Security
How we protect your data.
Infrastructure
Selda runs on EU-based infrastructure using SOC 2 compliant providers. Our primary backend (Convex) and database are hosted in the EU. All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
Authentication
User authentication is handled by Clerk, an enterprise-grade identity provider. We support email/password, Google SSO, and other OAuth providers. Passwords are never stored by Selda directly. Session tokens are short-lived and rotated automatically.
OAuth and social connections
When you connect social accounts (LinkedIn, Reddit, Discord), the OAuth flow is handled by our provider partner. We never see or store your social media passwords. Connection tokens are stored encrypted. OAuth state tokens used during the connect flow are single-use, expire after 15 minutes, and are validated server-side.
Data access
Access to production data is restricted to essential personnel only. All access is logged and auditable. We follow the principle of least privilege for all internal systems.
Email security
All outbound email sent through Selda implements SPF, DKIM, and DMARC authentication. Custom sending domains go through DNS verification and warmup before use. We monitor deliverability and automatically detect potential abuse patterns.
API security
All API endpoints require authentication. Sensitive operations (social account connections, campaign launches, data deletion) require verified user identity. We use server-side state validation for all OAuth flows to prevent CSRF and token replay attacks.
AI and data processing
AI-powered features (business analysis, market research, message generation) use Claude (Anthropic) and web search. Data sent to AI providers is processed according to their enterprise data policies and is not used to train models. We minimize the data sent to AI services to what is necessary for each operation.
Vulnerability reporting
Found a vulnerability? Email security@selda.ai. We take all reports seriously and respond within 48 hours. We appreciate responsible disclosure and will not take legal action against good-faith security researchers.