ReelFlow · Security

Security

Effective as of June 15, 2026. This page describes the technical and operational controls that ReelFlow applies to protect customer data and third-party connections.

1. Encryption

• In transit: TLS 1.3 on all communications (client ↔ application, application ↔ external APIs, application ↔ database).
• At rest: database encrypted with AES-256 (Supabase + AWS). YouTube, Facebook, and Google Drive OAuth tokens are additionally encrypted at the application level before persistence — the encryption key is stored in a separate secrets manager.
• Media storage: Supabase Storage and AWS S3 with server-side encryption.

2. OAuth token management

• Access tokens and refresh tokens from external providers are encrypted immediately upon receipt. They are never logged in plain text and never leave production environments.
• Expired or revoked tokens are removed from active systems in less than 24 hours via the fb-token-canary cron and equivalent processes.
• Permissions requested from each provider (Facebook Graph, YouTube Data API, Google Drive) are scoped to the minimum necessary to deliver the engaged service. See details in our Privacy Policy.

3. Access control

• Production access restricted to the operator. Two-factor authentication (2FA) mandatory for administrators.
• Tenant isolation via Row-Level Security (RLS) at the database. One customer can never read another customer’s data.
• Full audit trail: every operation on tokens, publishing, deletion, or configuration change is timestamped with actor and outcome.

4. Infrastructure

• Compute: Vercel Fluid Compute (Next.js + serverless functions), US-East/US-West regions.
• Database: Supabase Postgres (AES-256 at rest, encrypted daily backups, 30-day retention).
• Orchestration: Inngest (event-driven jobs with automatic retries, per-step observability, dead-letter queue).
• Media storage: Supabase Storage + AWS S3 (processing cache).
• AI providers: Google (Gemini), OpenAI (fallback). AI calls do NOT train models on customer content (opt-out enabled with all providers).

5. Monitoring and incident response

• Multi-tier alerting system (P0–P3) that notifies the operator via Telegram, email, and SMS based on severity.
• Health agents (fb-token-canary, reelflow-doctor, pipeline-watchdog,connection-health-agent) running every 5–30 minutes to detect downed tokens, failed publishings, usage anomalies, etc.
• Incident response: notification to affected customer within 24 hours of discovering an incident that compromises their data.

6. Responsible vulnerability disclosure

If you detect a vulnerability in ReelFlow, write to hello@reelflowmedia.com with the details. We ask that you:

• Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
• Do not exfiltrate, modify, or destroy data.
• Give us a reasonable timeframe (minimum 90 days) to remediate before public disclosure.

We confirm receipt within 48 business hours. We publicly acknowledge reporters in a Hall of Fame (with their consent) and, depending on impact, offer monetary reward.

7. Compliance and certifications

ReelFlow operates following principles and controls aligned with SOC 2 Type II. We are not formally certified at this time, but we maintain the following documented controls:

• Access management policy.
• Data retention and deletion policy.
• Incident response procedures.
• Periodic security and dependency reviews.
• Encrypted backups with monthly restore tests.

8. Subprocessors

The full list of providers we share data with is documented in our Privacy Policy, section 4.