Security

Your data, treated like ours

End-to-end encryption, strict multi-tenancy, granular RBAC, and full auditing. LFPDPPP, GDPR, and CCPA compliant.

All systems secured · AES-256 · TLS 1.3 · RLS

Encryption at rest: AES-256
Multi-tenant RLS: Row-Level Security
Compliance: GDPR (EU) · LFPDPPP (MX) · CCPA (US-CA) · SOC 2 (in progress)

01 · encryption

Encryption at rest and in transit

Every piece of data Blacknel touches travels and sleeps encrypted. No plaintext, no exceptions.

Data at rest · AES-256

All information stored in Blacknel is encrypted with AES-256 at the Postgres column level. Our database provider (Supabase) adds disk-level encryption as defense-in-depth.

Data in transit · TLS 1.3

All communication between your browser, our servers, and third-party APIs (Facebook, Google, etc.) goes over TLS 1.3 with certificate pinning where the provider supports it. Plain HTTP exists nowhere in the stack.

Secrets and credentials

OAuth credentials (Facebook, Google, etc.) live encrypted in Supabase Vault, with keys that rotate every 90 days. API keys you generate in your workspace are shown once and never stored in plaintext.

Passwords

We don't handle them. We use Supabase Auth with magic links (passwordless) by default. For Enterprise customers with SSO/SAML, the password never reaches Blacknel — your IdP authenticates.

02 · multitenancy

Strict multi-tenancy

Each organization is an isolated tenant at the database level. Not a filter applied in code.

Row-Level Security in Postgres

Each organization in Blacknel is an isolated tenant via Postgres Row-Level Security (RLS). It's a database-level constraint that prevents any cross-tenant query, even if there's a bug in the app.

What it means in practice

If a bug in our code tried to execute SELECT * FROM posts without an org filter, Postgres would return 0 rows — because RLS policies verify current_setting('app.current_org_id') before returning any row. Without a valid org_id in the session, there's no data.
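The behaviour described above, as an added example that is not Blacknel's schema: a posts table whose rows are fenced per organization by a Postgres RLS policy keyed on app.current_org_id. The role app_user, the table and the UUIDs are constructed for the example.

```sql
-- Added example (not Blacknel's schema): posts isolated per org with Postgres RLS
-- keyed on app.current_org_id. Assumed names: role app_user, table posts.
CREATE ROLE app_user NOLOGIN;   -- role the application connects as (no BYPASSRLS)

CREATE TABLE posts (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    body   text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON posts TO app_user;

-- FORCE makes the table owner subject to the policies too; only superusers
-- and roles with BYPASSRLS are exempt, so the app must never run as either.
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
ALTER TABLE posts FORCE ROW LEVEL SECURITY;

-- missing_ok = true makes current_setting() return NULL instead of raising
-- when the setting is unset, so a session with no org id matches no rows.
-- USING filters rows read; WITH CHECK rejects writes aimed at another tenant.
CREATE POLICY posts_tenant_isolation ON posts
    FOR ALL TO app_user
    USING      (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- Per request: SET LOCAL scopes the org id to the transaction, so a pooled
-- connection cannot carry one tenant's id into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO posts (org_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'constructed sample post');
COMMIT;

-- A query that forgets the org filter still only sees the current tenant,
-- because the policy is applied by Postgres, not by the application code.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org_id = '22222222-2222-2222-2222-222222222222';
SELECT * FROM posts;   -- the first org's row is filtered out by the policy
ROLLBACK;

-- With no org id set, the USING clause evaluates to NULL for every row,
-- which RLS treats as "not visible".
BEGIN;
SET LOCAL ROLE app_user;
SELECT * FROM posts;
ROLLBACK;
```

An INSERT whose org_id differs from the session's org id is rejected by the WITH CHECK clause with a policy violation error, which is the write-side counterpart of the empty SELECT.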

Asset isolation

Each org has its own storage bucket for assets (videos, images, PDFs). Buckets are private by default and accessed via signed URLs that expire in 1 hour. There's no way to list or access another org's assets.

Audit trail

Every action touching sensitive data (login, post publish, review response, RBAC change) lands in audit_events with timestamp, user_id, org_id, IP, user-agent, and the diff of what changed. Append-only — history cannot be rewritten.

03 · rbac

Granular RBAC

Five default roles, custom roles on Enterprise, and three layers of permission checks.

Default roles

Owner (full control + billing), Admin (everything except billing/deletion), Manager (brands and workflows), Agent (day-to-day operations), Viewer (read-only).

Custom roles on Enterprise

Create custom roles with a granular permission matrix: per brand, per action (read/write/delete/publish), per channel. Permissions are assigned via grants and revokes; on conflict the system follows 'revoke wins'.

Permission catalog

50+ permission strings available. Examples: posts:publish, inbox:assign, billing:read, audit:read, team:manage_roles.

Defense-in-depth

Every permission check happens in THREE layers: TypeScript in the Server Action, SQL function executing the query, and Row-Level Security at the database. All three would have to fail simultaneously for a permission leak to happen.
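The 'revoke wins' rule from Custom roles on Enterprise, implemented as the SQL-function layer of the three-layer check described above. This is an added example, not Blacknel's code; the tables role_permissions and user_roles, the function has_permission() and the UUIDs are constructed for the example.

```sql
-- Added example (not Blacknel's schema): effective-permission resolution where
-- an explicit revoke overrides any grant. Assumed names: role_permissions,
-- user_roles, has_permission(); a NULL brand_id means "every brand".
CREATE TABLE role_permissions (
    id         bigserial PRIMARY KEY,
    role_id    uuid NOT NULL,
    permission text NOT NULL,               -- e.g. 'posts:publish'
    brand_id   uuid,                        -- NULL = applies to all brands
    effect     text NOT NULL CHECK (effect IN ('grant', 'revoke'))
);
CREATE TABLE user_roles (
    user_id uuid NOT NULL,
    org_id  uuid NOT NULL,
    role_id uuid NOT NULL,
    PRIMARY KEY (user_id, org_id, role_id)
);

-- True only if some role of the user grants the permission for this brand (or
-- for all brands) AND no role of the user revokes it. The SQL function that
-- performs a mutation calls this first; RLS remains the third, independent layer.
CREATE FUNCTION has_permission(p_user uuid, p_org uuid, p_brand uuid, p_perm text)
RETURNS boolean LANGUAGE sql STABLE AS $$
    WITH effective AS (
        SELECT rp.effect
          FROM user_roles ur
          JOIN role_permissions rp ON rp.role_id = ur.role_id
         WHERE ur.user_id = p_user AND ur.org_id = p_org
           AND rp.permission = p_perm
           AND (rp.brand_id IS NULL OR rp.brand_id = p_brand)
    )
    SELECT EXISTS (SELECT 1 FROM effective WHERE effect = 'grant')
       AND NOT EXISTS (SELECT 1 FROM effective WHERE effect = 'revoke');
$$;

-- Constructed sample: role A grants posts:publish on every brand, role B revokes
-- it on brand X only; one user holds both roles in the same org.
INSERT INTO role_permissions (role_id, permission, brand_id, effect) VALUES
  ('a0000000-0000-0000-0000-000000000001', 'posts:publish', NULL, 'grant'),
  ('b0000000-0000-0000-0000-000000000002', 'posts:publish',
   'c0000000-0000-0000-0000-00000000000a', 'revoke');
INSERT INTO user_roles VALUES
  ('d0000000-0000-0000-0000-000000000001', 'e0000000-0000-0000-0000-000000000001',
   'a0000000-0000-0000-0000-000000000001'),
  ('d0000000-0000-0000-0000-000000000001', 'e0000000-0000-0000-0000-000000000001',
   'b0000000-0000-0000-0000-000000000002');

-- Brand X: the revoke from role B overrides the grant from role A.
SELECT has_permission('d0000000-0000-0000-0000-000000000001',
  'e0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-00000000000a', 'posts:publish');
-- Brand Y: only the all-brands grant applies, so the user is allowed.
SELECT has_permission('d0000000-0000-0000-0000-000000000001',
  'e0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-00000000000b', 'posts:publish');
```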

04 · audit

Immutable audit log

Every action that affects data or configuration is recorded immutably and is exportable.

What gets logged

Logins, logouts, published posts, review replies, role changes, data exports, org settings, pricing/seat changes.

Per-event payload

Exact timestamp (UTC + local), user_id, org_id, session_id, source IP, user-agent, country (GeoIP), exact action + diff (before/after), result (success/failure/partial).

Retention

Standard: 90 days. Growth: 1 year. Enterprise: up to 7 years, configurable.

Immutability and export

The audit_events table is append-only at the Postgres level. No DELETE is allowed — not even with admin privileges. The audit log is exportable as JSON or CSV at any time, useful for SOC 2, ISO 27001, and internal audits.
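One way to make an audit table append-only at the Postgres level, as described above. This is an added example, not Blacknel's schema: the column set mirrors the per-event payload listed on this page, and the roles app_user and app_admin, the trigger names and the sample row are constructed.

```sql
-- Added example (not Blacknel's schema): an append-only audit_events table.
-- Assumed names: table audit_events, roles app_user and app_admin (created here).
CREATE ROLE app_user  NOLOGIN;
CREATE ROLE app_admin NOLOGIN;

CREATE TABLE audit_events (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    user_id     uuid,
    org_id      uuid        NOT NULL,
    ip          inet,
    user_agent  text,
    action      text        NOT NULL,
    diff        jsonb,                  -- before/after of what changed
    result      text        NOT NULL CHECK (result IN ('success', 'failure', 'partial'))
);

-- Layer 1, privileges: application roles, admin included, get INSERT and SELECT only.
REVOKE ALL ON audit_events FROM PUBLIC;
GRANT SELECT, INSERT ON audit_events TO app_user, app_admin;

-- Layer 2, a trigger that rejects rewrites regardless of who issues them, so a
-- later mistaken GRANT UPDATE/DELETE does not silently reopen the table.
CREATE FUNCTION audit_events_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_events is append-only: % rejected', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_events_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_events
    FOR EACH ROW EXECUTE FUNCTION audit_events_immutable();
CREATE TRIGGER audit_events_no_truncate
    BEFORE TRUNCATE ON audit_events
    FOR EACH STATEMENT EXECUTE FUNCTION audit_events_immutable();

-- Constructed sample event; INSERT is the only mutation that succeeds.
INSERT INTO audit_events (user_id, org_id, ip, user_agent, action, diff, result)
VALUES ('00000000-0000-0000-0000-0000000000aa', '00000000-0000-0000-0000-000000000001',
        '203.0.113.10', 'Mozilla/5.0 (constructed)', 'rbac.role_change',
        '{"before": {"role": "agent"}, "after": {"role": "manager"}}', 'success');

-- Both statements are rejected by the trigger (and, for the app roles, by the
-- missing privilege before the trigger is even reached).
DELETE FROM audit_events WHERE id = 1;
UPDATE audit_events SET diff = '{}' WHERE id = 1;
```

A superuser or the table owner can still drop the trigger, so keep ownership with a dedicated migration role and, where the threat model includes a compromised database administrator, ship events to external write-once storage as well.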

05 · compliance

Compliance

LFPDPPP, GDPR, CCPA, and SOC 2 Type II audit in progress.

LFPDPPP (Mexico)

We comply with the principles of legality, consent, information, quality, finality, loyalty, proportionality, and accountability. Privacy notice aligned with INAI. ARCO rights are handled via privacy@blacknel.com within 20 business days.

GDPR (European Union)

We operate under Article 6.1.b (contract execution) and 6.1.a (consent) for marketing opt-in. Designated DPO. Your right to portability (Art. 20) is fulfilled with a full standard-JSON export. SCCs are signed by default for international data transfer.

CCPA (California)

We honor 'Do Not Sell' requests (even though we don't sell data), 'Right to Know' and 'Right to Delete'. Max response time: 45 days.

SOC 2 Type II · in progress

Active audit with target close in Q3 2026. Covers Security, Availability, Processing Integrity, Confidentiality, and Privacy. Once certified, the report will be available to Enterprise customers under NDA.

HIPAA

We don't operate as a Business Associate for healthcare providers by default. If you need specific HIPAA compliance, contact us to discuss a dedicated BAA on Enterprise.

06 · bounty

Bug bounty

Active private program. If you find a vulnerability, email security@blacknel.com.

What we reward

Critical (RCE, auth bypass, tenant data leak): $1,000 – $5,000 USD. High (privilege escalation, sensitive data exposure): $500 – $1,500 USD. Medium (XSS, CSRF, minor IDOR): $100 – $500 USD. Low (info disclosure, config): $50 – $200 USD.

Rules

Find the vuln with your own account, don't compromise others'. No DoS, brute force, or aggressive scanning. Report privately and give us 90 days before going public. No social engineering of the team.

Hall of fame

We maintain a public Hall of Fame of researchers who reported valid issues. We'll publish it once the first confirmed report lands — full transparency, pre-revenue, no invented history.

Architecture

Architecture at a glance

Modern, fluid, observable stack. Each layer has a clear responsibility and its own security guardrails.

01 · Client

Your team accesses via browser or mobile. Everything is HTTPS + TLS 1.3 with HSTS preload.

02 · CDN · Cloudflare

L3/L4/L7 DDoS protection. Static asset caching. Managed WAF rulesets active.

03 · Vercel Edge · Next.js Server Components

Global edge rendering. Server Components execute in Vercel Functions with <100ms cold start thanks to Fluid Compute.

04 · Server Actions & API Routes

Every mutation passes through a triple permission check (TS + SQL + RLS). Auth via Supabase Magic Links. Per-tenant rate limiting.

05 · Supabase Postgres · multi-tenant RLS

AES-256 encryption at rest, daily backups with PITR (point-in-time recovery), geo-distributed replication.

06 · Sub-processors

Anthropic (Claude) · OpenAI (GPT) · Resend (email) · Stripe (payments) · Plausible (analytics) · Sentry (errors). Each one has a signed DPA + SCC.

Incidents

How we respond to incidents

Detection

Sentry alerts on production errors in <1 minute. PostHog tracks usage anomalies. Uptime monitoring 24/7 every 30 seconds. Custom alerts on critical metrics (auth failure rate, DB errors).

Triage

Severity 1 (user-affecting): page on-call <5 min. Severity 2 (partial degradation): response <15 min. Severity 3 (not user-affecting): next business day.

Communication

status.blacknel.com updates in real time. Email to admins of affected orgs within 30 minutes. Public post-mortem on the blog within 7 days for SEV 1.

Learning

Every SEV 1 ends with a documented post-mortem: timeline, root cause, what worked, what didn't, and action items. We publish them because we believe in transparency.

Your first week without Hootsuite. Without Sprout. Without the 5 spreadsheets.

Connect your channels in 10 minutes, invite your team, and start operating. No contracts, no mandatory sales calls.

14-day trial. No credit card. Cancel anytime.