Security · SOC 2 in progress

Security & Compliance

How Amelytic protects your brand data, social credentials, and generated content. We treat security as a product feature, not an afterthought.

Core guarantees

AES-256: Encryption at rest

TLS 1.2+: All data in transit

GDPR · DPDPA: Aligned by design

72h Breach SLA: Disclosure commitment

Compliance posture

SOC 2 Type I · In progress · Q4 2026

GDPR · In progress · EU customers

DPDPA · In progress · India, 2023 Act

ISO 27001 · In progress · 2027 target

01 · INFRASTRUCTURE

Managed cloud · auto-failover · daily backups

Cloud Infrastructure

Amelytic runs on managed cloud infrastructure with automatic scaling, redundancy, and failover. All production services operate in isolated environments with network-level segmentation between tenants.

We leverage managed databases with automated backups, point-in-time recovery, and replication to ensure data durability and availability.

Encryption

All data in transit is encrypted using TLS 1.2 or higher. This applies to every connection between your browser and Amelytic, between our internal services, and between Amelytic and third-party platforms.

Data at rest — including uploaded media, generated content, campaign data, and backups — is encrypted using AES-256 encryption.

Availability & Reliability

Our infrastructure is designed for high availability with automated health checks, rolling deployments, and zero-downtime updates. Database backups are performed daily with point-in-time recovery capability.

We monitor all services 24/7 with automated alerting for latency spikes, error rate increases, and resource exhaustion.

02 · APPLICATION

OWASP Top 10 audited · SSO · 2FA enforced

Authentication & Access Control

User authentication is handled via industry-standard protocols. Passwords are hashed using bcrypt with per-user salts — we never store plaintext credentials.

OAuth 2.0 tokens for connected platforms (Meta, LinkedIn, X, YouTube) are encrypted at rest and scoped to the minimum permissions required. Tokens can be revoked at any time from your dashboard or directly on the connected platform.

Internal access to production systems follows the principle of least privilege. All administrative actions are logged with immutable audit trails.

Tenant Data Isolation

Each brand workspace operates with strict data isolation. API requests are authenticated and scoped to the requesting organization — there is no cross-tenant data access.

Generated content, uploaded media, campaign calendars, and analytics data are logically separated per brand at the database and storage layer.

API Security

All API endpoints require authentication. Rate limiting is enforced per-user and per-endpoint to prevent abuse and protect shared infrastructure.

Input validation and sanitization are applied to all user-supplied data. We use parameterized queries to prevent SQL injection and context-aware escaping to prevent XSS.

03 · DATA HANDLING

PII tagged · region-pinned · zero training

What We Store

Account information (name, email, organization), workspace data (campaigns, generated content, uploaded media), OAuth tokens for connected platforms, and aggregated usage telemetry.

We do not store passwords for connected social networks. We do not scrape or monitor personal profiles. We do not sell or share customer data with third parties for advertising.

Data Retention & Deletion

Customer data is retained for the duration of an active subscription. Upon account cancellation, we initiate data deletion within 30 days, with backup copies purged within 90 days.

You can request immediate deletion of specific data (uploaded media, generated content, connected platform tokens) at any time by contacting info@amelytic.com. Platform tokens can also be revoked directly from your dashboard.

AI & Generated Content

Amelytic uses large language models (LLMs) for campaign planning, content generation, and image creation. Your brand data is sent to these models only at the time of generation and is not used to train third-party AI models.

Generated content (text, images, calendars) is stored in your workspace and belongs to you. We do not use customer-generated content to train our own models or share it with other customers.

04 · COMPLIANCE

GDPR · DPDPA · DPA on request

GDPR

Amelytic processes personal data in accordance with the General Data Protection Regulation. We act as a data processor on behalf of our customers (data controllers) for workspace and campaign data.

Data subjects may exercise their rights (access, rectification, erasure, portability, restriction, objection) by contacting their organization or by reaching out to us at info@amelytic.com. We respond to verified requests within 30 days.

For international data transfers, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

Data Processing Agreement

We provide a Data Processing Agreement (DPA) to customers on request. The DPA covers processing scope, sub-processor disclosures, breach notification obligations, and data subject rights handling.

To request a DPA, contact info@amelytic.com.

CCPA

For California residents, Amelytic complies with the California Consumer Privacy Act. We do not sell personal information. Consumers may request disclosure of collected data, request deletion, and opt out of any future sale.

India IT Act & DPDP

As a company incorporated in India, Amelytic complies with the Information Technology Act, 2000 and its associated rules. We are preparing for compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) as its provisions come into effect.

Reasonable security practices and procedures as defined under IT Act Rule 8 are implemented across our infrastructure and application layers.

05 · INCIDENT RESPONSE

72h disclosure SLA · post-mortem published

Incident Response

We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review.

In the event of a confirmed data breach affecting customer data, we notify affected customers within 72 hours of confirmation, as required by GDPR and consistent with industry best practice.

Vulnerability Reporting

If you discover a security vulnerability in Amelytic, please report it to security@amelytic.com. We take all reports seriously and will investigate promptly.

We ask that you give us reasonable time to address the issue before any public disclosure. We do not pursue legal action against researchers who report vulnerabilities in good faith.

Amelytic

Amelytic is an agentic marketing workspace designed to help teams plan, generate, and publish content with confidence. The brand Amelytic is a product of Gratize Venture Consulting Service Pvt. Ltd., a Bengaluru-based company incorporated on 12 Sept 2018.

Contact Us

Corporate Office:
Gratize Venture Consulting Service Pvt. Ltd.,
Regus - Brigade IRV Centre, 9th floor,
Nallurahalli, Whitefield,
Bangalore 560066, Karnataka, India

info@amelytic.com

© 2026 Amelytic. All rights reserved.