Trust

Security.

Defence-in-depth controls across application, infrastructure, and operations. We treat every connected account as if it were our own.

Last updated · May 13, 2026

Amelytic is a system of record for your brand voice. The controls below describe how we keep your brand, your audience data, and your channel connections safe.

Encryption at rest

AES-256 on managed Postgres and Cloudflare R2 object storage. Backups are encrypted with the same controls.

TLS in transit

TLS 1.3 everywhere, HSTS preload-list submission, strict CSP with no unsafe-eval and nonced inline scripts.

OAuth tokens encrypted

Per-row data keys wrap each channel token (envelope encryption). Data keys are themselves wrapped by a master KEK rotated quarterly.

No plaintext passwords

Argon2id hashes only. JWT bearer auth with 24h sliding window. WebAuthn 2FA on the v1.1 roadmap.

RBAC + RLS

Eight built-in roles, application-layer authorization, and Postgres row-level security on every workspace-scoped table — belt and braces.

Audit log

Every approval decision, channel connection, and admin action is logged with the actor, the agent_run_id where relevant, and a signed timestamp.

Hardened infrastructure

Render (US/EU) with private networking between API + workers + Postgres. Daily encrypted backups, 30-day retention, quarterly restore drill.

Supply-chain hygiene

Dependencies scanned daily by Dependabot, SAST on every pull request, third-party packages pinned and reviewed before merge.

SOC 2 Type II

Audit underway with attestation targeting Q4 2026. Subprocessor list and DPA published.

Compliance
  • GDPR — data subject requests honoured within 30 days; subprocessor list public.
  • DPDP Act 2023 (India) — consent model + data principal rights honoured.
  • CCPA — do-not-sell respected.
  • SOC 2 Type II audit underway, targeting Q4 2026 attestation.
Responsible disclosure

Found something? We’d rather hear from you. Email security@amelytic.com with reproduction steps and the impact you observed.

We commit to acknowledge within 24 hours and triage within 72. We do not pursue legal action for good-faith research.