Trust & Security
We take the security of your data, credentials, and content seriously. Here is a plain-language overview of how we protect you.
Ghostpen runs on Supabase (SOC 2 Type II certified) for data storage and auth, and Vercel's global edge network for the application layer. Neither provider sells your data or uses it for advertising.
All connections are encrypted with TLS 1.2 or higher — in transit, always. Data stored in Supabase is encrypted at rest using AES-256. There is no path to your data that bypasses encryption.
Platform OAuth tokens (Twitter/X, LinkedIn, etc.) you connect are stored encrypted in Supabase. Row Level Security (RLS) policies ensure you can only ever access your own tokens — not other users'. The Supabase service-role key is restricted to server-side code only and is never exposed to the browser.
User accounts use Supabase Auth. Passwords are hashed with bcrypt and never stored in plaintext. Platform connections use OAuth 2.0 with PKCE for supported providers, minimising token interception risk.
We apply the principle of least privilege throughout. RLS policies are enabled on every table. Internal team access to production data requires MFA and is logged. We do not share or sell access to your data with third parties.
Your drafts, posts, and brand voice data are processed solely to deliver the product to you. We do not use your content to train AI models, and we do not share it with AI providers beyond the minimum necessary to process your requests. Our AI providers operate under Data Processing Agreements (DPAs).
Ghostpen is a paid subscription product. Our business model is selling software, not data. We have never sold user data and have no plans to change that.
Found a vulnerability? We appreciate responsible disclosure. Please contact [email protected] with details. We aim to acknowledge reports within 48 hours and resolve confirmed issues within 30 days. We ask you to give us the opportunity to fix the issue before public disclosure.
Security researchers and users alike: if you discover a potential security issue, please email us privately before going public. We take all reports seriously and will work with you to resolve them quickly.
[email protected]
This page was last updated January 2026. Questions? [email protected]