Security

Boring on purpose.

Six things we do that we would want any vendor of ours to do. Audits and reports below.

RLS on every table

Postgres row-level security policies on every table, with every read and write scoped to the caller's org. Service-role keys, which bypass RLS entirely, never reach the browser.
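An added example, not Slipstream's own schema or policies: an org-scoped RLS setup for one hypothetical table, following the pattern described above. The table and column names and the location of the org claim in the JWT (app_metadata.org_id) are assumptions; auth.jwt() and auth.uid() are the helper functions Supabase ships in its auth schema.

```sql
-- Added example (hypothetical table, not Slipstream's schema). Assumes the
-- caller's org is carried in the JWT at app_metadata.org_id.

create table if not exists public.videos (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  owner_id   uuid not null references auth.users (id),
  title      text not null,
  created_at timestamptz not null default now()
);

grant select, insert, update, delete on public.videos to authenticated;

-- Neither policies nor grants matter until RLS is enabled; FORCE applies the
-- policies to the table owner as well.
alter table public.videos enable row level security;
alter table public.videos force row level security;

-- Caller's org, read from the JWT Supabase hands to Postgres. Returns NULL for
-- anonymous callers, so every comparison below fails closed.
create or replace function public.current_org_id()
returns uuid
language sql
stable
as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'org_id', '')::uuid
$$;

-- Reads: only rows in the caller's org.
create policy "videos: org read"
  on public.videos for select
  to authenticated
  using (org_id = public.current_org_id());

-- Inserts: WITH CHECK is evaluated against the row being written, so a caller
-- cannot create a row in another org or on behalf of another user.
create policy "videos: org insert"
  on public.videos for insert
  to authenticated
  with check (org_id = public.current_org_id() and owner_id = auth.uid());

-- Updates: the row must start and end in the caller's org, so rewriting
-- org_id cannot move a row out of the tenant.
create policy "videos: org update"
  on public.videos for update
  to authenticated
  using (org_id = public.current_org_id())
  with check (org_id = public.current_org_id());

create policy "videos: org delete"
  on public.videos for delete
  to authenticated
  using (org_id = public.current_org_id());

-- Check: impersonate an authenticated caller from org A inside a transaction
-- and query for org B's rows. The claim values are constructed test data.
begin;
set local role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated",'
  '"app_metadata":{"org_id":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}}',
  true
);
-- With the policies above, org B's rows are invisible to this caller even
-- when addressed directly by org_id.
select count(*) from public.videos
  where org_id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb';
rollback;
```

Run it as the postgres role in the Supabase SQL editor or psql. Two things the check at the end depends on: RLS only constrains roles that are routed through the policies (anon and authenticated), and the service_role key bypasses RLS altogether, which is why that key has to stay server-side.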

Encryption at rest and in transit

AES-256 at rest via Supabase. TLS 1.3 in transit. OAuth tokens for connected platforms are encrypted with libsodium sealed boxes (X25519 key agreement with XSalsa20-Poly1305) before they are stored.

Region pinning

Indian customers' data stays in Mumbai (ap-south-1), aligned with India's DPDP Act. International customers are served from us-east-1 with a replica in eu-west-1. Any cross-region transfer requires an audit-log entry.

OAuth scopes, minimum

We request only the scopes we use: youtube.upload (YouTube), instagram_content_publish (Instagram), w_member_social (LinkedIn). We never request scopes that read your DMs or contacts.

API keys per environment

Production, staging, and development keys are separate. Pro and Studio API keys are scoped per channel. Keys can be rotated in-app.

Incident SOP

A Sev1 incident is paged in under 5 minutes. Affected customers are notified within 24 hours of containment. A postmortem is published at status.slipstream.video within 7 days: blameless, root causes only.

Audits and reports

  • SOC 2 Type II: in progress, target Q3 2026 (via Vanta)
  • DPDP compliance attestation: filed, Mumbai jurisdiction (internal + Aparajitha)
  • Penetration test: last run Apr 2026 (Cobalt)
  • Bug bounty: live, scope at /security/bounty (self-managed)