Security
Your tokens. Your data. Encrypted.
Hardened defaults so you do not have to think about them. Same posture for every plan, no security tier upsell.
Three principles
What we lock down and how.
Encrypted at rest
Every OAuth token, app password and bot token is wrapped in AES-256-GCM before it touches the database. Records are tagged with an `enc:v1:` prefix so a future key rotation is a one-line migration, not a re-architecture.
OAuth state signed
Threads and LinkedIn OAuth callbacks carry an HMAC-signed state with a 10-minute TTL. Account-linking CSRF cannot happen because forged callbacks fail signature verification before they are even decoded.
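The following is an added illustration of the signed-state pattern described above, written for this page and not unison.ink's own code. The page states only that the state is HMAC-signed with a 10-minute TTL; the payload fields (user id, provider, nonce, expiry), the `payload.signature` encoding and the function names are this example's assumptions. Verification checks the MAC over the still-encoded payload before anything is decoded, so a forged or tampered callback is rejected without its content ever being parsed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// stateTTL is the 10-minute lifetime the page describes.
const stateTTL = 10 * time.Minute

var b64 = base64.RawURLEncoding

// statePayload is this example's assumed content; the page states only that
// the state is HMAC-signed with a TTL. Binding it to the signed-in user and
// the provider ties a callback to the account that started the flow.
type statePayload struct {
	UserID   string `json:"uid"`
	Provider string `json:"prv"` // "threads" or "linkedin"
	Nonce    string `json:"n"`   // random, so two flows never share a state
	Expires  int64  `json:"exp"` // unix seconds
}

func mac(key []byte, data string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return b64.EncodeToString(m.Sum(nil))
}

// IssueState returns "<base64 payload>.<base64 HMAC>" for the authorize redirect.
func IssueState(key []byte, userID, provider string, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	body, err := json.Marshal(statePayload{
		UserID: userID, Provider: provider,
		Nonce: b64.EncodeToString(nonce), Expires: now.Add(stateTTL).Unix(),
	})
	if err != nil {
		return "", err
	}
	payload := b64.EncodeToString(body)
	return payload + "." + mac(key, payload), nil
}

// VerifyState checks the signature over the still-encoded payload first, in
// constant time, and only then decodes it and enforces the TTL. A forged or
// tampered callback therefore fails before any of its content is parsed.
func VerifyState(key []byte, state string, now time.Time) (*statePayload, error) {
	payload, sig, ok := strings.Cut(state, ".")
	if !ok {
		return nil, errors.New("malformed state")
	}
	if !hmac.Equal([]byte(sig), []byte(mac(key, payload))) {
		return nil, errors.New("state signature invalid")
	}
	raw, err := b64.DecodeString(payload)
	if err != nil {
		return nil, errors.New("malformed state payload")
	}
	var p statePayload
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, errors.New("malformed state payload")
	}
	if !now.Before(time.Unix(p.Expires, 0)) {
		return nil, errors.New("state expired")
	}
	return &p, nil
}

func main() {
	key := []byte("constructed-demo-key") // a real key comes from a secrets manager
	now := time.Now()
	s, _ := IssueState(key, "user-1", "threads", now)
	if p, err := VerifyState(key, s, now.Add(5*time.Minute)); err == nil {
		fmt.Println("valid state for", p.UserID, "via", p.Provider)
	}
	_, err := VerifyState(key, s, now.Add(11*time.Minute))
	fmt.Println("after 11 minutes:", err)
}
```

The callback handler should also compare the verified `UserID` against the currently signed-in session and discard the nonce once used, so a valid state cannot be replayed into a second linking attempt.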
Quiet by default
No third-party analytics, no advertising pixels, no session replay, no behavioural fingerprinting. The only data we collect is what you actively give us when you sign up and post.
Deep dive
How we store your data.
OAuth tokens, app passwords and bot tokens are encrypted with AES-256-GCM using a 32-byte server-side key. We never store the plaintext anywhere on disk. Database backups inherit the same protection because the ciphertext is what gets dumped.
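As an added example covering both the "Encrypted at rest" principle and the storage description above, here is a self-contained envelope-encryption routine written for this page; it is not unison.ink's code. The page gives only the `enc:v1:` prefix and AES-256-GCM with a 32-byte key; the layout after the prefix (base64 of nonce, ciphertext and tag), the `keyring` type and the function names are this example's assumptions. The version tag is fed in as GCM additional data, and rotation is shown as opening a record under its tagged key and re-sealing it under the next version.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyring maps an envelope version ("v1", "v2", ...) to its 32-byte AES key.
// Rotation means adding a new version here and re-sealing records under it.
type keyring map[string][]byte

// Assumed layout after the "enc:<version>:" prefix (the page states only the
// prefix): base64(nonce || ciphertext || GCM tag).
func prefixFor(version string) string { return "enc:" + version + ":" }

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a token under the key for the given version and returns the
// prefixed record, which is what actually reaches the database and its backups.
func Seal(kr keyring, version string, plaintext []byte) (string, error) {
	aead, err := newGCM(kr[version])
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The prefix is authenticated as additional data, so a record cannot be
	// relabelled to another version without failing the GCM tag check.
	ct := aead.Seal(nil, nonce, plaintext, []byte(prefixFor(version)))
	return prefixFor(version) + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open parses the prefix, picks the matching key and authenticates the record.
// An unknown version or a bad tag yields an error, never plaintext.
func Open(kr keyring, record string) ([]byte, error) {
	if !strings.HasPrefix(record, "enc:") {
		return nil, errors.New("record is not an encrypted envelope")
	}
	version, body, ok := strings.Cut(strings.TrimPrefix(record, "enc:"), ":")
	if !ok {
		return nil, errors.New("malformed envelope")
	}
	key, ok := kr[version]
	if !ok {
		return nil, fmt.Errorf("no key for envelope version %q", version)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil || len(raw) < aead.NonceSize() {
		return nil, errors.New("malformed envelope body")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(prefixFor(version)))
}

// Rotate re-seals one record under a newer key version: the migration step.
func Rotate(kr keyring, record, toVersion string) (string, error) {
	pt, err := Open(kr, record)
	if err != nil {
		return "", err
	}
	return Seal(kr, toVersion, pt)
}

func main() {
	// Constructed keys for the demo; real keys come from a secrets manager.
	kr := keyring{"v1": make([]byte, 32), "v2": make([]byte, 32)}
	kr["v2"][0] = 1
	rec, _ := Seal(kr, "v1", []byte("oauth-token-constructed"))
	fmt.Println("stored as:", rec[:7]+"...")
	rotated, _ := Rotate(kr, rec, "v2")
	pt, err := Open(kr, rotated)
	fmt.Println("after rotation:", rotated[:7]+"...", string(pt), err)
}
```

Because the version sits in the stored prefix, a rotation job can select every row still tagged `enc:v1:`, run `Rotate` on it and leave the read path untouched; the old key is only retired once no such rows remain.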
Compliance
Where we stand.
GDPR: Compliant
CCPA: Compliant
SOC 2: In progress
ISO 27001: Planned
Found a vulnerability?
Reach us privately at the address below. Average first response is under 24 hours. Researchers acting in good faith are credited on this page.
hello@unison.ink