Data in transit
All traffic between your browser, the marketing site, and the app is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enabled with a two-year max-age and `includeSubDomains` so browsers refuse to downgrade. We do not accept plaintext HTTP connections.
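As an added example (not Post Slate's own code), this Python check parses a `Strict-Transport-Security` header value following RFC 6797 and tests it against the policy stated above: a max-age of at least two years plus `includeSubDomains`. Two years is assumed to mean 63072000 seconds, and the function names and sample header values are constructed for illustration.

```python
import re

TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds; assumed reading of "two-year"

def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797, section 6.1).

    Returns a dict keyed by lower-cased directive name, or None when the
    header is invalid and a conforming browser would ignore it entirely.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar permits empty directives
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form of the value
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = arg if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a whole number of seconds
    directives["max-age"] = int(max_age)
    return directives

def meets_policy(value, min_age=TWO_YEARS):
    """True when the header is valid, long-lived, and covers subdomains."""
    d = parse_hsts(value)
    return d is not None and d["max-age"] >= min_age and "includesubdomains" in d

# Constructed sample header values, not captured from any real site.
SAMPLES = [
    "max-age=63072000; includeSubDomains",             # matches the stated policy
    'Max-Age="63072000"; INCLUDESUBDOMAINS; preload',  # case and quoting variants
    "max-age=31536000; includeSubDomains",             # only one year
    "max-age=63072000",                                # subdomains not covered
    "max-age=63072000; max-age=0; includeSubDomains",  # duplicate directive: invalid
    "includeSubDomains",                               # max-age missing: invalid
]

def audit(samples=SAMPLES):
    return [(s, meets_policy(s)) for s in samples]

if __name__ == "__main__":
    for header, ok in audit():
        print("PASS" if ok else "FAIL", header)
```
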
Data at rest
Uploaded video Content and generated Output (VTT, AD script, MP3) are stored in a private Supabase storage bucket and encrypted at rest using AES-256. Database records (account, job metadata, billing references) are encrypted at rest by the underlying managed Postgres provider.
Access control
- Customer access: Supabase Auth with Row-Level Security (RLS) enforced at the database layer — a user's session can only read or modify rows owned by that user.
- Personnel access: Production access is restricted to a need-to-know basis. Multi-factor authentication is required for all administrative accounts. We do not routinely view customer Content; access is limited to resolving a technical failure, an explicit support request, or a legal obligation.
- Credentials: User passwords are hashed with bcrypt by Supabase Auth. They are never stored or logged in plaintext.
Retention & automatic deletion
Uploaded video files and Output files are automatically deleted 30 days after the associated Processing Job completes. Job metadata (job ID, status, timestamps) is retained for up to 12 months for billing and audit purposes. Account information is retained for the life of the account. The full retention schedule is in the Privacy Policy §7.
Sub-processors
Post Slate uses the following sub-processors to deliver the Service. The complete table — including data categories transferred and training opt-out status for each — lives in the Privacy Policy §5.
- Supabase — database, authentication, file storage
- Vercel — application hosting and CDN
- Stripe — payment processing
- Trigger.dev — background job orchestration
- Deepgram — speech-to-text (training opt-out enabled)
- Anthropic — language model for AD script generation
- ElevenLabs — text-to-speech for MP3 voiceover (training opt-out enabled)
- Twelve Labs — multimodal video analysis (no standard opt-out; enterprise restricted-data agreements available)
- Sentry — error monitoring; video content excluded from error reports
Vulnerability reporting
If you discover a security vulnerability, please report it to hello@postslate.com with subject [SECURITY]. We will acknowledge within 48 hours. We do not currently run a paid bug bounty, but we will credit researchers in our public disclosure if requested.
Please do not publicly disclose a vulnerability before we've had a reasonable window to investigate and ship a fix. We commit to working in good faith with reporters who operate under coordinated disclosure norms.
Compliance roadmap
- SOC 2 Type II: on the roadmap. We have not yet engaged an auditor; we will update this page when an engagement begins.
- GDPR / CCPA / CPRA: Data Processing Addendum (DPA) with Standard Contractual Clauses available on request. See /dpa.
- HIPAA: Post Slate is not currently HIPAA-eligible. Do not upload protected health information without a separately executed Business Associate Agreement.
Breach notification
In the event of a confirmed data breach affecting your personal information or Content, we will notify affected customers as required by applicable law and, in any case, within 72 hours of discovery if the breach is likely to result in a risk to your rights or interests.