Your data, treated like ours
End-to-end encryption, strict multi-tenancy, granular RBAC, and full auditing. LFPDPPP, GDPR, and CCPA compliant.
All systems secured · AES-256 · TLS 1.3 · RLS
Encryption at rest · AES-256
Multi-tenant RLS · Row-Level Security
Compliance · GDPR (EU) · LFPDPPP (MX) · CCPA (US-CA) · SOC 2 (in progress)
01 · encryption
Encryption at rest and in transit
Every piece of data Blacknel touches travels and sleeps encrypted. No plaintext, no exceptions.
Data at rest · AES-256
All information stored in Blacknel is encrypted with AES-256 at the Postgres column level. Our database provider (Supabase) adds disk-level encryption as defense-in-depth.
Data in transit · TLS 1.3
All communication between your browser, our servers, and third-party APIs (Facebook, Google, etc.) goes over TLS 1.3 with certificate pinning where the provider supports it. Plain HTTP exists nowhere in the stack.
Secrets and credentials
OAuth credentials (Facebook, Google, etc.) live encrypted in Supabase Vault, with keys that rotate every 90 days. API keys you generate in your workspace are shown once and never stored in plaintext.
Passwords
We don't handle them. We use Supabase Auth with magic links (passwordless) by default. For Enterprise customers with SSO/SAML, the password never reaches Blacknel — your IdP authenticates.
02 · multitenancy
Strict multi-tenancy
Each organization is an isolated tenant at the database level, not a filter applied in application code.
Row-Level Security in Postgres
Each organization in Blacknel is an isolated tenant via Postgres Row-Level Security (RLS). It's a database-level constraint that prevents any cross-tenant query, even if there's a bug in the app.
What it means in practice
If a bug in our code tried to execute SELECT * FROM posts without an org filter, Postgres would return 0 rows — because RLS policies verify current_setting('app.current_org_id') before returning any row. Without a valid org_id in the session, there's no data.
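The RLS setup described above, written out as an added example (not Blacknel's schema): a tenant-scoped posts table, a policy keyed on current_setting('app.current_org_id'), and the behaviour of an unfiltered query with the wrong tenant or no tenant in the session. The table, function and UUIDs are constructed for illustration.

```sql
-- Added example, not Blacknel's schema: a tenant-scoped table guarded by
-- the current_setting('app.current_org_id') check described above.
CREATE TABLE posts (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    body   text NOT NULL
);

-- Enable RLS and FORCE it so the table owner is subject to the policy too.
-- Superusers and roles with BYPASSRLS still bypass it, so the application
-- role must be neither.
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
ALTER TABLE posts FORCE ROW LEVEL SECURITY;

-- Resolve the tenant from the session. missing_ok = true returns NULL
-- instead of raising when the setting was never set, and NULLIF maps an
-- empty string to NULL, so an unscoped session matches no rows rather
-- than erroring or leaking.
CREATE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.current_org_id', true), '')::uuid
$$;

-- One policy for all commands: a row can be read, inserted or updated only
-- when its org_id equals the session tenant (NULL compares as false).
CREATE POLICY posts_tenant_isolation ON posts
    USING (org_id = current_org_id())
    WITH CHECK (org_id = current_org_id());

-- Org A writes a row. SET LOCAL scopes the tenant to this transaction, so a
-- pooled connection cannot carry one tenant's id into the next request.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO posts (org_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'hello from org A');
COMMIT;

-- Org B: the unfiltered SELECT yields no rows, and inserting a row tagged
-- with org A's id is rejected by the WITH CHECK clause.
BEGIN;
SET LOCAL app.current_org_id = '22222222-2222-2222-2222-222222222222';
SELECT * FROM posts;
INSERT INTO posts (org_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'spoofed');
ROLLBACK;

-- No tenant in the session at all: the same SELECT also yields no rows.
SELECT * FROM posts;
```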
Asset isolation
Each org has its own storage bucket for assets (videos, images, PDFs). Buckets are private by default and accessed via signed URLs that expire in 1 hour. There's no way to list or access another org's assets.
Audit trail
Every action touching sensitive data (login, post publish, review response, RBAC change) lands in audit_events with timestamp, user_id, org_id, IP, user-agent, and the diff of what changed. Append-only — history cannot be rewritten.
03 · rbac
Granular RBAC
Five default roles, custom roles on Enterprise, and three layers of permission checks.
Default roles
Owner (full control + billing), Admin (everything except billing/deletion), Manager (brands and workflows), Agent (day-to-day operations), Viewer (read-only).
Custom roles on Enterprise
Create custom roles with a granular permission matrix: per brand, per action (read/write/delete/publish), per channel. Permissions are assigned via grants and revokes; on conflict the system follows 'revoke wins'.
Permission catalog
50+ permission strings available. Examples: posts:publish, inbox:assign, billing:read, audit:read, team:manage_roles.
Defense-in-depth
Every permission check happens in THREE layers: TypeScript in the Server Action, the SQL function executing the query, and Row-Level Security at the database. All three would have to fail simultaneously for a permission leak to happen.
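The SQL-function layer of the check, with the 'revoke wins' rule from the custom-roles section, as an added example (not Blacknel's code): per-brand grants and revokes in a role_permissions table, a has_permission function that denies whenever any applicable revoke exists, and a constructed scenario showing a grant on all brands overridden by a revoke on one brand. Table names, column names and UUIDs are assumptions.

```sql
-- Added example, not Blacknel's schema: the SQL layer of a permission check
-- with per-brand grants and revokes, where any applicable revoke wins.
CREATE TABLE memberships (
    user_id uuid NOT NULL, org_id uuid NOT NULL, role_id uuid NOT NULL,
    PRIMARY KEY (user_id, org_id, role_id)
);
CREATE TABLE role_permissions (
    role_id    uuid NOT NULL,
    permission text NOT NULL,   -- e.g. 'posts:publish'
    brand_id   uuid,            -- NULL means the row applies to every brand
    effect     text NOT NULL CHECK (effect IN ('grant', 'revoke'))
);

-- True only if at least one grant applies to the brand and no revoke does.
-- Org-wide rows (brand_id IS NULL) apply to every brand, so one org-wide
-- revoke overrides any number of brand-specific grants. No matching rows
-- at all is a deny: COALESCE keeps the result boolean, never NULL.
CREATE FUNCTION has_permission(p_user uuid, p_org uuid, p_perm text,
                               p_brand uuid DEFAULT NULL)
RETURNS boolean LANGUAGE sql STABLE AS $$
    SELECT COALESCE(bool_or(rp.effect = 'grant'), false)
       AND NOT COALESCE(bool_or(rp.effect = 'revoke'), false)
    FROM memberships m
    JOIN role_permissions rp ON rp.role_id = m.role_id
    WHERE m.user_id = p_user AND m.org_id = p_org
      AND rp.permission = p_perm
      AND (rp.brand_id IS NULL OR rp.brand_id = p_brand)
$$;

-- Constructed scenario: one user holds a role that may publish on every
-- brand, except brand B where posts:publish has been explicitly revoked.
INSERT INTO memberships VALUES
    ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111',
     'bbbbbbbb-0000-0000-0000-000000000001');
INSERT INTO role_permissions (role_id, permission, brand_id, effect) VALUES
    ('bbbbbbbb-0000-0000-0000-000000000001', 'posts:publish', NULL, 'grant'),
    ('bbbbbbbb-0000-0000-0000-000000000001', 'posts:publish',
     'cccccccc-0000-0000-0000-000000000002', 'revoke');

-- brand_a: the org-wide grant applies and nothing revokes it.
-- brand_b: the same grant applies, but so does the revoke, and revoke wins.
-- billing: no row mentions billing:read for this role, so it is denied.
SELECT has_permission('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111',
                      'posts:publish', 'cccccccc-0000-0000-0000-000000000001') AS brand_a,
       has_permission('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111',
                      'posts:publish', 'cccccccc-0000-0000-0000-000000000002') AS brand_b,
       has_permission('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111',
                      'billing:read') AS billing;
```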
04 · audit
Immutable audit log
Every action that affects data or configuration is recorded immutably and is exportable.
What gets logged
Logins, logouts, published posts, review replies, role changes, data exports, org settings, pricing/seat changes.
Per-event payload
Exact timestamp (UTC + local), user_id, org_id, session_id, source IP, user-agent, country (GeoIP), exact action + diff (before/after), result (success/failure/partial).
Retention
Standard: 90 days. Growth: 1 year. Enterprise: up to 7 years, configurable.
Immutability and export
The audit_events table is append-only at the Postgres level. No DELETE is allowed — not even with admin privileges. The audit log is exportable as JSON or CSV at any time, useful for SOC 2, ISO 27001, and internal audits.
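An append-only audit_events table of the kind described in the audit-trail and immutability sections, as an added example (not Blacknel's schema): the per-event columns listed above, INSERT/SELECT-only privileges for the application role, and a trigger that refuses UPDATE, DELETE and TRUNCATE regardless of the caller's privileges. The role name app_rw (assumed to exist), column names and sample values are assumptions.

```sql
-- Added example, not Blacknel's schema: an append-only audit table whose
-- rows cannot be rewritten or deleted, even by a role holding DELETE.
CREATE TABLE audit_events (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),   -- stored as UTC
    user_id     uuid,
    org_id      uuid NOT NULL,
    session_id  uuid,
    source_ip   inet,
    user_agent  text,
    action      text NOT NULL,                        -- e.g. 'rbac.role_changed'
    result      text NOT NULL CHECK (result IN ('success', 'failure', 'partial')),
    diff        jsonb                                 -- {"before": ..., "after": ...}
);

-- Layer 1: privileges. The application role (app_rw, an assumed name) may
-- only append and read.
REVOKE ALL ON audit_events FROM PUBLIC;
GRANT SELECT, INSERT ON audit_events TO app_rw;

-- Layer 2: a trigger that rejects UPDATE, DELETE and TRUNCATE for every
-- role, including the table owner and admins, so a slip in layer 1 still
-- cannot rewrite history. A superuser can still drop this trigger, which is
-- why the superuser credential must stay out of the application's hands and
-- why a copy of the exported log in storage the database cannot alter is
-- worth keeping.
CREATE FUNCTION audit_events_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_events is append-only; % is not allowed', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END
$$;
CREATE TRIGGER audit_events_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_events
    FOR EACH ROW EXECUTE FUNCTION audit_events_immutable();
CREATE TRIGGER audit_events_no_truncate
    BEFORE TRUNCATE ON audit_events
    FOR EACH STATEMENT EXECUTE FUNCTION audit_events_immutable();

-- Constructed event: a role change, with the before/after diff. This insert
-- succeeds; each statement after it is refused by the trigger.
INSERT INTO audit_events (user_id, org_id, session_id, source_ip, user_agent,
                          action, result, diff)
VALUES ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111',
        'dddddddd-0000-0000-0000-000000000001', '203.0.113.7', 'Mozilla/5.0',
        'rbac.role_changed', 'success',
        '{"before": {"role": "agent"}, "after": {"role": "manager"}}');
UPDATE audit_events SET result = 'failure' WHERE id = 1;
DELETE FROM audit_events WHERE id = 1;
TRUNCATE audit_events;
```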
05 · compliance
Compliance
LFPDPPP, GDPR, CCPA, and SOC 2 Type II audit in progress.
LFPDPPP (Mexico)
We comply with the principles of legality, consent, information, quality, finality, loyalty, proportionality, and accountability. Privacy notice aligned with INAI. ARCO rights are handled via privacy@blacknel.com within 20 business days.
GDPR (European Union)
We operate under Article 6.1.b (contract execution) and 6.1.a (consent) for marketing opt-in. Designated DPO. Your right to portability (Art. 20) is fulfilled with a full standard-JSON export. SCCs are signed by default for international data transfer.
CCPA (California)
We honor 'Do Not Sell' requests (even though we don't sell data), 'Right to Know' and 'Right to Delete'. Max response time: 45 days.
SOC 2 Type II · in progress
Active audit with target close in Q3 2026. Covers Security, Availability, Processing Integrity, Confidentiality, and Privacy. Once certified, the report will be available to Enterprise customers under NDA.
HIPAA
We don't operate as a Business Associate for healthcare providers by default. If you need specific HIPAA compliance, contact us to discuss a dedicated BAA on Enterprise.
06 · bounty
Bug bounty
Active private program. If you find a vulnerability, email security@blacknel.com.
What we reward
Critical (RCE, auth bypass, tenant data leak): $1,000 – $5,000 USD. High (privilege escalation, sensitive data exposure): $500 – $1,500 USD. Medium (XSS, CSRF, minor IDOR): $100 – $500 USD. Low (info disclosure, config): $50 – $200 USD.
Rules
Test with your own account; don't compromise others'. No DoS, brute force, or aggressive scanning. Report privately and give us 90 days before going public. No social engineering of the team.
Hall of fame
We maintain a public Hall of Fame of researchers who reported valid issues. We'll publish it once the first confirmed report lands — full transparency, pre-revenue, no invented history.
Architecture
Architecture at a glance
Modern, fluid, observable stack. Each layer has a clear responsibility and its own security guardrails.
Client
Your team accesses Blacknel via browser or mobile. Everything is HTTPS + TLS 1.3 with HSTS preload.
CDN · Cloudflare
L3/L4/L7 DDoS protection. Static asset caching. Managed WAF rulesets active.
Vercel Edge · Next.js Server Components
Global edge rendering. Server Components execute in Vercel Functions with <100ms cold start thanks to Fluid Compute.
Server Actions & API Routes
Every mutation passes through a triple permission check (TS + SQL + RLS). Auth via Supabase Magic Links. Per-tenant rate limiting.
Supabase Postgres · multi-tenant RLS
AES-256 encryption at rest, daily backups with PITR (point-in-time recovery), geo-distributed replication.
Sub-processors
Anthropic (Claude) · OpenAI (GPT) · Resend (email) · Stripe (payments) · Plausible (analytics) · Sentry (errors). Each one has a signed DPA + SCC.
Incidents
How we respond to incidents
Detection
Sentry alerts on production errors in <1 minute. PostHog tracks usage anomalies. 24/7 uptime monitoring with checks every 30 seconds. Custom alerts on critical metrics (auth failure rate, DB errors).
Triage
Severity 1 (user-affecting): page on-call <5 min. Severity 2 (partial degradation): response <15 min. Severity 3 (not user-affecting): next business day.
Communication
status.blacknel.com updates in real time. Email to admins of affected orgs within 30 minutes. Public post-mortem on the blog within 7 days for SEV 1.
Learning
Every SEV 1 ends with a documented post-mortem: timeline, root cause, what worked, what didn't, and action items. We publish them because we believe in transparency.