Our commitment to security
Vloxo is designed to support business-critical app distribution workflows, and security is a core part of how we build and operate the platform. We aim to protect customer data, connected account credentials, and service availability through layered technical and organisational controls.
Encryption
Data transmitted between users, browsers, APIs, and infrastructure is encrypted in transit using TLS. Data stored within our managed systems is protected at rest using industry-standard encryption approaches, including AES-256 where supported by our infrastructure providers.
Authentication
Vloxo uses Supabase Auth for account authentication and OAuth 2.0 flows for supported social platform integrations. Authentication tokens are handled with care and are subject to role-based and application-level controls.
Access controls and row level security
We apply least-privilege principles to internal access and use logical separation controls such as row level security where appropriate to help ensure customers only access their own data. Administrative access is restricted to authorised personnel with a business need.
Social account token handling
Connected social account tokens are stored server-side only and are never intentionally exposed to the client. We use those credentials solely for authorised features such as publishing, syncing, or retrieving account data needed to provide the service.
Third-party security
Vloxo relies on trusted providers including Supabase, Stripe, and Netlify for parts of its infrastructure and operations. Each provider operates its own security controls and compliance posture. We evaluate provider suitability as part of our vendor review process, but customers should understand that third-party services remain subject to their own availability and security practices.
Vulnerability disclosure
If you believe you have discovered a security issue, please report it responsibly to security@vloxo.io. Please include enough detail for us to investigate and validate the report. We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to assess and address them.
Incident response
We maintain incident response procedures designed to identify, contain, assess, and remediate security incidents. Where required by law or contract, we will notify affected customers or authorities of qualifying incidents within applicable timeframes.
Regular security reviews
We periodically review our application architecture, infrastructure configuration, access controls, and operational practices to improve security over time. This includes code review, dependency maintenance, platform updates, and process improvements appropriate to a growing B2B SaaS environment.