Encryption at rest
AES-256 on managed Postgres and Cloudflare R2 object storage. Backups are encrypted with the same controls.
Defence-in-depth controls across application, infrastructure, and operations. We treat every connected account as if it were our own.
Last updated · May 13, 2026
Amelytic is a system of record for your brand voice. The controls below describe how we keep your brand, your audience data, and your channel connections safe.
AES-256 on managed Postgres and Cloudflare R2 object storage. Backups are encrypted with the same controls.
TLS 1.3 everywhere, HSTS preload-list submission, strict CSP with no unsafe-eval and nonced inline scripts.
Per-row data keys wrap each channel token (envelope encryption). Data keys are themselves wrapped by a master KEK rotated quarterly.
Argon2id hashes only. JWT bearer auth with 24h sliding window. WebAuthn 2FA on the v1.1 roadmap.
Eight built-in roles, application-layer authorization, and Postgres row-level security on every workspace-scoped table — belt and braces.
Every approval decision, channel connection, and admin action is logged with the actor, the agent_run_id where relevant, and a signed timestamp.
Render (US/EU) with private networking between API + workers + Postgres. Daily encrypted backups, 30-day retention, quarterly restore drill.
Dependencies scanned daily by Dependabot, SAST on every pull request, third-party packages pinned and reviewed before merge.
Audit underway with attestation targeting Q4 2026. Subprocessor list and DPA published.
Found something? We’d rather hear from you. Email security@amelytic.com with reproduction steps and the impact you observed.
We commit to acknowledge within 24 hours and triage within 72. We do not pursue legal action for good-faith research.