expect to shut down — but we'd rather tell you the plan up front.

Do employees read my content?

Only if you ask us to (e.g. a support ticket about a specific post). Engineers have no standing access to content. Support access is time-boxed, logged, and requires you to approve it in-app.

Do you use my posts to train AI?

No. Your brand voice model is per-account and isolated. Inference runs through zero-retention APIs. This is binding in our DPA.

Where can I get a copy of your SOC 2 / DPA / pen test?

Email security@postkeet.studio. We send SOC 2 Type I, DPA, and our most recent pen test summary under mutual NDA. Turnaround is typically same-day.

Security is a feature.
Not a line item.

Questions we didn't answer? Mail security@postkeet.studio and we'll reply in one business day.
