Sosyal Köprü

Data Security

Technical and organizational security measures implemented in the Sosyal Köprü platform, verified from our actual codebase.

Last updated: March 22, 2026

Disclaimer: This page describes the security measures currently implemented in our platform. No technological system can guarantee absolute security. Security is an ongoing process and we continuously work to improve our measures. The information on this page does not constitute a security guarantee.

1. Transport & Communication Security

  • HTTPS / TLS: All communication between the platform and your browser is encrypted via HTTPS. HTTP connections are automatically redirected to HTTPS.
  • HSTS (HTTP Strict Transport Security): HSTS headers are enforced, instructing browsers to always use secure connections.
  • Security Headers: The following headers are active across the platform:
    • X-Frame-Options: DENY (prevents clickjacking)
    • X-Content-Type-Options: nosniff
    • X-XSS-Protection: 1; mode=block (legacy header kept for old browser engines; current browsers no longer implement the filter it controls)
    • Content-Security-Policy: frame-ancestors 'none' (this policy restricts framing only; it does not restrict script, style or connection sources)
    • Referrer-Policy: strict-origin-when-cross-origin
    • Permissions-Policy (camera, microphone, geolocation disabled)

2. Authentication & Access Control

2.1. User Authentication

  • Password Hashing: User passwords are hashed using Better-Auth's default hashing algorithm and are never stored in plain text.
  • Minimum Password Length: 8 characters minimum is enforced at the application level.
  • Email Verification: Email verification via OTP is required before account activation.
  • Session Management: Cookie-based sessions with a 7-day TTL and a 5-minute cookie cache interval (session data is re-validated against the database at most every 5 minutes, so a revoked session can remain usable for up to that long).
  • Rate Limiting: Login attempts are rate-limited (10 requests per 60-second window).
  • Bot Protection: Cloudflare Turnstile is integrated to prevent automated attacks.

2.2. Admin Panel Security

  • Two-Factor Authentication (2FA): TOTP-based 2FA is mandatory for admin access. TOTP secrets are encrypted with AES before storage.
  • Session Restrictions: Admin sessions have an 8-hour TTL and 30-minute idle timeout.
  • Brute Force Protection: Admin login is locked for 15 minutes after 5 failed attempts (failure counter and lock kept in Redis).
  • Audit Logging: All admin actions (user management, configuration changes, impersonation) are recorded in a dedicated audit log.

2.3. Role-Based Access Control (RBAC)

  • Four workspace roles: Owner, Admin, Editor, Viewer
  • Editors can be restricted to specific social accounts within a workspace.
  • Each role has distinct permissions for content creation, publishing, account management, and settings.

3. Data Encryption & Protection

  • RSA-2048 OAEP: Billing and payment data submitted from the client is encrypted with RSA-2048 OAEP (SHA-256) before it is sent for processing.
  • AES Encryption: TOTP secret keys for admin 2FA are encrypted with AES before storage.
  • Payment Processing: Payment transactions are processed through İyzico's PCI DSS compliant infrastructure. We do not store credit card numbers.
  • Media Files: User media files are stored on Cloudflare R2 and accessed via time-limited signed URLs.

Note: Social media OAuth tokens are currently stored in the database without application-level encryption, so their protection relies on database access controls. We are working on implementing at-rest encryption for these tokens.

4. Infrastructure & Service Providers

  • Application Hosting: Railway (cloud platform)
  • Database: PostgreSQL with Prisma ORM
  • Cache & Queue: Upstash Redis and QStash
  • Media Storage: Cloudflare R2
  • CDN & Edge Security: Cloudflare
  • Email: Resend (transactional emails)
  • Payments: İyzico (PCI DSS compliant)

5. Webhook & Background Job Security

  • QStash Signature Verification: All incoming webhooks from QStash are verified against the QStash signing keys before the job is executed; unsigned or mis-signed requests are rejected.
  • Idempotency Locks: Redis-based idempotency keys prevent duplicate processing of the same job.
  • Webhook Deduplication: Social platform webhooks are deduplicated using Redis to prevent processing the same event multiple times.

6. GDPR & KVKK Compliance

  • Processing of personal data in compliance with KVKK (Law No. 6698) and GDPR requirements.
  • Data subject rights (access, rectification, erasure, portability, objection) can be exercised by contacting [email protected]
  • 72-hour breach notification commitment to the relevant authority (KVKK Board / GDPR Supervisory Authority).
  • Account and data deletion requests are processed within 30 days. See our Data Deletion page for details.

7. Contact

For questions or concerns about data security: