Security at Social Anchor.

Social Anchor takes the security of client and visitor data seriously. This page describes the technical, organizational, and operational measures we use to protect payment information, account credentials, brand assets, and other sensitive data we handle on behalf of our clients.

1. Encryption

All data transmitted between your browser, our systems, and the third-party services we use is encrypted in transit using Transport Layer Security (TLS 1.2 or higher).

Sensitive data at rest is encrypted using industry-standard encryption protocols, including AES-256 where applicable. Credentials, API keys, and other sensitive secrets are stored in encrypted password management systems with strict access controls.

2. Payment processing

Social Anchor uses Stripe as our payment processor for all USD transactions. Stripe is certified to PCI Service Provider Level 1, the highest level of certification available in the payments industry.

Card information is collected by Stripe directly through their secure infrastructure and never touches Social Anchor's systems. We do not store, process, or transmit full credit card numbers, full bank account numbers, or full Social Security numbers.

We retain only the minimum payment metadata needed for accounting and reconciliation (date, amount, last four digits of card, invoice number, Stripe transaction ID).

Stripe's security overview is available at stripe.com/security.

3. Data storage

Client data, including brand assets and project files, is stored on enterprise-grade cloud infrastructure with the following protections:

• Encryption at rest
• Encrypted transmission to and from storage
• Access logs and audit trails
• Regular backup and redundancy
• Geographic redundancy where supported by the provider

We use vetted cloud storage providers, including Google Workspace and pCloud, each of which maintains its own SOC 2 and ISO 27001 certifications.

4. Access controls

Access to client data is granted on a need-to-know basis to authorized team members only:

• Role-based access control on all internal systems
• Multi-factor authentication required on all administrative and email accounts
• Background checks on team members where appropriate to the role
• Confidentiality and acceptable-use obligations in place for every team member and contractor
• Immediate revocation of access when a team member's role changes or ends

5. Credential management

When clients grant us access to their social media accounts or other systems, we manage those credentials with the following safeguards:

• Credentials are stored in an enterprise password management system with end-to-end encryption
• Credentials are accessed only by authorized team members for legitimate work
• We use platform-native delegated access (such as Meta Business Suite roles) wherever supported, rather than sharing primary account passwords
• Sensitive credentials are never transmitted by unsecured channels such as plain email or text

6. Service providers

We work with third-party service providers that may handle data on our behalf. Each is vetted for security posture, contractually obligated to maintain appropriate safeguards, and required to comply with applicable law. Our major providers include:

• Stripe, Inc.: payment processing (PCI Service Provider Level 1)
• Google LLC (Google Workspace): email, calendar, file storage (SOC 2, ISO 27001)
• pCloud AG: video file storage (TLS, AES-256)
• Slack Technologies, LLC: internal team communication (SOC 2, ISO 27001)
• Calendly LLC: scheduling (SOC 2)
• Netlify, Inc.: website hosting (SOC 2)

A full list of our service providers and their security certifications is available on request.

7. Compliance

Social Anchor maintains compliance with applicable laws and industry standards relevant to our services, including:

• PCI DSS: through our use of Stripe, which is PCI Service Provider Level 1 certified. We do not handle full card data directly.
• CCPA / CPRA: California residents' rights are described in our Privacy Policy.
• GDPR / UK GDPR: EU and UK residents' rights are described in our Privacy Policy.
• Platform terms of service: we operate within the terms of service of every platform we publish on.

We review our practices regularly and update them as standards, regulations, and threats evolve.

8. Incident response

We maintain a documented incident response plan covering:

• Detection and triage of suspected security events
• Containment and remediation procedures
• Internal escalation paths
• Notification of affected clients in accordance with applicable law and contractual obligations
• Post-incident review and process improvement

In the event of a security incident that affects your data, we will notify you without undue delay and provide the information needed to assess the impact, as required by applicable law.

9. Reporting a security issue

If you discover a vulnerability, suspect a security issue with our systems, or want to report a concern, please contact us directly. We take every report seriously.

We aim to acknowledge security reports within two business days and provide an initial assessment within five business days.