Security, Privacy & GDPR Compliance

Learn how SuperSocial MCP protects your data with EU hosting, GDPR compliance, passwordless authentication, encryption, and strict tenant isolation.

Your Data Safety Is Not an Afterthought

When you connect your messaging accounts to an AI assistant, you are trusting that service with some of your most sensitive information — private conversations, business contacts, professional relationships. At SuperSocial, we believe that trust has to be earned through transparency, not marketing promises.

This guide explains exactly how we protect your data, where it is stored, who can access it, and what rights you have over it. No vague assurances, no hand-waving — just the facts about how our security and privacy practices work.

Hosted in the EU, Stays in the EU

All SuperSocial infrastructure runs in Frankfurt, Germany on Fly.io. Your messages, account connections, and personal information are processed and stored entirely within the European Union. Data never leaves EU borders — not for processing, not for backups, not for analytics.

Backups are encrypted and stored in Google Cloud Storage in the europe-west3 region (Frankfurt), so even your backup data remains on European soil. This is not a regional option you have to enable — it is the default and only configuration.

GDPR Compliant by Design

SuperSocial is built from the ground up to comply with the General Data Protection Regulation (GDPR). This is not a checkbox we added later — it shaped our architecture from day one. Here is what that means in practice:

  • Data minimization — we only collect and store what is strictly necessary to provide the service. No tracking pixels, no behavioral profiling, no hidden data collection.
  • Purpose limitation — your data is used exclusively to deliver the messaging features you signed up for. We do not repurpose it for advertising, analytics products, or AI training.
  • Right to erasure — you can delete all your data at any time from your dashboard. When you delete, we delete. No 90-day retention windows, no "anonymized" copies kept indefinitely.
  • Data portability — your data belongs to you. You can disconnect any account or remove your entire profile whenever you choose.
  • No data selling — we do not sell, share, or provide your data to third parties. Period.

Passwordless Authentication

SuperSocial uses magic link authentication — a passwordless login system. When you sign in, we send a secure, time-limited link to your email address. Click the link and you are in. No passwords to create, remember, or accidentally reuse across services.

This approach eliminates an entire category of security risks. There are no passwords in our database that could be leaked in a breach. There is no password reset flow that could be exploited by an attacker. Your email inbox becomes your authentication factor, which is already protected by your email provider's security.

Every token we generate — whether it is a magic link, an access token, or a refresh token — is SHA-256 hashed before storage. Even if someone gained access to our database, they would find only irreversible hashes, not usable tokens.
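The hash-before-storage pattern described above, as an added example that is not SuperSocial's own code. The in-memory table, the 15-minute lifetime and the single-use rule are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory token table: SHA-256 hex digest -> record.
# A real service would use a database table keyed the same way.
TOKENS = {}

# Assumed lifetime in seconds; the page only says "time-limited".
MAGIC_LINK_TTL = 15 * 60


def token_digest(token):
    """Hex SHA-256 of the raw token; this is the only form that is stored."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(email, now=None):
    """Create a random token, persist only its hash, return the raw value once."""
    now = time.time() if now is None else now
    # 32 random bytes: high entropy, so a fast unsalted hash is appropriate
    # here (unlike for human-chosen passwords).
    token = secrets.token_urlsafe(32)
    TOKENS[token_digest(token)] = {
        "email": email,
        "expires": now + MAGIC_LINK_TTL,
        "used": False,
    }
    return token


def redeem_token(token, now=None):
    """Return the email bound to a valid token, or None if it must be rejected."""
    now = time.time() if now is None else now
    record = TOKENS.get(token_digest(token))
    if record is None or record["used"] or now >= record["expires"]:
        return None
    record["used"] = True  # assumed single-use: a replayed link is refused
    return record["email"]
```

A dump of `TOKENS` yields digests only, and a digest cannot be presented in place of the token because `redeem_token` hashes whatever it receives before the lookup.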

How Your Platform Connections Stay Secure

When you connect LinkedIn, WhatsApp, Instagram, or any other platform to SuperSocial, the connection happens through OAuth authentication flows. This means you sign in directly with the platform — we never see, handle, or store your platform passwords.

The credentials we receive from these connections are encrypted at rest. If you ever want to revoke access, simply disconnect the account from your SuperSocial dashboard. The connection is severed immediately and the stored credentials are removed.

MCP Client Security

When your AI assistant connects to the SuperSocial MCP server, the connection is secured with OAuth 2.0 with PKCE (Proof Key for Code Exchange). PKCE is the current industry best practice for securing authorization flows, preventing interception attacks even in less secure environments.
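How PKCE binds an authorization code to the client that requested it, as an added example (not SuperSocial's code). It uses the S256 method from RFC 7636; the `AuthServer` class is a hypothetical stand-in for the authorization server.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier():
    """Client side: random code_verifier (RFC 7636 allows 43 to 128 characters)."""
    return secrets.token_urlsafe(32)  # 32 bytes -> 43 URL-safe characters


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Hypothetical server that remembers which challenge each code was issued for."""

    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge):
        """Authorization request: the client sends only the challenge."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        """Token request: succeeds only if the verifier hashes to the stored challenge."""
        challenge = self._codes.pop(code, None)  # codes are single-use
        if challenge is None:
            return False
        return hmac.compare_digest(challenge, s256_challenge(code_verifier))
```

Someone who captures the authorization code in transit still lacks the verifier, which never left the client until the token request.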

All communication between your AI client and our MCP server happens over HTTPS. There is no option to connect over unencrypted channels — we enforce encrypted transport everywhere, with no exceptions.

Session and Access Controls

Security is about more than just encryption. Here is how we handle access and sessions:

  • Server-side session invalidation — when you log out, your session is terminated on our servers immediately. There are no lingering sessions that could be hijacked.
  • Rate limiting — authentication endpoints are rate-limited to prevent brute-force attacks and abuse. You will not notice this during normal use, but it stops automated attacks in their tracks.
  • CSRF protection — cross-site request forgery protection is enabled across the application, preventing malicious websites from making unauthorized requests on your behalf.
  • Admin access controls — administrative access is restricted to an email-based whitelist. There are no shared admin passwords or generic admin accounts.

Webhook and Integration Security

SuperSocial receives real-time updates from connected platforms through webhooks. Every incoming webhook is validated using secret-based verification to confirm it genuinely originated from the expected platform.

Our webhook system operates on a fail-closed principle in production. If a webhook cannot be verified, it is rejected. We do not process unverified data — it is better to miss an update than to accept a forged one.
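A fail-closed webhook check, as an added example that is not SuperSocial's implementation. The page says only "secret-based verification"; the scheme assumed here is a hex HMAC-SHA256 of the raw request body carried in a signature header, and the function names are hypothetical.

```python
import hashlib
import hmac
import json


def verify_webhook(secret, body, signature_header):
    """Return True only when every precondition holds; any doubt is a rejection."""
    if not secret:
        # Fail closed: a missing secret must never mean "skip verification".
        return False
    if not signature_header:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    try:
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, signature_header.strip().lower())
    except TypeError:
        # compare_digest rejects non-ASCII strings; treat that as a bad signature.
        return False


def handle_webhook(secret, body, signature_header, process):
    """Verify first, parse second. Returns an HTTP-style status code."""
    if not verify_webhook(secret, body, signature_header):
        return 401  # the payload is never parsed or acted on
    process(json.loads(body))
    return 200
```

The signature is computed over the raw bytes received, before any JSON parsing, so a body that was re-serialized or altered in transit no longer verifies.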

Tenant Isolation

Every SuperSocial user's data is fully isolated. Your messages, connections, and settings are completely separated from every other user. There are no shared data pools, no cross-user caches, and no way for one user's queries to return another user's data.

This isolation is enforced at the application level on every single database query. It is not something that depends on users being on separate servers or plans — it is a fundamental part of how the system works for everyone.
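Application-level isolation on every query, sketched as an added example (not SuperSocial's code). The `messages` table, its columns and the `TenantDB` wrapper are hypothetical, and the rows are constructed sample data.

```python
import sqlite3


def build_sample_db():
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, tenant_id TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?)",
        [(1, "alice", "hi from alice"), (2, "bob", "bob private"), (3, "alice", "second")],
    )
    return conn


class TenantDB:
    """Data-access wrapper bound to one tenant; callers cannot omit the filter."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant = tenant_id  # taken from the authenticated session, never from request input

    def messages(self):
        return self._conn.execute(
            "SELECT id, body FROM messages WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()

    def get_message(self, message_id):
        # Lookup by id alone would let a guessed id reach another tenant's row.
        return self._conn.execute(
            "SELECT id, body FROM messages WHERE id = ? AND tenant_id = ?",
            (message_id, self._tenant),
        ).fetchone()

    def delete_message(self, message_id):
        cur = self._conn.execute(
            "DELETE FROM messages WHERE id = ? AND tenant_id = ?",
            (message_id, self._tenant),
        )
        return cur.rowcount  # 0 when the row belongs to someone else
```

Because the tenant predicate lives in the wrapper rather than in each call site, a request that supplies another user's row id gets the same result as a request for a row that does not exist.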

Your Rights and Controls

We believe you should always be in control of your data. Here is what you can do at any time from your SuperSocial dashboard:

  • Disconnect any account — instantly revoke SuperSocial's access to any connected messaging platform.
  • Delete all your data — remove your entire account and all associated data with a single action.
  • Review connected accounts — see exactly which platforms are connected and manage each one individually.

You do not need to email support or file a request. These controls are self-service, available immediately, and take effect the moment you use them.

Questions About Security?

If you have specific questions about how we handle your data, our security practices, or GDPR compliance, we are happy to answer them. Reach out to us at [email protected] and we will get back to you promptly.
