Does SocialScalr ever see my LinkedIn password?

No. SocialScalr runs as a Chrome extension inside your own browser session. Your LinkedIn login stays in your browser cookies, never leaves your device, and is never transmitted to SocialScalr servers. We do not have your LinkedIn credentials and could not log into your account if we wanted to.

Is SocialScalr GDPR compliant?

Yes. Customer data lives in Supabase Postgres on AWS US-East with a signed DPA available on request. We honor all GDPR rights: access, rectification, erasure, portability, restriction, and objection. Email privacy@socialscalr.com to request a data export or full account deletion - both completed within 30 days.

Where is my data stored?

Customer application data lives in Supabase Postgres on AWS US-East-2. Static assets and the dashboard ship from Cloudflare Pages globally. Recurring billing data is held by Square; we never store raw card numbers. All transit is TLS 1.2+. At-rest data is encrypted by AWS KMS (AES-256).

Does SocialScalr have a bug bounty program?

Yes. Email security@socialscalr.com with details and a proof-of-concept. We pay $50 for low-severity issues, $250 for medium, $1,000 for high, and $5,000 for critical (account takeover, data exfiltration, privilege escalation). First reporter for each unique issue wins.

Home › Security

SocialScalr security and trust

Outbound LinkedIn activity is sensitive. The wrong tool can leak your LinkedIn cookie, your lead list, or your customer pipeline. Here is how SocialScalr is built so it doesn't.

By Mark Gabrielli · Last reviewed May 24, 2026 · Contact: [email protected]

Transit

TLS 1.2+

All traffic between the browser, dashboard, API, and database is encrypted in transit.

At rest

AES-256 (AWS KMS)

Postgres storage volumes and S3 buckets are encrypted at rest with AWS-managed keys.

Auth

Supabase + TOTP 2FA

Industry-standard JWT auth; optional time-based one-time-password 2FA per user.

Authz

Postgres RLS

Row-level security policies in Postgres ensure users can only read their own rows.

Backups

Daily + PITR

Daily snapshots plus point-in-time recovery up to 7 days for paid plans.

Card data

Never stored

Square holds tokenized card data; SocialScalr never sees raw PANs.

LinkedIn creds

Never seen

Chrome extension runs inside your browser session; your LinkedIn cookie never leaves your device.

Bug bounty

$50 - $5,000

Tiered payouts for responsibly disclosed vulnerabilities.

Architecture in one paragraph

The dashboard is static HTML/JS served from Cloudflare Pages. API requests hit Cloudflare Pages Functions, which authenticate the Supabase JWT and call Postgres directly. Postgres enforces row-level-security policies that scope every row to its owning user or team. The Chrome extension runs inside the user's own LinkedIn browser session: it requests jobs from our API (authenticated with a user-specific API token), then performs the LinkedIn click/scroll/type inside the user's tab using DOM events. Your LinkedIn session cookie is never transmitted to SocialScalr.

What we store, what we don't

Data type	Stored?	Where
Account email, hashed password	Yes	Supabase Auth (bcrypt-hashed, salted)
LinkedIn URLs of your leads	Yes	Supabase Postgres (RLS-scoped)
Connection note text and message text you sent	Yes	Supabase Postgres
Your LinkedIn password	No	Never collected
Your LinkedIn session cookie	No	Stays in your browser only
Raw card numbers (PANs)	No	Tokenized by Square
Card last-4 + brand + expiry	Yes	Supabase Postgres (for receipts)
IP address of dashboard logins	14 days	Supabase Auth logs (for fraud detection)
Server logs of API calls	30 days	Cloudflare Workers logs
Database backups	30 days	AWS S3, encrypted

Row-level security (the most important table in this doc)

Every table holding customer data has a Postgres RLS policy. The shape is:

CREATE POLICY "owner_only_select" ON leads
  FOR SELECT
  USING (owner_id = auth.uid());

CREATE POLICY "owner_only_modify" ON leads
  FOR ALL
  USING  (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

This means a SQL injection or a bug in our API code cannot leak data across customer accounts. Postgres itself refuses to return rows that don't match the requesting JWT's sub claim. Team-shared tables use a parallel team_member() security definer function.

Backups and disaster recovery

Daily logical backups of the entire Postgres database to an encrypted S3 bucket in a different AWS region (US-West).
Point-in-time recovery (PITR) up to 7 days for paid plans, via Supabase's continuous WAL streaming.
Restore time objective (RTO): under 60 minutes for full database restore.
Recovery point objective (RPO): under 5 minutes for paid plans, under 24 hours for free.
Soft-delete: rows you "delete" in the UI are flagged deleted_at and recoverable for 30 days, then permanently purged.

The Chrome extension - what it can and can't do

The extension manifest requests only the permissions it needs:

activeTab + scripting on linkedin.com and salesnavigator.com. Required to read the DOM and dispatch clicks.
storage. Used to cache the API token locally so we don't re-fetch it every page navigation.
cookies. NOT requested. We never read your LinkedIn cookie.
history / tabs / downloads. NOT requested.

Source code of the extension is reviewed by the Chrome Web Store team on every submission and the manifest is public at chrome://extensions for any user to audit.

Account security features

TOTP 2FA available on all plans. Use any standard authenticator (Google Authenticator, Authy, 1Password, Bitwarden).
Audit log: every privileged action (login, password change, API token rotation, payment update, team-member add/remove) is logged for the account owner to review under Settings → Audit log.
API token rotation: self-serve in the dashboard. Old tokens revoke immediately.
Session timeout: dashboard sessions expire after 30 days of inactivity. Hard logout endpoint available.
Team roles: Owner, Admin, Member. Members cannot see billing or remove other users.

GDPR and data rights

SocialScalr is operated by WETYR Corp, a US-registered entity. We are the data controller for account data and the data processor for outreach contact data you upload.

Access: request a full JSON export of your data at any time via Settings → Export, or email [email protected]. Delivered within 30 days; usually within 24 hours.
Rectification: edit any field in the dashboard yourself, or email us.
Erasure (right to be forgotten): cancel + delete your account from Settings → Danger zone, or email [email protected]. We hard-delete within 30 days (the 30-day soft-delete window is a safety net; you can also request immediate purge).
Portability: data export is JSON + CSV, importable into HubSpot, Salesforce, Notion, Airtable, etc.
Restriction / objection: pause processing or restrict specific data types by email.
DPA (Data Processing Agreement): available on request to [email protected]. Pre-signed PDF based on the EU SCCs.

Sub-processors

SocialScalr uses these sub-processors to run the service. Full list, kept current:

Sub-processor	Purpose	Region
Supabase	Postgres database + Auth	AWS US-East-2
Cloudflare	Pages hosting + DDoS + WAF	Global edge
Square	Card processing + recurring billing	US
Resend	Transactional email (receipts, invites)	US
AWS	Backup storage (S3)	US-West-2

Each is bound by a Data Processing Agreement. We notify customers at least 30 days before adding a new sub-processor.

Bug bounty

Responsible disclosure to [email protected]. Encrypt sensitive details with the PGP key at /security/pgp.asc if you prefer.

Severity	Examples	Bounty
Critical	Account takeover without user interaction, mass data exfiltration, RCE	$5,000
High	Authenticated cross-tenant data access, privilege escalation, stored XSS in dashboard	$1,000
Medium	Reflected XSS, CSRF on non-trivial action, SSRF, broken access control on a non-critical endpoint	$250
Low	Information disclosure with no PII, missing security header, weak rate-limit	$50

Scope: socialscalr.com, *.socialscalr.com, the Chrome extension (any version on the Web Store), and the public REST API. Out of scope: third-party services (LinkedIn, Square, Supabase - report those upstream), self-XSS, DoS via volumetric attack, social engineering of staff.

Rules: first reporter for each unique issue wins. Don't access, modify, or exfiltrate data you don't own. Don't run scanners that generate >100 req/sec. Don't publicly disclose before we've fixed and you've gotten an OK.

Incident response

If we detect or are notified of a security incident affecting customer data:

Containment within 1 hour (revoke tokens, rotate keys, isolate the affected component).
Initial impact assessment within 24 hours.
Affected customers notified by email within 72 hours, with what we know and the steps we're taking.
Public post-mortem within 14 days, posted to status page + this page.

To date, we have had zero known security incidents affecting customer data.

Compliance roadmap

Honest about where we are. SOC 2 Type II is on the roadmap for Q4 2026 once the team is large enough to support the audit cadence. We're not pursuing ISO 27001 or HIPAA - LinkedIn outreach data is not PHI and our customers are not regulated entities for this workflow. If you're an enterprise buyer with specific certification requirements, talk to us early: [email protected].

← Privacy policy Help center →