Compliance & certifications
Our most recent SOC 2 report is available under NDA — request it at security@subportly.com.
How we protect your data
Encryption at rest
All data is encrypted with AES-256. OAuth tokens are stored in a separate encrypted vault with rotating keys.
Encryption in transit
TLS 1.3 everywhere. Strict HSTS. We do not accept connections over older protocols.
Region pinning
Pick US or EU at signup. Your data — including backups — never leaves that region.
Least-privilege access
Engineers access production only through audited, time-bounded sessions. All access is logged.
Backups
Daily encrypted backups, 30-day retention. Quarterly restore drills.
Vulnerability management
Continuous dependency scanning, monthly external penetration tests, and a bug bounty program (currently invite-only; see the disclaimer below).
Reddit OAuth tokens
This is the question Enterprise buyers ask first, so here’s the full answer.
When you connect a Reddit account, Reddit issues us an OAuth refresh token. We:
- Store the token in an isolated, encrypted secrets store (AWS KMS-backed)
- Never log the token, never include it in error reports, never share it across workspaces
- Use it only for the API endpoints needed to fetch your messages and let you reply
- Revoke it immediately when you disconnect the account, and verify revocation server-side
We do not hold the underlying Reddit password. We can’t impersonate you outside the OAuth scopes you granted. If Reddit invalidates a token, the account simply disconnects — we have no way to re-authenticate without you.
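The token handling above, as an added example (not Subportly's code): a logging filter that keeps refresh and access tokens out of log lines and error reports, and a disconnect routine that revokes the refresh token and then verifies server-side that Reddit rejects it. It assumes Reddit's public OAuth endpoints (https://www.reddit.com/api/v1/revoke_token and https://www.reddit.com/api/v1/access_token), placeholder client credentials, and a constructed FakeReddit transport so that it runs offline.

```python
"""Reddit OAuth refresh-token hygiene: keep tokens out of logs, and on disconnect
revoke the token and verify server-side that Reddit no longer honours it.
Added example, not Subportly's code. The URLs are Reddit's public OAuth endpoints;
the HTTP transport is injected so this runs offline against a constructed
FakeReddit, and the client credentials used below are placeholders."""
import logging
import re
from typing import Callable

REVOKE_URL = "https://www.reddit.com/api/v1/revoke_token"  # RFC 7009 revocation endpoint
TOKEN_URL = "https://www.reddit.com/api/v1/access_token"   # RFC 6749 token endpoint

# Token-bearing fields as they show up in form bodies, JSON, or Authorization headers.
_TOKEN_FIELD = re.compile(
    r'((?:refresh_token|access_token)["\']?\s*[:=]\s*["\']?)([^\s&"\',}]+)', re.IGNORECASE)
_BEARER = re.compile(r'(Bearer\s+)([^\s"\']+)', re.IGNORECASE)


def redact(text: str) -> str:
    """Replace token values with a marker; the field name stays so the log is still readable."""
    return _BEARER.sub(r"\1[REDACTED]", _TOKEN_FIELD.sub(r"\1[REDACTED]", text))


def _scrub(value):
    return redact(value) if isinstance(value, str) else value


class TokenRedactingFilter(logging.Filter):
    """Scrub the format string and every string argument, so that even a careless
    log.error("refresh failed: %s", response_body) cannot leak a token."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: _scrub(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(_scrub(a) for a in record.args)
        return True


def render_log_line(msg: str, *args) -> str:
    """Format one log call the way a handler carrying TokenRedactingFilter would emit it."""
    record = logging.LogRecord("subportly", logging.ERROR, __file__, 0, msg, args or None, None)
    TokenRedactingFilter().filter(record)
    return record.getMessage()


# Transport signature: post(url, (client_id, client_secret), form) -> (status, json_body)
Post = Callable[[str, tuple, dict], tuple]


class RevocationFailed(Exception):
    """Raised when Reddit still honours a token after we asked for revocation."""


def revoke_and_verify(post: Post, client_id: str, client_secret: str, refresh_token: str) -> bool:
    """Revoke the refresh token, then prove it is dead by trying to redeem it.

    The only acceptable verification outcome is a rejection (RFC 6749 section 5.2:
    400 invalid_grant for a revoked refresh token). Anything else raises, because a
    disconnect that silently leaves a live token is exactly the failure this check exists for."""
    auth = (client_id, client_secret)
    status, _ = post(REVOKE_URL, auth, {"token": refresh_token, "token_type_hint": "refresh_token"})
    if status not in (200, 204):
        raise RevocationFailed(f"revoke endpoint returned HTTP {status}")

    status, body = post(TOKEN_URL, auth, {"grant_type": "refresh_token", "refresh_token": refresh_token})
    if status == 200 and "access_token" in body:
        # Verification just minted a live access token: revoke that too, then fail loudly.
        post(REVOKE_URL, auth, {"token": body["access_token"], "token_type_hint": "access_token"})
        raise RevocationFailed("refresh token still accepted after revocation")
    if status == 400 and body.get("error") == "invalid_grant":
        return True
    raise RevocationFailed(f"unexpected verification response: HTTP {status} {body}")


class FakeReddit:
    """Constructed stand-in for Reddit's token server. honour_revocation=False models a
    revoke call that answers 204 without actually killing the token."""

    def __init__(self, live_refresh_tokens, honour_revocation=True):
        self.live = set(live_refresh_tokens)
        self.honour_revocation = honour_revocation
        self.requests = []

    def post(self, url, auth, form):
        self.requests.append((url, dict(form)))
        if url == REVOKE_URL:
            if self.honour_revocation:
                self.live.discard(form["token"])
            return 204, {}
        if url == TOKEN_URL and form.get("refresh_token") in self.live:
            return 200, {"access_token": "at-" + form["refresh_token"], "token_type": "bearer"}
        if url == TOKEN_URL:
            return 400, {"error": "invalid_grant"}
        return 404, {}


if __name__ == "__main__":
    print(render_log_line("refresh failed: %s", '{"refresh_token": "rt-leaky", "error": "x"}'))
    reddit = FakeReddit(["rt-live"])
    print("revoked and verified:", revoke_and_verify(reddit.post, "client-id", "client-secret", "rt-live"))
```

The verification step is what earns the word "verify": a revoke call that returns 204 proves only that the request was accepted, so the routine redeems the refresh token once more and treats anything but an invalid_grant rejection as a failed disconnect that should alert, not as a row to delete quietly. If the redemption unexpectedly succeeds, the freshly minted access token is revoked before the error is raised, so the check never leaves behind more live credentials than it found.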
Authentication
Email + password with optional TOTP. SAML SSO (Okta, Azure AD, Google Workspace, generic SAML 2.0) on Enterprise. Session tokens rotate every 24 hours. Failed-login throttling with exponential backoff.
Audit logs
Every meaningful action — connecting an account, sending a reply, inviting a teammate, exporting data — is recorded in an audit log retained per your retention policy. Enterprise customers can stream the log to their SIEM in real time (Splunk, Datadog, custom webhook).
Incident response
If we detect or suspect a breach affecting customer data, we’ll notify affected customers within 72 hours with what we know, what we’re doing, and what we recommend. We run quarterly tabletop exercises. Our incident playbook is reviewed annually with outside counsel.
Responsible disclosure
Found something? Email security@subportly.com. We respond within 24 hours, fix critical issues within 7 days, and publish post-mortems for incidents that affect customer data. We pay bounties up to $10,000 for high-severity findings.
The honest disclaimer
We’re an early-stage company. Some of what’s described above is in active rollout — SOC 2 Type II audit completes Q3 2026, ISO 27001 work is ongoing, and the bug bounty program is invite-only until then. We’d rather be honest about the timeline than ship a security page full of badges we haven’t earned.
For procurement reviews, vendor questionnaires, or anything else: security@subportly.com.