Security Practices

Last updated: June 14, 2026

ScoutSocial maintains technical and organizational security measures designed to protect customer information from unauthorized access, disclosure, alteration, and loss.

1. Employee Responsibilities

  • Team members receive security and privacy training.
  • Personnel are bound by confidentiality and data protection obligations.
  • Access to customer data is limited to a need-to-know business basis.

1.1 Personnel onboarding and offboarding

All ScoutSocial personnel sign a confidentiality and data-protection agreement before being granted production access; complete data-protection and platform-policy training promptly after joining (normally within 30 days) and annually thereafter; and have all credentials and access rights revoked promptly on departure (normally within one business day). We log a written attestation of completed onboarding and offboarding for each individual.

2. Access Controls

Access to production systems and Customer Personal Data is limited to authorised personnel who require it for a specific support, debugging or compliance task and is subject to access controls. Multi-factor authentication is mandatory for all employee access to production systems and to administrative consoles of every sub-processor. Administrative actions taken on Customer data are recorded in a reviewable audit log (actor, action, resource, timestamp). ScoutSocial uses exactly one (1) Google Cloud API Project for its YouTube API Client; YouTube API credentials are stored in our secrets manager, are accessible only to authorised personnel under confidentiality obligations, and are never embedded in any open-source project.

2.1 OAuth token handling

Connected-Platform OAuth access and refresh tokens are stored encrypted at rest: the application database that holds them is encrypted with AES-256 envelope encryption under an AWS KMS key, and each token additionally receives an application-level authenticated-encryption wrap that is decrypted in memory only at the moment of an API call. Tokens are not exposed to the browser client and are scoped to the workspace that authorised them — never shared or pooled across workspaces or users. Tokens are decrypted only within the publishing and sync code paths; they are never logged in plaintext and are not accessible through administrative or customer-support tooling. Tokens are deleted when the user disconnects the account, leaves the workspace, or revokes ScoutSocial’s authorisation at the platform; deletion propagates to all active systems, replicas and caches within 7 days, and copies held in encrypted backups are overwritten on the standard backup-retention cycle.

3. Encryption

Encryption in transit. All ScoutSocial endpoints accept only TLS 1.2 or higher; HSTS is enabled for the production domain. Internal service-to-service traffic uses mutually authenticated TLS or runs within a private VPC. All Meta Graph API calls are HTTPS-only and include appsecret_proof where Meta requires it; OAuth tokens are never exposed to the browser client.

Encryption at rest. Customer Personal Data is encrypted at rest. The application database — which holds OAuth access and refresh tokens and other Personal Data — uses AES-256 envelope encryption under an AWS KMS key; the cache layer has at-rest encryption enabled; and content media in object storage is encrypted at rest with AES-256 server-side encryption. OAuth tokens additionally receive an application-level authenticated-encryption wrap. Customer Personal Data in logs is redacted or hashed before storage where feasible.

4. Monitoring and Logging

We monitor systems for suspicious activity and maintain audit logging to support detection and investigation of security events.

5. Backup and Recovery

We perform regular backups of critical systems and maintain recovery procedures for disruptions and technical failures.

6. Secure Development

Security considerations are incorporated into development, testing, and release processes for new features and updates.

6.1 API integration discipline

ScoutSocial: (a) tracks each Connected Platform’s pinned API version against the platform’s current and deprecated versions and plans regression-tested upgrades before each pin’s deprecation deadline (Meta Graph API deprecates on a ~2-year cycle); (b) subscribes to each platform’s developer-policy and revision-history channels (YouTube Required Minimum Functionality RSS, Meta developer newsletter, LinkedIn pre-notification process, X developer changelog, TikTok developer announcements) so that integration changes propagate within each platform’s required window; (c) accesses Connected Platform APIs only through documented endpoints — undocumented APIs, scraping and reverse-engineering are prohibited.

6.2 OAuth scope minimisation

ScoutSocial requests only the OAuth scopes its current features require, requests scopes incrementally where a platform supports incremental authorization, and exercises each requested scope within 28 days to avoid Meta’s silent permission-suspension rule. Aspirational or future-proofing scope requests are not made.

6.3 Audit cooperation

ScoutSocial cooperates with all platform audits and monitoring activities. On request and within the platform’s stated timeframe we provide test accounts that exercise the current production feature surface, documentation of scopes, retention and deletion flows, and proof of compliance with the platform’s developer policies. Quota-extension requests with YouTube trigger an API Compliance Audit, which we resource and respond to in full.

6.4 TikTok audit log

ScoutSocial maintains a TikTok-integration compliance audit log covering OAuth grants and refreshes, Content Posting API calls and responses, creator-info or profile retrievals, and deletion operations. The log is metadata-only (no TikTok Personal Data), is retained for at least 395 days to cover TikTok’s post-termination audit window, and is producible to TikTok on request.

6.5 YouTube credential suspension

If our YouTube API credentials are suspended, revoked or terminated, or the Google Account used to create them is suspended or terminated, ScoutSocial will cease all YouTube API access immediately and will not attempt to circumvent the suspension by creating new Google accounts, new API credentials, or new API projects.

6.6 Meta Graph API error handling

ScoutSocial’s Meta integration implements correct mapping and retry/backoff behaviour for Meta’s documented error taxonomy — including rate limits, invalid parameters, expired tokens, missing permissions, Page-compliance temporary blocks, Business-use-case limits and media-upload rule violations. Each error class triggers a distinct retry, notification or backoff pattern, and persistent errors are surfaced to the affected user via in-product alerts.
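One way to structure the per-class retry, backoff and notification behaviour described above, as an added example that is not ScoutSocial's integration code: errors are first mapped to a class, each class carries its own policy, and the caller gets back either the successful body or the class and the action to take (re-authorise, alert, pause, fail). The code-to-class table is a partial reading of Meta's public error reference from memory and is illustrative; entries should be confirmed against the current documentation, and codes not listed (for example media-upload rule violations) fall through to the unknown class. The function and constant names, the retry counts and the delays are this example's own choices.

```javascript
// Added example (not ScoutSocial's code): map Meta Graph API errors to classes,
// apply a class-specific retry/backoff policy, and report the action to take.
// The code table below is illustrative and partial; verify against Meta's docs.

const ErrorClass = Object.freeze({
  RATE_LIMIT: 'rate_limit',       // codes 4, 17, 32, 613: back off, then retry
  BUSINESS_USE_CASE: 'buc_limit', // 80001..80008 range: longer back off, then retry
  TOKEN_INVALID: 'token_invalid', // code 190: token expired/invalid, re-authorise
  PERMISSION: 'permission',       // code 10 and 200..299: missing permission, alert
  INVALID_PARAM: 'invalid_param', // code 100: bad request, do not retry
  TEMP_BLOCK: 'temp_block',       // code 368: policy block, pause and alert
  TRANSIENT: 'transient',         // codes 1, 2 or HTTP 5xx: short retry
  UNKNOWN: 'unknown',             // anything else, including codes not tabled here
});

function classifyError(httpStatus, body) {
  const err = (body && body.error) || {};
  const code = err.code;
  if (code === 190) return ErrorClass.TOKEN_INVALID;
  if (code === 4 || code === 17 || code === 32 || code === 613) return ErrorClass.RATE_LIMIT;
  if (code >= 80001 && code <= 80008) return ErrorClass.BUSINESS_USE_CASE;
  if (code === 10 || (code >= 200 && code <= 299)) return ErrorClass.PERMISSION;
  if (code === 100) return ErrorClass.INVALID_PARAM;
  if (code === 368) return ErrorClass.TEMP_BLOCK;
  if (code === 1 || code === 2 || httpStatus >= 500) return ErrorClass.TRANSIENT;
  return ErrorClass.UNKNOWN;
}

// Per-class policy (example values): how many retries, the base delay in ms,
// and what to do when giving up. Non-retryable classes have zero retries.
const POLICY = {
  rate_limit:    { retries: 5, baseMs: 60_000,  onFail: 'alert' },
  buc_limit:     { retries: 3, baseMs: 300_000, onFail: 'alert' },
  transient:     { retries: 3, baseMs: 1_000,   onFail: 'alert' },
  token_invalid: { retries: 0, baseMs: 0,       onFail: 'reauth' },
  permission:    { retries: 0, baseMs: 0,       onFail: 'alert' },
  invalid_param: { retries: 0, baseMs: 0,       onFail: 'fail' },
  temp_block:    { retries: 0, baseMs: 0,       onFail: 'pause' },
  unknown:       { retries: 1, baseMs: 5_000,   onFail: 'alert' },
};

// Exponential backoff with full jitter, capped; `rand` in [0,1) is injectable.
function backoffMs(baseMs, attempt, rand = Math.random, capMs = 15 * 60_000) {
  const window = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * window);
}

// Run `call` (returns {status, body}) under the class policy. `onWait(ms)` is
// where a real client would sleep or reschedule; here it is a plain callback
// so the loop stays synchronous and deterministic.
function callWithPolicy(call, { rand = Math.random, onWait = () => {} } = {}) {
  let attempt = 0;
  for (;;) {
    const { status, body } = call();
    if (status < 400 && !(body && body.error)) {
      return { ok: true, body, attempts: attempt + 1 };
    }
    const cls = classifyError(status, body);
    const policy = POLICY[cls];
    if (attempt >= policy.retries) {
      // Surface the class and the required action (re-auth, alert, pause, fail).
      return { ok: false, cls, action: policy.onFail, attempts: attempt + 1 };
    }
    onWait(backoffMs(policy.baseMs, attempt, rand));
    attempt += 1;
  }
}

// Demo: two constructed rate-limit responses, then success.
function demo() {
  let n = 0;
  const fakeCall = () =>
    n++ < 2 ? { status: 400, body: { error: { code: 4 } } } : { status: 200, body: { id: '1' } };
  const result = callWithPolicy(fakeCall, { rand: () => 0.5, onWait: (ms) => console.log('wait', ms) });
  console.log(result);
}
demo();
```

Keeping the policy table separate from the classifier makes the two concerns reviewable on their own: a change in Meta's error reference edits classifyError, a change in how long the product is willing to wait edits POLICY, and neither touches the retry loop.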

7. Incident Response

ScoutSocial maintains a documented incident-response process covering identification, containment, eradication, recovery, customer and regulator notification, and post-incident review. Customers will be notified of any Personal Data breach affecting them without undue delay and no later than 72 hours after we become aware of the breach (consistent with GDPR Art. 33). Where a breach involves Connected Platform data we additionally notify each affected platform within its required timeframe and through its required channel — including: LinkedIn — written report to security@linkedin.com within 24 hours of discovery, and no public statement until LinkedIn has granted written permission; Meta — submission via Meta’s developer incident form as soon as practicable; YouTube/Google — notification to the API Services contact form. Post-incident reports are produced and retained in accordance with our retention schedule.

8. Updates

We may update these practices over time to reflect legal requirements and improvements in security controls.

9. Vulnerability Reporting

Security researchers and Customers can report vulnerabilities to legal@scoutsocial.ai or via the disclosure contact published at /.well-known/security.txt. We aim to acknowledge reports promptly and to provide regular status updates until resolution. We follow coordinated-disclosure norms. ScoutSocial will also report third-party non-compliance with platform developer policies (e.g. a sub-processor or Customer attempting prohibited actions) back to the affected platform through its API Services contact form or equivalent.

10. General Contact

Questions about security practices: legal@scoutsocial.ai

© 2026 ScoutSocial. All rights reserved.
