Trust
Security
Security is foundational to RePilot. Here is how we protect your data and your customers.
Encryption at rest
All sensitive data, including API tokens and credentials, is encrypted with AES-256.
SOC 2 Type II
Infrastructure hosted on SOC 2 Type II certified cloud providers.
Audit logging
Every API action is logged with timestamps, IP addresses, and actor IDs.
TLS 1.3 in transit
All communications between client, server, and third-party APIs use TLS 1.3.
Application Security
All user passwords are hashed using bcrypt with adaptive work factors. Authentication tokens use short-lived JWTs with secure refresh token rotation. We implement rate limiting on all endpoints and CSRF protection on all state-changing operations. API keys are stored as hashed values; full keys are never stored in plaintext after creation.
Infrastructure
RePilot infrastructure runs on isolated virtual machines with network segmentation. Database access is restricted to application servers via private networking. We do not use shared database instances across customer tenants. Automated backups run every 6 hours with 30-day point-in-time recovery. Backup integrity is verified automatically.
Third-Party Integrations
Platform credentials (Meta, LinkedIn, Google) are stored encrypted using envelope encryption with customer-specific keys. Tokens are never logged. We request minimum necessary scopes for each integration. Webhook payloads are verified using HMAC-SHA256 signatures before processing.
Vulnerability Disclosure
We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, contact security@repilot.app with a detailed description. We commit to:
- Acknowledging receipt within 24 hours
- Providing a status update within 5 business days
- Notifying you when the issue is resolved
- Not pursuing legal action for good-faith disclosures
Incident Response
In the event of a security incident affecting customer data, we will notify affected users within 72 hours as required by GDPR. We maintain a documented incident response plan with quarterly drills.
Report a security issue
Found a vulnerability? We take all reports seriously and respond within 24 hours.
security@repilot.app