Security & trust
Repping.AI handles creator content, connected social accounts, publishing actions, and billing workflows. This page summarizes the safeguards we can describe from the current product, privacy policy, terms, and codebase.
Account and session protection
Sign-in identity is issued by Firebase Authentication; Repping then sets its own session cookie. Each session carries a token version that is checked against the user's current version on every request, so bumping that version revokes all of the user's outstanding sessions at once. Browser-based state-changing requests are additionally covered by CSRF protection.
Connected social account data
OAuth tokens and integration credentials are encrypted at rest with AES-256-GCM envelope encryption: each credential is encrypted under its own data key, and that data key is in turn encrypted under a separate key-encryption key, so the stored record never contains a usable key alongside the ciphertext. Tokens are decrypted only at the moment they are needed to publish, refresh, or read data for a connected account.
Data minimization
The privacy policy states that Repping does not sell personal data, does not run third-party advertising, and uses sub-processors for specific functions such as hosting, storage, billing, email, analytics, error monitoring, and background jobs.
Operational controls
Mutating routes require either a CSRF check (for cookie-authenticated browser requests) or explicit non-cookie authentication; public endpoints are rate-limited; payment webhooks are accepted only after the provider's signature on the delivery has been verified; and state-changing product workflows record audit events where that has been implemented.
Verified details from our policies
- TLS 1.2+ for transport, bcrypt password hashing, and JWT sessions with short rotation windows are documented in the privacy policy.
- Google and YouTube user data is used only for user-facing YouTube features and follows Google's Limited Use requirements.
- Payments are handled by Polar as merchant of record, so Repping never sees full card numbers.
- Error monitoring uses Sentry with request bodies and known PII stripped before sending, according to the privacy policy.
- Users can export account data and request account deletion from account settings, with retention rules documented in the privacy policy.
Connected platforms and third parties
Repping publishes only to the platforms you connect, and sends only the content you ask us to publish. Once published, your content is handled under each platform's own terms and privacy policy. The current sub-processors are listed in the privacy policy: MongoDB Atlas, Cloudflare R2, Polar, Firebase Authentication, Resend, PostHog, Sentry, Trigger.dev, Vercel, and the social platforms you connect.
Not claimed yet
Security pages from larger tools often include trust badges, compliance reports, public status pages, and dedicated report channels. Repping should add those only when the implementation and maintenance process exist.
- No public SOC 2, ISO 27001, HIPAA, GDPR certification badge, or security-audit badge is claimed on this page.
- No formal uptime SLA or public status page is claimed until there is a source we can link and maintain.
- No paid bug bounty program is claimed; security reports should go through the contact route for now.
- No enterprise DPA or procurement portal is claimed as self-serve until the legal and operational process exists.