Trust & Security at SkedCast
Because SkedCast holds the keys to your connected accounts, we design every layer to protect them. Here is how we handle security, privacy, compliance, and accessibility.
Security
Tenant isolation, an encrypted token vault, and defense in depth.
Privacy
Data minimization, your control over connected accounts, and clear rights.
Compliance
Platform developer policies, GDPR/CCPA, and our certification roadmap.
Accessibility
Built to WCAG 2.2 AA — keyboard, contrast, and assistive-tech friendly.
Security
The controls below summarize how we protect your data. They reflect the architecture documented in our internal security design.
Tenant isolation (RLS)
Every tenant-scoped table is protected by PostgreSQL row-level security keyed to your agency, enforced by a least-privilege database role that cannot bypass it — so data never crosses between tenants.
Encrypted token vault
We store OAuth access and refresh tokens — never your platform passwords. Tokens are sealed with AES-256-GCM under a KMS-managed key, decrypted only on the backend, and never logged or sent to the browser.
Encryption in transit & at rest
All connections use TLS 1.2+ (preferring 1.3) with HSTS, and data at rest — including the database and media storage — is encrypted.
Least-privilege access
Access follows least privilege with role-based controls and a separate, MFA-protected operator surface. Sensitive operator actions are gated and double-logged.
Audit logging
Security-relevant events — authentication, account connection, token refresh, role changes, and data export or deletion — are recorded in an append-only audit log keyed by tenant and correlation ID.
Hardened by design
OAuth follows RFC 9700 (PKCE, short-lived tokens, refresh rotation); inputs are validated and queries parameterized; uploads are scanned and stripped of metadata; and SSRF, IDOR, and CSRF defenses are built in.
How we handle your connected accounts
When you connect a social account, we complete the platform’s official OAuth flow and store the resulting access and refresh tokens — we never store or ask for your platform passwords. Tokens are encrypted with AES-256-GCM in a vault whose keys are managed by a cloud KMS, are decrypted only by our backend services, and are rotated and refreshed automatically. Disconnecting an account revokes and erases its stored tokens.
Privacy
We collect only what the product needs, use it only to provide the features you ask for, and put you in control.
SkedCast is the data processor for the content and connected-account data you bring; you remain in control of it. We do not sell personal data, we do not use your platform data for advertising or surveillance, and we retain it only as long as the feature needs it. You can disconnect any account at any time to revoke and erase its stored tokens, and request deletion of your account and all associated data.
- OAuth tokens only — never your platform passwords
- No selling of personal data; no ad targeting or surveillance use
- Data minimization — we keep only what the feature requires
- Self-service disconnect and a clear data-deletion path
For the full detail, see our Privacy Policy, Data Deletion page, and Sub-processors list.
Compliance
We build to certification-grade standards and comply with each connected platform’s developer policy.
SkedCast complies with the developer policy of every platform you connect — including the Google API Services Limited Use requirements for YouTube data — and supports GDPR and CCPA/CPRA rights for the data we process. Business and EU customers can request our Data Processing Addendum.
The following certifications are on our roadmap and are not yet in place:
In the meantime, our practices align with the OWASP Top 10 and ASVS Level 2, RFC 9700 for OAuth, and NIST SP 800-38D for encryption. See our Platform API Data Use & Compliance page and Data Processing Addendum.
Accessibility
SkedCast is built to be usable by everyone, targeting WCAG 2.2 AA across the product and this site.
Accessibility is a design requirement, not an afterthought. We build against WCAG 2.2 Level AA: full keyboard operability, visible focus indicators, semantic HTML and ARIA landmarks, sufficient color contrast, and status that is never conveyed by color alone. We support both light and dark themes and respect reduced-motion preferences.
- Keyboard-operable throughout, with a skip-to-content link and visible focus
- Semantic structure and ARIA landmarks for assistive technologies
- AA color contrast and status never signaled by color alone
- Light and dark themes, with reduced-motion support
Found an accessibility barrier? Email privacy@skedcast.com and we will work to fix it.
Responsible disclosure
If you believe you have found a security vulnerability, please report it to security@skedcast.com. We appreciate responsible disclosure: give us reasonable time to investigate and remediate before any public disclosure, and please do not access or modify data that is not yours while testing.
Security you can build a business on
Start a 14-day free trial and see how SkedCast protects every connected account.