01Authentication
Passwords are hashed with bcrypt (12 rounds). Google sign-in is delegated to Google OAuth 2.0 — we never see your Google password. Session tokens are stored as HTTP-only cookies (Google Auth) or short-lived JWTs (email/password).
02Data at rest
MongoDB is hosted on a managed service with encryption at rest. OAuth tokens are additionally encrypted with a per-installation Fernet key before being written to the database.
03Data in transit
All traffic between your browser and SociGrab is served over TLS 1.2+.
04Media storage
Uploaded media is stored in Emergent's Object Storage. Raw upload files are auto-deleted after successful publish; only thumbnails and metadata are retained.
05Reporting a vulnerability
Email security@socigrab.com. We acknowledge reports within 48 hours.