Enterprise-grade security, by default
Manager.Social handles your most sensitive marketing data and the OAuth credentials for every connected platform — Google, Meta, and more. We protect all of it with multiple overlapping layers of security so you can focus on growth, not risk.
Security Architecture
Every layer of the stack — from passwords to tokens to API secrets — is hardened with industry-standard cryptographic controls.
AES-256-GCM Encryption
All sensitive data — including OAuth tokens for connected platforms such as Meta and Google — is encrypted at rest using AES-256-GCM, the gold standard for symmetric encryption.
TLS / HTTPS
All data transmitted between your browser and our servers is protected with TLS encryption. Unencrypted connections are rejected — no exceptions.
Argon2id Password Hashing
User passwords are never stored in plain text. We use Argon2id — the winner of the Password Hashing Competition — which is resistant to GPU, ASIC, and side-channel attacks.
RS256 JWT Authentication
Session tokens are JWTs signed with RS256 (RSA with SHA-256), an asymmetric scheme: the private key signs, the public key verifies. This enables stateless, cryptographically verifiable authentication without a shared secret on the verifying side.
TOTP Two-Factor Authentication
Accounts can enable TOTP-based 2FA via any standard authenticator app (Google Authenticator, Authy, 1Password, etc.), adding a second layer of protection beyond passwords.
Role-Based Access Control
Every team member has granular permissions scoped per module. Company Admins control exactly which features each member can access — nothing more, nothing less.
Data Protection
Multi-Tenant Isolation
Every database query is scoped by companyId and deletedAt at the repository layer. There is no code path through which one company can read or modify another company's data — isolation is structural, not procedural.
Encrypted OAuth Credentials
OAuth tokens for connected platforms — Google Search Console, Google Analytics 4, Meta Ads, and others — are encrypted with AES-256-GCM before being written to the database. Keys are never logged or exposed in API responses.
Append-Only Audit Logging
All significant state changes — logins, data modifications, permission changes — are recorded in an append-only audit log. Entries cannot be edited or deleted, providing a tamper-evident trail for compliance and incident investigation.
Soft-Delete Architecture
Records are never hard-deleted by user action. Soft deletion via deletedAt timestamps prevents accidental permanent data loss and allows recovery windows before data is purged from storage.
Infrastructure
Our infrastructure is designed with defense-in-depth: each component is hardened independently so a compromise in one layer does not cascade to others.
PostgreSQL 16
Encrypted connections enforced for all client sessions. Row-level data is further protected by application-layer AES-256-GCM for secrets.
Dedicated Redis Instances
Cache and background-job queues run on separate Redis instances, limiting blast radius and preventing queue poisoning from cache operations.
Private Object Storage
Files and assets are stored in MinIO S3-compatible private buckets. Objects are not publicly accessible without explicit, short-lived pre-signed URLs.
Encrypted API Secrets
All third-party API keys (DataForSEO, Google Ads, Meta Ads, AI providers) are stored encrypted in the database and masked in all API responses — only the last four characters are ever displayed.
Compliance & Privacy
We believe privacy is a right, not a checkbox. Every data practice is designed to give you full control over your information.
GDPR Data Rights
Access, rectify, erase, and port your data at any time. We honour all GDPR subject access rights and respond within the statutory deadlines.
Data Export
Download a full copy of your account data in standard formats directly from the account settings — no support ticket required.
Account Deletion
Request full removal of your account and all associated data. No hidden retention periods, no silent archiving.
Privacy Policy
Our Privacy Policy provides a comprehensive, plain-language explanation of every data practice — what we collect, why, and how long we keep it.
Your data security is our priority
Every account starts with enterprise-grade security enabled by default — no configuration required.