Security at ReachPilot

Protecting your data and your connected accounts is fundamental to everything we build. Here's how we keep your information safe.

Data Encryption

All data at rest is encrypted using AES-256-GCM, including OAuth tokens, user data, and analytics. Platform access tokens receive an additional layer of application-level encryption before storage.

All data in transit is protected with TLS 1.3. We enforce HSTS headers and certificate pinning on all API endpoints. Internal service-to-service communication uses mutual TLS.

OAuth Security

All platform integrations use OAuth 2.0 with PKCE (Proof Key for Code Exchange) to prevent authorization code interception attacks. We request minimal permissions — only what's required for publishing, scheduling, and analytics.
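The paragraph above names PKCE but does not show what the client and the authorization server actually exchange. The following Python block is an added, self-contained illustration of the PKCE flow from RFC 7636 (S256 method); it is not ReachPilot's code and makes no assumption about ReachPilot's implementation. It generates a code_verifier, derives the code_challenge, builds the authorization request parameters, and shows the server-side check that binds the token request to the original authorization request, which is why a leaked authorization code alone cannot be redeemed. The helper names (make_verifier, make_challenge, authorization_params, server_verify) and the sample client_id/redirect_uri values are invented for this example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as required by RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: a high-entropy code_verifier.

    RFC 7636 section 4.1 requires 43-128 unreserved characters;
    32 random bytes base64url-encode to exactly 43 characters.
    """
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(verifier: str, client_id: str, redirect_uri: str, scope: str) -> dict:
    """Client side: query parameters for the authorization request.

    Only the challenge travels through the browser; the verifier stays with the client.
    A random state value is included against cross-site request forgery on the callback.
    """
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": b64url(secrets.token_bytes(16)),
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }


def server_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint.

    The server stored code_challenge alongside the issued authorization code.
    The token request must carry the matching code_verifier; the comparison is
    constant-time so timing does not leak how many characters matched.
    """
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed sample values for the demonstration (not real endpoints).
    verifier = make_verifier()
    params = authorization_params(
        verifier,
        client_id="example-client",
        redirect_uri="https://app.example/callback",
        scope="publish schedule analytics",
    )
    print("Authorization request query:", urlencode(params))

    # The server binds the issued code to params["code_challenge"].
    stored = params["code_challenge"]

    # Legitimate client redeems the code with its own verifier: accepted.
    print("legitimate exchange:", server_verify(stored, verifier))

    # A party holding only the intercepted code cannot produce the verifier:
    # any guess fails, so the code is useless without it.
    print("code without verifier:", server_verify(stored, make_verifier()))
```

The verifier never leaves the client until the token request, which runs over TLS directly to the token endpoint rather than through the browser redirect, so the redirect URI or referrer leakage that exposes an authorization code does not expose what is needed to redeem it.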

OAuth tokens are encrypted at rest and rotated automatically when platforms support refresh tokens. You can revoke any platform connection instantly from your dashboard, which immediately invalidates all stored tokens.

Infrastructure

ReachPilot runs on Vercel and AWS infrastructure with automatic scaling, DDoS protection, and geographic redundancy. Our database layer uses encrypted connections with row-level security.

We are actively working toward SOC 2 Type II certification. Our infrastructure follows the principle of least privilege, with automated security scanning on every deployment.

Compliance

GDPR: ReachPilot complies with the General Data Protection Regulation. EU users can exercise their rights to access, rectification, erasure, data portability, and restriction of processing. We maintain records of processing activities and have designated a data protection contact.

Australian Privacy Act: As an Australian-built platform, ReachPilot complies with the Australian Privacy Principles (APPs). We maintain a transparent privacy policy, collect only necessary personal information, and provide access and correction mechanisms.

CCPA: California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. ReachPilot does not sell personal data.

Data Residency

User data is primarily stored in US-based data centers with Vercel and AWS. For users subject to data residency requirements, we support data processing agreements (DPAs) that outline cross-border transfer safeguards.

International data transfers are protected using Standard Contractual Clauses (SCCs) where applicable. Contact us for a copy of our DPA or for specific data residency questions.

Responsible Disclosure

If you discover a security vulnerability in ReachPilot, please report it responsibly. We take all reports seriously and will respond promptly.

security@reachpilot.com.au

Please do not publicly disclose vulnerabilities before we have had a chance to investigate and address them.