Security

Last updated: May 11, 2026

Creator Outreach handles customer outreach data, connected-account credentials, and payment information. This page describes the controls we have in place to keep that data safe. If you need more detail — a security questionnaire, a copy of a subprocessor's SOC 2 report, or our DPA — email dmeehanj@gmail.com.

Infrastructure

  • Hosted on Vercel (SOC 2 Type II, ISO 27001) for the application layer and Supabase (SOC 2 Type II) for the database, authentication, and file storage.
  • US-region primary data center (us-east) for both providers.
  • Application code is deployed exclusively via Vercel, which maintains audit logs of every deploy, environment-variable change, and team-membership change.
  • Background work runs on Upstash QStash, an HTTPS-only queue that POSTs verified payloads to our serverless worker routes — no long-lived job processes to compromise.

Encryption

  • In transit: TLS 1.2+ everywhere. HTTPS is enforced via HSTS; we do not accept plaintext HTTP requests.
  • At rest: AES-256 encryption on all Supabase Postgres volumes, file storage, and backups (Supabase default).
  • Secrets: stored as Vercel environment variables, encrypted at rest, never committed to source control. Access to decrypt them is limited to authorized deploys.
  • OAuth tokens for connected Gmail / Outlook / LinkedIn accounts are stored encrypted alongside the rest of your row-level data; we never see or store the underlying provider passwords.

Access controls

  • Single administrative account (dmeehanj@gmail.com) with elevated permissions; all other users see only their own data.
  • Two-factor authentication required on every administrative system we use (Vercel, Supabase, Stripe, Anthropic, Resend, Upstash, GitHub).
  • Role-based access in Supabase via Row-Level Security (RLS) policies on every user-data table. With RLS enabled the default posture is deny; a row is readable only by the user that owns it.
  • Service-role keys for server-side operations are scoped to specific routes and never shipped to the client. Client requests authenticate as the signed-in user only.
  • Audit log of every administrative action (Stripe webhook events, Supabase auth events, Vercel deploys) retained for at least 90 days.

Payment security

  • Payments are processed by Stripe via Stripe Elements / Checkout. We never store, transmit, or process raw card data — the card number goes directly from the user's browser to Stripe over TLS, and we receive only a token referring to the saved payment method.
  • PCI DSS SAQ A self-attested annually. Because Stripe Elements isolates the cardholder fields in a Stripe-served iframe, our PCI scope is the smallest available.
  • Webhook signatures from Stripe are verified on every request (see our Webhook Security policy if you have admin access).

Vulnerability disclosure

  • Email security@creatoroutreach.net with anything you find. We acknowledge reports within 1 business day and will keep you updated until the issue is remediated.
  • We prefer coordinated disclosure: please give us a reasonable window to fix the issue before publishing details. We do not run a paid bug bounty yet, but we will credit researchers (with permission) in our security changelog.
  • Good-faith security research is welcome. Do not access or modify data that isn't yours, do not run automated scans that degrade service availability, and do not exfiltrate any customer data you happen to encounter while testing.

Data handling

  • See our Privacy Policy for the full list of data we collect and how we use it.
  • See our Subprocessors page for every third party that handles customer data on our behalf.
  • Retention: account data is retained for the life of your account plus 90 days after deletion, then permanently removed (with a small carve-out for encrypted backup copies, which roll off within an additional 30 days).
  • Data portability: you can export your outreach data as CSV / Excel at any time from inside the app.

Incident response

  • Notification timeline: in the event of a confirmed personal-data breach, we notify affected users and the relevant supervisory authority within 72 hours of becoming aware, consistent with GDPR Article 33 and the breach-notification requirements of US state privacy laws.
  • Illinois residents: Under the Illinois Personal Information Protection Act (815 ILCS 530), breaches affecting 500 or more Illinois residents trigger a notification to the Illinois Attorney General within 45 days of discovery. Our internal Illinois Breach Notification Procedure (PRO-003) documents the full process.
  • Notification is sent by email to affected users and posted on this page (and at /security/incidents if we ever need a separate incident log).
  • We retain incident response evidence (logs, timeline, remediation steps) for a minimum of 5 years for audit purposes and compliance with Illinois civil statute-of-limitations requirements.

Compliance

  • SOC 2 Type I in progress — target completion within 6 months. We will publish the report (under NDA) when available.
  • CAN-SPAM compliant outbound email infrastructure: every email sent through Creator Outreach carries a physical postal address and a working unsubscribe link, and contacts who unsubscribe are added to a permanent suppression list consulted before any future send.
  • GDPR + UK GDPR for European data subjects, including support for data-subject access, rectification, erasure, restriction, portability, and objection requests. We use Standard Contractual Clauses for EU/UK → US data transfers.
  • CCPA/CPRA and 10 other US state comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Iowa, Tennessee, Delaware, New Hampshire). See the US State Privacy Rights section of the Privacy Policy for details.
  • We honor browser-based Global Privacy Control (GPC) opt-out signals where applicable.

Changes to this page

We will update this page when controls materially change. The date at the top of the page reflects the most recent revision. For meaningful changes, customers on enterprise plans are notified by email.