We build AI that shows its receipts — and we hold our own security to the same standard. This page describes the controls protecting your account, your brand evidence, and your connected social accounts.
Payments
Card payments are processed entirely by Stripe, a PCI-DSS Level 1 provider. We never see or store full card numbers. Stripe webhooks are verified by signature before we act on them, and processed idempotently so a replayed event cannot double-charge or corrupt subscription state.
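The two webhook properties above, signature verification and idempotent processing, are shown together in the following added example. It is not this site's code: it reimplements Stripe's documented signature scheme (`Stripe-Signature: t=<unix time>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`) in plain Python rather than calling the Stripe SDK, and the endpoint secret, event payload, timestamp and the `BillingHandler` class are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time

# Constructed endpoint secret for this example; Stripe issues real ones as "whsec_..." strings.
ENDPOINT_SECRET = b"whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # reject timestamps more than 5 minutes from now (replay window)


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build a Stripe-style signature header: HMAC-SHA256 over "<timestamp>.<body>".
    Used here only to construct deliveries for the example; the real sender is Stripe."""
    digest = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_signature(secret: bytes, header: str, body: bytes, now: int | None = None) -> bool:
    """Verify the header against the RAW body bytes (re-serialised JSON would not match).
    Accepts any v1 element (several appear during secret rotation), enforces the
    replay window on t, and compares digests in constant time."""
    now = int(time.time()) if now is None else now
    timestamp, candidates = None, []
    for element in header.split(","):
        key, _, value = element.partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates or abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, c) for c in candidates)


class BillingHandler:
    """Applies each verified event exactly once, keyed by the event id (hypothetical class)."""

    def __init__(self) -> None:
        self.seen_event_ids: set[str] = set()   # production: a unique-constrained DB column
        self.paid_invoices: list[str] = []

    def receive(self, header: str, body: bytes, now: int | None = None) -> str:
        if not verify_signature(ENDPOINT_SECRET, header, body, now):
            return "rejected: bad signature"
        event = json.loads(body)
        if event["id"] in self.seen_event_ids:
            return "duplicate: already applied"
        # In production, record the id and apply the state change in one transaction.
        self.seen_event_ids.add(event["id"])
        if event["type"] == "invoice.paid":
            self.paid_invoices.append(event["data"]["object"]["id"])
        return "applied"


# Constructed sample event, shaped like an "invoice.paid" delivery.
SAMPLE_EVENT = json.dumps({
    "id": "evt_constructed_0001",
    "type": "invoice.paid",
    "data": {"object": {"id": "in_constructed_0001", "amount_paid": 4900}},
}).encode()
SAMPLE_TIME = 1_700_000_000


def demo() -> dict:
    handler = BillingHandler()
    header = sign_payload(ENDPOINT_SECRET, SAMPLE_TIME, SAMPLE_EVENT)
    return {
        "first": handler.receive(header, SAMPLE_EVENT, now=SAMPLE_TIME),
        "replayed": handler.receive(header, SAMPLE_EVENT, now=SAMPLE_TIME + 10),
        "tampered": handler.receive(header, SAMPLE_EVENT.replace(b"4900", b"1"), now=SAMPLE_TIME),
        "stale": handler.receive(header, SAMPLE_EVENT, now=SAMPLE_TIME + 3600),
        "paid_invoices": handler.paid_invoices,
    }


if __name__ == "__main__":
    print(demo())
```

The timestamp window blocks old captures from being replayed, but a delivery inside the window can still arrive twice (Stripe retries on any non-2xx), which is why the event id is recorded before the subscription state is touched.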
Secrets management
Production secrets (API keys, signing keys, provider credentials) are never committed to source and never written into plain-text config. They live in a dedicated secrets manager; configuration carries only references to them, which the application resolves at runtime through short-lived, identity-bound access. Each service can read only the values it needs, scoped to its own machine identity.
Tenant & brand isolation
- Each workspace is isolated. Brand evidence, drafts, and receipts belong to a single workspace and are not shared across customers.
- Connected social tokens are isolated per workspace and brand — never pooled or cross-shared between customers.
- Authorization is enforced server-side on every request, not only in the UI, so a crafted request cannot reach another workspace's data.
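The three isolation points above (workspace-owned records, tokens keyed per workspace and brand, authorization on every request rather than in the UI) are illustrated by the following added example. It is not this site's code; the store, the `Principal` type, the request handler and the two workspaces' data are all constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class NotFound(Exception):
    """Surfaced as 404 whether the object is absent or belongs to another tenant,
    so a caller probing ids learns nothing about other workspaces."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    workspace_id: str   # from the verified session, never from the request body or URL


@dataclass
class TenantStore:
    # brand_id -> record; every record carries its owning workspace
    brands: dict[str, dict] = field(default_factory=dict)
    # social tokens keyed by (workspace_id, brand_id): there is no lookup path by brand alone
    social_tokens: dict[tuple[str, str], str] = field(default_factory=dict)

    def get_brand(self, who: Principal, brand_id: str) -> dict:
        brand = self.brands.get(brand_id)
        if brand is None or brand["workspace_id"] != who.workspace_id:
            raise NotFound(brand_id)
        return brand

    def get_social_token(self, who: Principal, brand_id: str) -> str:
        self.get_brand(who, brand_id)          # authorization first, then the fetch
        token = self.social_tokens.get((who.workspace_id, brand_id))
        if token is None:
            raise NotFound(brand_id)
        return token


def handle_publish(store: TenantStore, who: Principal, brand_id: str) -> dict:
    """Hypothetical request handler: the check runs here, server-side, on every call."""
    try:
        brand = store.get_brand(who, brand_id)
        token = store.get_social_token(who, brand_id)
    except NotFound:
        return {"status": 404}
    return {"status": 200, "brand": brand["name"], "token_prefix": token[:6]}


# Constructed data: two workspaces, each with one brand and one connected token.
STORE = TenantStore(
    brands={
        "brand_a": {"workspace_id": "ws_acme", "name": "Acme"},
        "brand_b": {"workspace_id": "ws_globex", "name": "Globex"},
    },
    social_tokens={
        ("ws_acme", "brand_a"): "acme00-token-constructed",
        ("ws_globex", "brand_b"): "globex-token-constructed",
    },
)
ACME_USER = Principal("u1", "ws_acme")
GLOBEX_USER = Principal("u2", "ws_globex")


def demo() -> dict:
    return {
        "own_brand": handle_publish(STORE, ACME_USER, "brand_a"),
        "other_tenant": handle_publish(STORE, ACME_USER, "brand_b"),   # cross-tenant id guess
        "missing": handle_publish(STORE, GLOBEX_USER, "brand_zzz"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that the workspace id is bound to the principal by the session and is part of the token's key, so a handler cannot accidentally fetch another tenant's token by passing only a brand id. The cross-tenant attempt and the genuinely missing id return identical responses.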
Application hardening
- HTTPS everywhere, with security headers (CSP, HSTS, X-Frame-Options).
- CSRF protection on state-changing requests; CSP violations are reported and monitored.
- Rate limiting on signup, login, checkout, and public endpoints to blunt scripted abuse.
- Passwords are stored only as hashes, never in plain text; the health endpoint and error responses are built so they do not leak version or environment details.
- Parameterized database access and input validation at every boundary.
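Of the controls listed, the rate limiting on signup, login and checkout is the one whose behaviour is easiest to misjudge, so here is an added example of a per-endpoint token-bucket limiter. It is not this site's code; the limits, client keys and in-memory state are assumptions for the illustration (a multi-instance deployment would keep the buckets in shared storage).

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float
    updated: float


class RateLimiter:
    """Token bucket keyed by (endpoint, client key). Each endpoint has its own burst
    capacity and refill rate, so login can be far tighter than a public read endpoint."""

    def __init__(self, limits: dict[str, tuple[int, float]]) -> None:
        self.limits = limits                 # endpoint -> (capacity, tokens per second)
        self.buckets: dict[tuple[str, str], _Bucket] = {}

    def allow(self, endpoint: str, client_key: str, now: float) -> bool:
        capacity, rate = self.limits[endpoint]
        bucket = self.buckets.get((endpoint, client_key))
        if bucket is None:
            bucket = self.buckets[(endpoint, client_key)] = _Bucket(float(capacity), now)
        # refill in proportion to elapsed time, never above capacity
        bucket.tokens = min(capacity, bucket.tokens + (now - bucket.updated) * rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


# Assumed limits for the example: 5 login attempts, then one every 12 s;
# 3 signups, then one every 200 s; 10 checkouts, then one every 6 s.
LIMITS = {"login": (5, 1 / 12), "signup": (3, 1 / 200), "checkout": (10, 1 / 6)}


def simulate_login_burst() -> dict:
    """Eight rapid attempts from one address, one attempt after a refill, one from another address."""
    limiter = RateLimiter(LIMITS)
    t0 = 1_000.0
    burst = [limiter.allow("login", "203.0.113.7", t0 + i * 0.1) for i in range(8)]
    after_refill = limiter.allow("login", "203.0.113.7", t0 + 13.0)
    other_client = limiter.allow("login", "198.51.100.9", t0 + 1.0)
    return {"burst": burst, "after_refill": after_refill, "other_client": other_client}


if __name__ == "__main__":
    print(simulate_login_burst())
```

For login specifically, key the bucket on both the source address and the target account: an address-only key lets a distributed password-spraying run stay under the limit, and an account-only key lets an attacker lock a victim out.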
AI safety controls
- A hard Compliance gate runs eight checks on every post before it can reach the publishing queue — off-brand or unverified content is held with the reason shown.
- Cost circuit breakers and per-plan caps prevent runaway generation spend.
- AI-generated media is flagged for honest disclosure under platform synthetic-media policies.
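The cost controls in the second item (a circuit breaker plus per-plan caps) follow a standard pattern, shown in this added example. It is not this site's code, and the plan prices, window size, trip threshold and cooldown are invented figures; the page does not state the real caps, and the eight Compliance checks are not modelled here.

```python
from __future__ import annotations

from collections import defaultdict, deque


class SpendGuard:
    """Two layers, both hypothetical figures: a per-workspace plan cap, and a platform-wide
    breaker that opens when spend in a rolling window exceeds a limit and stays open for
    a cooldown. Generation is refused, with the reason, when either layer says no."""

    def __init__(self, plan_caps_usd: dict[str, float], window_seconds: float,
                 window_limit_usd: float, cooldown_seconds: float) -> None:
        self.plan_caps = plan_caps_usd
        self.window = window_seconds
        self.window_limit = window_limit_usd
        self.cooldown = cooldown_seconds
        self.spent: dict[str, float] = defaultdict(float)     # workspace -> spend this period
        self.recent: deque[tuple[float, float]] = deque()     # (timestamp, cost), all workspaces
        self.open_until: float = 0.0                          # breaker state

    def _window_total(self, now: float) -> float:
        while self.recent and self.recent[0][0] < now - self.window:
            self.recent.popleft()
        return sum(cost for _, cost in self.recent)

    def check(self, workspace: str, plan: str, estimated_cost: float, now: float) -> tuple[bool, str]:
        """Call before generating; the estimate is charged against the cap, not the actual cost."""
        if now < self.open_until:
            return False, "circuit open: generation paused platform-wide"
        cap = self.plan_caps[plan]
        if self.spent[workspace] + estimated_cost > cap:
            return False, f"plan cap reached ({self.spent[workspace]:.2f} of {cap:.2f} USD)"
        return True, "ok"

    def record(self, workspace: str, actual_cost: float, now: float) -> None:
        """Call after generating with the provider's actual cost; may trip the breaker."""
        self.spent[workspace] += actual_cost
        self.recent.append((now, actual_cost))
        if self._window_total(now) > self.window_limit:
            self.open_until = now + self.cooldown


def demo() -> dict:
    guard = SpendGuard({"starter": 10.0, "pro": 100.0},
                       window_seconds=60, window_limit_usd=20.0, cooldown_seconds=300)
    out: dict = {}
    # starter workspace at 0.50 USD per generation: 20 accepted, the 21st refused by the cap
    accepted = 0
    for i in range(21):
        ok, _ = guard.check("ws_a", "starter", 0.50, now=float(i))
        if ok:
            guard.record("ws_a", 0.50, now=float(i))
            accepted += 1
    out["starter_accepted"] = accepted
    out["starter_reason"] = guard.check("ws_a", "starter", 0.50, now=21.0)[1]
    # pro workspace spends 25 USD inside one minute: the global breaker opens for 300 s
    for i in range(5):
        guard.record("ws_b", 5.0, now=100.0 + i)
    out["pro_during_cooldown"] = guard.check("ws_b", "pro", 1.0, now=110.0)
    out["pro_after_cooldown"] = guard.check("ws_b", "pro", 1.0, now=500.0)
    return out


if __name__ == "__main__":
    print(demo())
```

The breaker is global on purpose: a bug or a prompt loop in one workspace's agent should not be able to run up the whole platform's provider bill while each tenant individually stays under its cap. Resetting `spent` at the billing-period boundary is left out of the example.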
Monitoring & recovery
Application and agent activity is logged for security and reliability. Data is hosted on managed infrastructure with automated backups; we test restores so a recovery path actually works rather than only existing on paper.
Reporting a vulnerability
If you believe you've found a security issue, please email eiaawsolutions@gmail.com with steps to reproduce. We investigate every credible report and ask that you give us reasonable time to remediate before any public disclosure. Please do not run automated scans that degrade service for other customers.
This page describes our current posture and is not a certification. See also our Privacy Policy and Terms of Service.