Security at Fervae
Last Updated: March 16, 2026
How we protect your accounts and data.
Our Commitment
We take the security of your social media accounts seriously. You’re trusting us with access to your platforms, and we don’t take that lightly. Here’s exactly how we protect your data.
Encryption
- All data transmitted between your browser and Fervae is encrypted using TLS (HTTPS).
- Platform authentication tokens — the keys that let us post on your behalf — are encrypted at rest using AES-256-GCM.
- Encryption keys are stored separately from the database, so tokens cannot be read from database access alone.
- We enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks.
Authentication & Access
- We support Google Sign-In and email-based authentication through WorkOS AuthKit — we never see or store your password.
- Social platform connections use OAuth 2.0 — you authorize access through each platform directly, and you can revoke access at any time.
- Session tokens are stored in secure, HttpOnly cookies that JavaScript cannot access.
- We never store OAuth tokens in browser-accessible session data.
Token Lifecycle
- When you connect a platform, tokens are encrypted before storage.
- Tokens are automatically refreshed before expiry to maintain your connection.
- When you disconnect a platform, we revoke the token with the platform AND delete it from our database.
- When you delete your account, all tokens for all connected platforms are revoked and deleted.
- We never store your social media passwords — only scoped OAuth tokens that you explicitly authorize.
API & Infrastructure Security
- All API endpoints require authentication.
- Rate limiting protects against brute force and abuse.
- CSRF (Cross-Site Request Forgery) protection is applied to all state-changing requests.
- Input is validated and sanitized on every endpoint.
- Content Security Policy (CSP) headers prevent code injection.
- Webhook signatures are cryptographically verified before processing.
Data Isolation
- Each workspace’s data is completely isolated — you can never access another workspace’s data.
- Brand-level permissions ensure team members only see what they’re assigned to.
- Media files are stored on Cloudflare’s global network with workspace-scoped access.
Data Residency & Backup
- Application data is stored in the United States (US-East) on Neon’s managed PostgreSQL infrastructure.
- Media files (images, videos) are stored on Cloudflare R2 with global edge delivery.
- Database backups are maintained with point-in-time recovery, so your data can be restored in the event of an incident.
- All infrastructure providers maintain their own SOC 2 and/or ISO 27001 certifications.
Team & Enterprise Features
- Single Sign-On (SSO) — Fervae supports SSO through WorkOS, enabling teams to authenticate with their company’s identity provider (Google Workspace, Okta, Azure AD, and more).
- Role-based access control — Workspace owners, admins, and members have distinct permission levels. Members can only access brands they’re assigned to.
- Post approval workflows — Team members can draft content that requires approval before publishing, preventing unauthorized posts to connected platforms.
Employee Access
Access to production systems and user data is strictly limited. Only the founder has direct access to infrastructure and databases. We do not employ third-party contractors with access to user data. We are building formal access review policies and access logging as part of our security roadmap.
Incident Response
In the event of a security breach that affects your data, we will notify impacted users by email within 72 hours of confirming the breach, in accordance with GDPR and CCPA requirements. Our notification will include what happened, what data was affected, and what steps we’re taking to address it.
What We Don’t Do
- We don’t sell your data — ever.
- We don’t use advertising cookies or tracking pixels.
- We don’t store your passwords.
- We don’t send your tokens to third parties.
- We don’t log sensitive data like tokens or credentials.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@fervae.com. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before public disclosure.
Questions?
For security inquiries, contact us at security@fervae.com.
For general questions, reach us at hello@fervae.com.