Security

Security is not
an afterthought.

EngageWingman acts as your agent on X — that means we hold the keys to your account. We designed every layer of the platform with the assumption that threats exist, and built accordingly.

🔐

Authentication & Access

  • Passwords are hashed with bcrypt (cost factor 12) — plaintext is never stored or logged.
  • Sessions use signed JWTs (HS256) with a 7-day expiry. Tokens are invalidated server-side on logout.
  • X/Twitter connections use OAuth 2.0 PKCE — the industry-standard flow for user-delegated access. No static API keys tied to your account.
  • Every API endpoint requires a valid bearer token. No unauthenticated routes expose user data.
🔒

Your X/Twitter Credentials

  • Access tokens and refresh tokens are encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256) before being written to the database.
  • The encryption key lives only in the server environment — never in the codebase or version control.
  • Tokens are decrypted in memory only at the moment they are needed for an API call, then discarded.
  • If you disconnect your X account, all stored tokens are deleted immediately.
📡

Data in Transit

  • All traffic between your browser and engagewingman.io is encrypted via TLS 1.2+, enforced by Vercel's edge network.
  • Backend API calls from the frontend to Railway are served over HTTPS — no unencrypted connections.
  • Connections to Supabase (PostgreSQL) and Upstash (Redis) are TLS-only. Plaintext database connections are refused.
  • Outbound calls to xAI (Grok), X API, and Stripe are made over HTTPS with certificate validation.
🗄️

Data at Rest

  • Production database hosted on Supabase (PostgreSQL 17), which encrypts data at rest by default.
  • Redis (Upstash) is TLS-encrypted in transit and at rest.
  • OAuth tokens are double-protected: database encryption at the storage layer plus application-level Fernet encryption.
  • No sensitive data is written to application logs. Token values, passwords, and keys are never logged.
🤖

AI & Content Safety

  • All user-provided content (brand descriptions, tweet text, author names) is sanitized to remove prompt injection attempts before being sent to the AI.
  • The sanitizer strips known jailbreak patterns, role-play overrides, and instruction injections.
  • AI-generated content is reviewed by guardrails before posting — rate limits, daily quotas, and reply caps prevent runaway behavior.
  • xAI (Grok) processes content under their API terms. Your data is not used to train public models.
🛡️

Application Security

  • CORS is locked to engagewingman.io — no cross-origin requests from unknown domains are accepted.
  • Rate limiting is applied at the API level — burst protection and daily quotas prevent abuse.
  • All request parameters are validated with Pydantic schemas before touching the database. SQL injection is structurally prevented by SQLAlchemy's parameterized queries.
  • Dependencies are pinned in pyproject.toml and package-lock.json. No floating version ranges in production.
💳

Payments

  • All payment processing is handled by Stripe (PCI DSS Level 1 certified).
  • EngageWingman never sees, stores, or logs your card number, CVV, or full billing details.
  • Stripe webhooks are verified using HMAC-SHA256 signature validation — forged webhook events are rejected.
🏗️

Infrastructure

  • Frontend served by Vercel — SOC 2 Type II certified, global CDN, DDoS protection built in.
  • Backend API hosted on Railway — isolated container environment, automatic TLS, no shared-process vulnerabilities.
  • Database and Redis are managed services (Supabase, Upstash) with automated backups and high availability.
  • Production, staging, and local development environments are fully isolated — no shared credentials or databases.
📋

Your Data

  • You own your content. EngageWingman does not claim rights to posts generated on your behalf.
  • Your brand configuration, post history, and connected account data are yours — export or delete at any time.
  • We do not sell data to third parties or use your content for advertising.
  • Account deletion removes all your data from our database within 30 days.

Responsible Disclosure

Found a vulnerability? We take security reports seriously and respond within 48 hours. Please do not publicly disclose issues before we have had a chance to address them.

security@engagewingman.io