Trust

Security

Effective: April 28, 2026 · Last updated: June 7, 2026

Your finances are the most sensitive thing you’ll hand a piece of software. Here’s how we protect them.

Encryption

All traffic between your device and Post is encrypted with TLS. Your data is encrypted at rest in our database, on storage that is isolated to our infrastructure. Sensitive credentials — the access tokens that let us read from your bank, Stripe, and platform accounts — are protected with application-level encryption in addition to database-level encryption.

Isolation between creators

Every creator’s data lives in its own row-level-security boundary inside the database. A query made on behalf of one creator cannot reach another creator’s data, even if the application code has a bug. This is enforced by the database, not by us remembering to add a filter.
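The isolation described above, as an added example that is not Post's own schema or code: a Postgres row-level-security policy keyed on a per-request creator id, where every table, column, role and setting name is an assumption made for illustration.

```sql
-- Hypothetical table; names are assumptions, not Post's actual schema.
CREATE TABLE transactions (
    id            bigserial PRIMARY KEY,
    creator_id    uuid   NOT NULL,
    amount_cents  bigint NOT NULL,
    memo          text
);

-- Turn RLS on and FORCE it so the policy also binds the table owner.
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- Role the application tier connects as (assumed name).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON transactions TO app_user;

-- The creator identity comes from a session setting the application sets
-- from the authenticated session before any query runs. With missing_ok=true
-- an unset value yields NULL, so the comparison fails closed (no rows).
CREATE POLICY creator_isolation ON transactions
    FOR ALL TO app_user
    USING      (creator_id = current_setting('app.creator_id', true)::uuid)
    WITH CHECK (creator_id = current_setting('app.creator_id', true)::uuid);

-- Constructed sample rows for two different creators.
INSERT INTO transactions (creator_id, amount_cents, memo) VALUES
    ('11111111-1111-1111-1111-111111111111', 12500, 'brand deal'),
    ('22222222-2222-2222-2222-222222222222',  4000, 'affiliate payout');

-- Simulate one request made on behalf of creator 1111...: the role and the
-- creator id are set per transaction (SET LOCAL), so they cannot leak into
-- a pooled connection's next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.creator_id = '11111111-1111-1111-1111-111111111111';

-- A buggy query with no WHERE creator_id filter still returns only the
-- 'brand deal' row; the database applies the filter, not the application.
SELECT id, amount_cents, memo FROM transactions;

-- A write attributed to another creator is rejected by WITH CHECK; the
-- statement raises an RLS violation and aborts this transaction.
INSERT INTO transactions (creator_id, amount_cents, memo)
VALUES ('22222222-2222-2222-2222-222222222222', 1, 'cross-tenant write');
ROLLBACK;
```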

Access control

Administrative access to production systems is restricted to the minimum number of people required to run the service, and every such account is protected by multi-factor authentication. Service-role credentials are scoped to background jobs only and always bound to a specific organization.

You control who sees your data inside your organization. Invite your CPA or a teammate from Settings, choose a role for them, and revoke their access at any time.

Audit logging

Security-relevant actions on your account — including financial mutations such as creating, editing, or deleting transactions, deals, payouts, and tax-input records — are logged with actor, target, and before-and-after state, and retained for seven years. You can view your own log from the Activity page in the app.

Payment and bank details

We never store your payment card number — Stripe handles that. We never store your bank account or routing numbers — Plaid handles the bank link and we only hold an access token that we use to fetch transactions on your behalf.

Third-party subprocessors

A small, named set of vendors helps us run the service. Each has a defined scope:

  • Supabase — database, authentication, and file storage.
  • Vercel — web application hosting.
  • Plaid — secure bank connections.
  • Stripe — creator payouts read access and our own subscription billing.
  • Anthropic — receipt parsing and transaction categorization.
  • Postmark — inbound email for receipt forwarding.
  • Resend — outbound transactional email (invites, reminders).
  • Upstash — rate-limit counters (no personal data).
  • Sentry — error tracking (stack traces, never secrets or request bodies).
  • PostHog — product analytics, consent-gated behind our cookie banner.
  • Inngest — background job scheduling.
  • Google, TikTok, Meta, Snap — platform OAuth for earnings data you choose to connect.

Adding a new subprocessor requires a purpose statement and a changelog entry in our internal security policy. We’ll post material changes here.

Incident response

Detection. Production systems are covered by automated error tracking and alerting that pages on-call personnel. We aim to classify security incidents by severity within one hour of detection.

Containment. Exposed credentials (OAuth tokens, API keys, database credentials) are rotated within 4 hours of confirmation of exposure. Sessions tied to the affected account are revoked at the same time.

Post-mortem. Every declared incident gets a written post-mortem with at least one durable fix.

Breach notification

If we confirm that your personal data was accessed or disclosed without authorization, we will email you at the address on your account within 72 hours of that confirmation. The notice will describe what data was affected, the date range, what happened, and steps you should take. Where state law requires a shorter timeline (for example, California’s 48-hour SSN-exposure rule), the shorter timeline takes precedence.

Backups and recovery

The database is backed up daily, and point-in-time recovery with 30-minute granularity is available for the most recent 7 days. Our target time to restore service from backup after a catastrophic loss is 24 hours.

Compliance

We plan to pursue SOC 2 Type I certification, followed by Type II, once operationally ready. Until then, we operate against a documented internal information security policy covering the controls described on this page — access, encryption, logging, vendor management, incident response, and key rotation.

Reporting a vulnerability

If you think you’ve found a security issue, email security@postforcreators.com. We’ll respond within one business day. Please give us a reasonable window to fix the issue before public disclosure.

Contact

General security questions: security@postforcreators.com.
