Last updated: February 1, 2026

Security Practices

PostMonk takes the security of your data seriously. This page describes the technical and organizational measures we implement to protect your information and the social media accounts you connect to our platform.

1. Infrastructure Security

  • Cloud hosting: PostMonk is hosted on Google Cloud Platform (GCP), which maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications
  • Geographic redundancy: Data is replicated across multiple availability zones to ensure high availability
  • Network security: All traffic passes through cloud load balancers with DDoS protection and Web Application Firewall (WAF) rules
  • Isolation: Production, staging, and development environments are fully isolated

2. Data Encryption

  • In transit: All data transmitted between your browser and PostMonk is encrypted using TLS 1.3. We enforce HSTS (HTTP Strict Transport Security) to prevent downgrade attacks
  • At rest: All data at rest is encrypted using AES-256. Social media OAuth tokens receive an additional layer of application-level encryption using AES-256-GCM with per-token unique keys
  • Backup encryption: All backup data is encrypted using Google Cloud's default encryption with customer-managed encryption keys (CMEK)

3. Authentication and Access Control

  • Multi-factor authentication: MFA is available for all accounts and required for admin-level users
  • SSO support: Enterprise plans support Single Sign-On via SAML 2.0 and OpenID Connect
  • Session management: Sessions expire after a configurable inactivity period. Concurrent sessions are limited and logged
  • Role-based access: PostMonk supports granular role-based access control (RBAC) with Owner, Admin, Editor, and Viewer roles
  • API keys: API keys use scoped permissions and can be rotated or revoked at any time

4. OAuth Token Security

When you connect social media accounts, PostMonk uses OAuth 2.0 (the industry standard) to receive authorized access tokens. We handle these tokens with care:

  • Tokens are encrypted with AES-256-GCM before being stored
  • We request only the minimum scopes (permissions) necessary for each platform integration
  • Tokens are refreshed automatically and old tokens are invalidated
  • Tokens are immediately deleted when you disconnect a social account
  • We never store social media account passwords — we only store OAuth tokens issued by the platform

5. Application Security

  • Secure development lifecycle: All code changes undergo peer review and automated security testing before deployment
  • Dependency scanning: We use automated tools to scan for known vulnerabilities in third-party libraries
  • OWASP Top 10: Our application is designed to mitigate the OWASP Top 10 web application security risks, including injection, XSS, CSRF, and authentication vulnerabilities
  • Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks
  • Input validation: All user inputs are validated and sanitized on both client and server side

6. Monitoring and Incident Response

  • 24/7 monitoring: Automated systems monitor for security events, performance anomalies, and unauthorized access attempts
  • Audit logging: All administrative actions, authentication events, and data access are logged and retained
  • Incident response: We maintain a documented incident response plan. Critical security incidents are investigated and resolved within 24 hours, with affected users notified promptly
  • Vulnerability disclosure: We maintain a responsible disclosure policy. Security researchers can report vulnerabilities to [email protected]

7. Employee Access

  • Access to production systems is restricted to authorized personnel on a need-to-know basis
  • All employees undergo background checks and security awareness training
  • Employee access is audited regularly and revoked immediately upon departure
  • We use privileged access management (PAM) for sensitive systems

8. Compliance

PostMonk is committed to meeting the following compliance standards:

  • GDPR: We comply with the General Data Protection Regulation for EU/EEA users
  • CCPA: We comply with the California Consumer Privacy Act for California residents
  • Meta Platform Terms: We comply with Meta's Developer Policies and Platform Terms
  • X Developer Agreement: We comply with the X (Twitter) Developer Agreement and Policy
  • LinkedIn API Terms: We comply with LinkedIn's API Terms of Use
  • TikTok Developer Terms: We comply with TikTok's Developer Terms of Service
  • Google API Services User Data Policy: We comply with Google's requirements for YouTube API access

9. Data Backup and Recovery

  • Automated daily backups with point-in-time recovery capability
  • Backups are encrypted and stored in a separate geographic region
  • Disaster recovery procedures are tested quarterly
  • Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour

10. Contact

If you have security concerns, need to report a vulnerability, or have questions about our security practices: