
Security

Last updated: May 13, 2026

This page describes the security program Rowstr FZ-LLC operates to protect customer data and the Service. It is a summary, not an exhaustive specification, and is updated as our program evolves. For customer-specific contractual commitments, see our Terms of Service and Data Processing Agreement.

1. Encryption

  • In transit. All traffic between you and the Service uses TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on the production domain.
  • At rest. Customer-uploaded media is stored on encrypted object storage. Database storage and snapshots are encrypted at rest by the underlying managed provider. High-value secrets (for example, Instagram integration tokens, 2FA secrets, and backup codes) are additionally encrypted at the application layer with authenticated encryption, so a tampered or swapped ciphertext fails to decrypt rather than yielding a usable value, using keys held outside the application image.
  • Key management. Encryption keys are managed by our managed-service providers and our secrets-management platform. Application secrets are injected at runtime and never committed to source control.

2. Authentication and access control

  • Sign-in is handled by a hardened authentication library that uses industry-standard session, CSRF, and cookie protections.
  • Two-factor authentication (2FA) is available to every user and recommended for administrators. Authenticator-app TOTP and one-time backup codes are supported.
  • Sign-in can use a magic link or password. Passwords are hashed with a modern memory-hard hash function.
  • Role-based access control within an organization, with the roles owner, admin, manager, virtual assistant, and model. Every server mutation is authorized server-side and scoped to the caller's organization; hiding a control in the UI is never the point of enforcement.
  • Internal access to production data follows the principle of least privilege and is logged. Production access requires SSO with 2FA.

3. Application security

  • Server-side input validation on every endpoint using strongly typed schemas.
  • ORM-mediated database access with parameterized queries to prevent SQL injection.
  • Cross-site scripting protections through framework auto-escaping, a restrictive Content Security Policy, and a sanitized rich-text pipeline.
  • Tenant isolation enforced on every read and write — all queries are scoped to the caller's organization via server-side checks.
  • Authorization on file proxies: media in object storage is served only through an authenticated proxy that checks the requester's organization membership and role before returning any bytes.
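The tenant-isolation and media-proxy rules above (every read and write scoped to the caller's organization, and a membership and role check before bytes are served), shown as an added example rather than Rowstr's own code. The role ordering, which roles may delete, the "<orgId>/..." object-key layout, and the in-memory tables standing in for the database and object store are assumptions for the illustration.

```javascript
// Added example (not Rowstr's code): tenant scoping and the membership/role gate
// in front of a media proxy. Assumptions: the role ordering, which roles may
// delete, the "<orgId>/..." object-key layout and the in-memory tables are ours.

// Lowest to highest privilege (assumed ordering).
const ROLE_RANK = { model: 0, virtual_assistant: 1, manager: 2, admin: 3, owner: 4 };

// Constructed sample data standing in for the database and the object store.
const memberships = [
  { orgId: "org_a", userId: "u1", role: "owner" },
  { orgId: "org_a", userId: "u2", role: "virtual_assistant" },
  { orgId: "org_b", userId: "u3", role: "admin" },
];
const posts = [
  { id: 1, orgId: "org_a", caption: "a-1" },
  { id: 2, orgId: "org_b", caption: "b-1" },
];
const objectStore = new Map([
  ["org_a/media/clip1.mp4", Buffer.from("bytes-of-clip1")],
  ["org_b/media/clip2.mp4", Buffer.from("bytes-of-clip2")],
]);

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// The only way to obtain an org scope: a membership row for the signed-in user.
// A caller-supplied orgId is a claim to be checked, never a value to trust.
function requireMembership(session, orgId, minRole = "model") {
  if (!session || !session.userId) throw new HttpError(401, "not signed in");
  const m = memberships.find((x) => x.userId === session.userId && x.orgId === orgId);
  if (!m) throw new HttpError(403, "not a member of this organization");
  if (ROLE_RANK[m.role] < ROLE_RANK[minRole]) throw new HttpError(403, `requires ${minRole}`);
  return m;
}

// Object keys are "<orgId>/<path>"; reject anything that is not one clean
// relative path so the org segment cannot be confused by "..", "//" or "/".
function orgFromKey(key) {
  const segments = key.split("/");
  if (!/^[a-z0-9_]+(\/[A-Za-z0-9_.-]+)+$/.test(key) || segments.some((s) => s === "." || s === "..")) {
    throw new HttpError(400, "bad object key");
  }
  return segments[0];
}

// Map an authorization failure to an HTTP status; anything else is a real bug.
function respond(fn) {
  try { return { status: 200, body: fn() }; }
  catch (e) { if (e instanceof HttpError) return { status: e.status, body: e.message }; throw e; }
}

// Every read is filtered by the verified membership's orgId, not by the request's.
function listPosts(session, orgId) {
  return respond(() => {
    const m = requireMembership(session, orgId);
    return posts.filter((p) => p.orgId === m.orgId);
  });
}

// Media proxy: derive the org from the key, check membership, only then read bytes.
function serveMedia(session, key) {
  return respond(() => {
    requireMembership(session, orgFromKey(key), "model");
    const bytes = objectStore.get(key);
    if (!bytes) throw new HttpError(404, "not found");
    return bytes;
  });
}

// Destructive operations need a higher role (assumed: admin or owner).
function deleteMedia(session, key) {
  return respond(() => {
    requireMembership(session, orgFromKey(key), "admin");
    if (!objectStore.delete(key)) throw new HttpError(404, "not found");
    return "deleted";
  });
}
```

The pattern that matters is that `requireMembership` is the sole source of an org scope: handlers never pass a request-supplied orgId straight into a query, and the proxy derives the org from the object key it is about to read, so a signed-in user of one organization cannot fetch another organization's media by guessing a key.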

4. Infrastructure

  • The Service runs on managed cloud infrastructure with provider-maintained physical security, redundancy, and patching posture.
  • We use multi-region deployments for the production application tier and a managed Postgres database with point-in-time recovery.
  • Media is stored on Cloudflare R2 with object lifecycle rules and server-side encryption.

5. Backups and disaster recovery

  • Database point-in-time recovery is enabled, with a recovery window sufficient to restore from a recent point following data loss or corruption.
  • Object-storage versioning protects against accidental deletion.
  • We set a target Recovery Time Objective (RTO) and Recovery Point Objective (RPO) appropriate to a B2B SaaS, review them periodically, and record the latest measured values internally.

6. Logging and monitoring

  • Application and access logs are captured, with retention as described in the Privacy Policy.
  • Server errors are reported to an error-tracking service (PostHog) and reviewed regularly.
  • Anomalous activity (failed sign-ins, abuse patterns, rate-limit breaches) is monitored and throttled.

7. Vulnerability management

  • Dependencies are pinned by lockfile and updated on a regular cadence; security advisories on direct dependencies are reviewed on publication.
  • We perform internal security reviews of new features that touch authentication, billing, file handling, or third-party integrations before release.
  • We do not yet hold an ISO 27001 or SOC 2 certification. Customers with formal vendor-assessment requirements can contact [email protected] for a security questionnaire response.

8. Sub-processors and shared responsibility

We use a small set of vetted sub-processors. Each is bound by a written agreement with confidentiality and security obligations equivalent to our DPA. The current list, locations, and purposes are available on written request to [email protected]. Customers retain responsibility for the security of their own credentials, endpoints, and any downstream systems they connect to the Service.

9. Incident response and breach notification

We maintain an internal incident-response runbook covering detection, containment, eradication, recovery, and lessons learned for security incidents. Where a personal-data breach is likely to result in a risk to data subjects, we notify the competent supervisory authority without undue delay (for breaches in scope of the GDPR, within 72 hours of becoming aware) and, where the breach is likely to result in a high risk to individuals, notify the affected individuals without undue delay.

10. Responsible disclosure

We welcome reports of security vulnerabilities from researchers. To report a vulnerability, email [email protected] with a description, reproduction steps, and any supporting material. Please:

  • give us a reasonable period to investigate and remediate before public disclosure;
  • test only against your own accounts; do not access, modify, or delete data belonging to other customers;
  • do not perform denial-of-service, social-engineering, or physical attacks;
  • do not test against integrations belonging to third parties.

We do not currently operate a paid bug-bounty program but will acknowledge credible reports.

11. Compliance posture

  • UAE PDPL. Primary jurisdictional framework. Our Privacy Policy and DPA reflect PDPL obligations.
  • GDPR / UK GDPR. We process personal data of EEA and UK residents in compliance with the GDPR/UK GDPR, including where relevant Standard Contractual Clauses for cross-border transfers.
  • PCI DSS. Card data is handled exclusively by Stripe, a PCI Level 1 Service Provider; Rowstr does not store, process, or transmit primary account numbers.
  • Trust & safety. We act against child sexual abuse material (“CSAM”), non-consensual intimate imagery, and other prohibited content under our Acceptable Use Policy. See /terms.

12. Contact

Security: [email protected]
Privacy: [email protected]
Trust & safety: [email protected]