Encryption
- AES-256-GCM at rest, on every disk, every backup
- TLS 1.3 in transit, with HSTS preloaded and PFS
- Per-tenant keys rotated quarterly via AWS KMS
- Customer-managed keys (BYOK) on Enterprise plan
Manager.Social is the system of record for thousands of marketing teams. We treat that responsibility the way a bank treats deposits — with engineering rigor, independent audits, and zero shortcuts. Encryption everywhere, access only to those who need it, and a public posture you can verify.
Defense in depth, applied to every layer of the stack. From the disk your data lives on to the tab you open it in — each layer hardened, monitored, and independently verified.
Encrypted in transit (TLS 1.3) the moment it leaves your browser. Validated, sanitized, rate-limited at the edge.
Workers run in isolated VPCs, no public network. Memory wiped between jobs. Secrets via short-lived IAM roles only.
Encrypted at rest with per-tenant keys. Stored only in your chosen region. Backups encrypted with separate key hierarchy.
Every read passes RBAC + audit log. SSO-enforced sessions. Zero-trust internal — even our engineers can't see your data without an approved break-glass ticket.
We run on hardened AWS accounts in three geographic regions. You pick yours at signup and we never copy your data outside it — not for backups, not for analytics, not for ML training. Period.
Every primary database is multi-AZ with synchronous replicas. We snapshot hourly, retain point-in-time recovery for 30 days, and run quarterly disaster-recovery drills with documented RPO of 5 minutes and RTO of 1 hour.
Each badge links to the latest audit report, attestation letter, or DPA. Nothing here is on the honor system.
Audited annually by Prescient Assurance against the Trust Services Criteria (Security, Availability, Confidentiality). Latest report: November 2025.
Information Security Management System certified by Schellman. Surveillance audits annually, full recertification every three years. Cert no. IS-887421.
EU-based data residency, Standard Contractual Clauses on file, DPIA template available. EU representative: VeraSafe Ireland Ltd.
Business Associate Agreements available on Enterprise plans. Administrative, physical, and technical safeguards aligned with 45 CFR §164.
We don't store card data — payments tokenize through Stripe. Manager.Social itself is Level 1 attested for the payment processing environments we touch.
California residents can request data access, deletion, and opt-out via in-app controls or privacy@manager.social. We do not sell personal information.
In the AWS region you choose at signup — US (us-east-1), EU (eu-west-1), or APAC (ap-southeast-1). Your data, including backups and logs, never crosses that boundary. Region is locked at the workspace level and only changeable via a written request and a controlled migration.
By default, no one. Customer support agents see only what you've explicitly shared in a ticket. Engineers cannot access production data without an approved break-glass ticket signed by two security officers — every such access is logged, time-boxed, and reviewed weekly.
No. Our AI features either run on customer-isolated inference endpoints or call OpenAI/Anthropic with zero-data-retention agreements. We never use your content to train shared models. This is contractual, not a promise — it's in your DPA.
You get a 30-day window to export everything in standard formats (CSV, JSON, full database dump for Enterprise). After that, we delete your data within 90 days from primary storage and within 180 days from backups. You receive a signed Certificate of Destruction on request.
Yes — on the Enterprise plan. We support customer-managed keys via AWS KMS in your own AWS account. You can rotate, audit, or revoke at any time; revocation immediately renders your data unreadable to us.
We follow a documented incident response runbook with defined severity levels and customer notification SLAs. For any incident affecting customer data, you'll receive a direct email and in-app banner within 24 hours, followed by a public post-mortem within 14 days.
Yes. SAML 2.0 SSO with Okta, Azure AD, Google Workspace, JumpCloud, OneLogin, and any SAML-compliant IdP. SCIM 2.0 for automated user provisioning and deprovisioning. Both are included on Business and Enterprise plans, no upcharge.
Our Trust Center (linked above) hosts the live SOC 2, ISO 27001, and pen-test summaries. For deeper review we provide standard questionnaires (CAIQ, SIG Lite) and will meet with your team under NDA. Email security@manager.social to start.
Our security team responds to every inbound — typically within one business day. For sensitive disclosures, use our PGP key (fingerprint below).