1. Security Overview
At Rawwij, security is not an afterthought — it is foundational to everything we build. As a social media management platform, we understand that you trust us with access to your social media accounts and sensitive business data. We take that responsibility seriously.
This page describes the security measures, practices, and infrastructure we employ to protect your data, your connected social media accounts, and your privacy.
We follow industry best practices and continuously improve our security posture. If you have any security-related questions, please contact us at privacy@rawwij.com.
2. Data Encryption
All data is encrypted both in transit and at rest to ensure maximum protection.
Encryption in Transit:
• All connections to Rawwij use TLS 1.2 or higher (TLS 1.3 preferred)
• HTTPS is enforced across all endpoints — HTTP requests are automatically redirected
• API communications with social media platforms (Meta, X, TikTok, etc.) use encrypted channels
• Webhook payloads are validated using platform-specific signature verification
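As an added illustration of the webhook signature check listed above (example code, not Rawwij's own), this Python function validates a Meta-style X-Hub-Signature-256 header by recomputing HMAC-SHA256 over the raw request body with the app secret and comparing in constant time; the secret and payload are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

HEX_CHARS = set("0123456789abcdef")

def verify_meta_webhook(raw_body: bytes, signature_header: Optional[str], app_secret: str) -> bool:
    """Return True only if the delivery is authentically signed with app_secret.

    Meta-style webhooks send 'X-Hub-Signature-256: sha256=<hex>' where <hex> is
    HMAC-SHA256 over the exact raw request bytes. Verify against the raw body,
    never a re-serialized JSON object, or genuine deliveries will fail to match.
    """
    if not signature_header:
        return False                                   # unsigned delivery: reject
    scheme, _, received_hex = signature_header.partition("=")
    received_hex = received_hex.lower()
    if scheme != "sha256" or len(received_hex) != 64 or set(received_hex) - HEX_CHARS:
        return False                                   # unknown scheme or malformed digest
    expected_hex = hmac.new(app_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain '==' leaks how many leading bytes matched.
    return hmac.compare_digest(expected_hex, received_hex)

def sign_like_platform(raw_body: bytes, app_secret: str) -> str:
    """Build the header value a platform would send; used here only to exercise the verifier."""
    return "sha256=" + hmac.new(app_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()

# Constructed sample values (not real credentials or traffic).
SAMPLE_SECRET = "example-app-secret-not-real"
SAMPLE_BODY = b'{"object":"page","entry":[{"id":"0","time":0,"changes":[]}]}'

def demo() -> dict:
    """Exercise the accept path and the reject paths a handler must cover."""
    good = sign_like_platform(SAMPLE_BODY, SAMPLE_SECRET)
    return {
        "genuine": verify_meta_webhook(SAMPLE_BODY, good, SAMPLE_SECRET),
        "tampered_body": verify_meta_webhook(SAMPLE_BODY + b" ", good, SAMPLE_SECRET),
        "missing_header": verify_meta_webhook(SAMPLE_BODY, None, SAMPLE_SECRET),
        "wrong_scheme": verify_meta_webhook(SAMPLE_BODY, "sha1=" + good[7:], SAMPLE_SECRET),
        "wrong_secret": verify_meta_webhook(SAMPLE_BODY, good, "some-other-secret"),
    }
```

Run the check before any JSON parsing or side effects, and read the body as bytes once so the same bytes are used for both verification and processing.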
Encryption at Rest:
• All database data is encrypted at rest using AES-256 encryption
• OAuth tokens and refresh tokens are encrypted before storage using application-level encryption
• File uploads and media assets are stored in encrypted storage buckets
• Database backups are encrypted using the same AES-256 standard
• Encryption keys are managed through a secure key management system and rotated regularly
3. Authentication & Access Control
We implement multiple layers of authentication and strict access control to protect your account.
User Authentication:
• Passwords are hashed using bcrypt with unique salts — we never store plaintext passwords
• Two-Factor Authentication (2FA) is supported via TOTP-based authenticator apps (Google Authenticator, Authy, etc.)
• Session tokens are signed, time-limited, and automatically expire after periods of inactivity
• Brute-force protection: accounts are temporarily locked after repeated failed login attempts
• Secure password reset flows with time-limited, single-use tokens
Access Control:
• Role-Based Access Control (RBAC) is enforced across all team features — Owner, Admin, Editor, Viewer roles
• Row-Level Security (RLS) policies are enforced at the database level, ensuring users can only access their own data
• API keys and tokens follow the principle of least privilege
• Team invitations require email verification and explicit acceptance
4. OAuth & Social Media Account Security
Since Rawwij connects to your social media accounts, we take extra precautions to secure these integrations.
OAuth 2.0 Protocol:
• All social media connections use the industry-standard OAuth 2.0 authorization framework
• We NEVER have access to your social media passwords — authentication is handled entirely by each platform
• We request only the minimum permissions (scopes) required for the features you use
• You can revoke Rawwij's access at any time from your social media platform settings or from within Rawwij
Token Security:
• OAuth access tokens and refresh tokens are encrypted at the application level before being stored in the database
• Tokens are refreshed automatically before expiry to maintain uninterrupted service
• When you disconnect a social media account, all associated tokens are immediately and permanently deleted
• Token refresh operations use exponential backoff with retry limits to prevent abuse
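An added example, not Rawwij's code, of the token-refresh policy in the bullets above: refresh ahead of expiry, retry transient platform failures with capped, jittered exponential backoff up to a fixed attempt limit, and stop immediately when the platform reports the grant as revoked. The OAuthToken dataclass, the exception classes and the injected refresh callable are assumptions for the demo.

```python
import random
import time
from dataclasses import dataclass
from typing import Callable

@dataclass
class OAuthToken:
    access_token: str
    refresh_token: str
    expires_at: float   # Unix time

class TransientError(Exception):
    """Network error or 5xx/429 from the platform: safe to retry after a delay."""

class RevokedGrant(Exception):
    """Platform answered invalid_grant: the user revoked access; never retry."""

class RefreshGaveUp(Exception):
    """Retry limit reached; the scheduler should alert rather than keep hammering."""

def needs_refresh(tok: OAuthToken, now: float, margin_s: int = 300) -> bool:
    # Refresh ahead of expiry so a scheduled post never runs with a dead token.
    return now >= tok.expires_at - margin_s

def refresh_with_backoff(tok: OAuthToken, do_refresh: Callable[[str], OAuthToken], *,
                         max_attempts: int = 5, base_s: float = 1.0, cap_s: float = 60.0,
                         sleep=time.sleep, rng=random.random) -> OAuthToken:
    delay = base_s
    for attempt in range(1, max_attempts + 1):
        try:
            return do_refresh(tok.refresh_token)
        except RevokedGrant:
            raise                                   # retrying a revoked grant only looks like abuse
        except TransientError:
            if attempt == max_attempts:
                raise RefreshGaveUp(f"refresh failed after {attempt} attempts")
            sleep(min(cap_s, delay) * (0.5 + rng()))  # jitter in [0.5, 1.5) x capped delay
            delay *= 2
    raise RefreshGaveUp("unreachable")

def attempt_refresh(tok: OAuthToken, do_refresh, **kw) -> str:
    """Map the outcome to the action the account scheduler takes (constructed helper)."""
    try:
        refresh_with_backoff(tok, do_refresh, **kw)
        return "refreshed"
    except RevokedGrant:
        return "reconnect_required"   # prompt the user to re-authorize; do not keep retrying
    except RefreshGaveUp:
        return "retry_later"          # back off at the scheduler level and raise an alert

def make_flaky_refresher(fail_times: int) -> Callable[[str], OAuthToken]:
    """Constructed stand-in for the platform: fails fail_times times, then succeeds."""
    calls = {"n": 0}
    def do_refresh(refresh_token: str) -> OAuthToken:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise TransientError("503 from platform")
        return OAuthToken("new-access", "new-refresh", time.time() + 3600)
    return do_refresh
```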
Platform-Specific Security:
• Meta (Facebook/Instagram): We comply with Meta's Platform Terms and Data Use policies. App Review is completed for all requested permissions.
• X (Twitter): We follow X's Developer Agreement and OAuth 2.0 PKCE flow for enhanced security.
• TikTok: We comply with TikTok's Developer Terms of Service and use their official OAuth flow.
• YouTube: We use YouTube API Services and comply with Google's API Services User Data Policy. Users are bound by the YouTube Terms of Service.
• LinkedIn: We follow LinkedIn's API Terms of Use and Platform Guidelines.
• Snapchat: We comply with Snap's Developer Terms and use their official OAuth flow.
• Threads: We comply with Meta's Platform Terms for Threads API access.
• Telegram: We use the Telegram Bot API with securely stored bot tokens. Bots can only access channels and groups where they are explicitly added by the user.
5. Infrastructure Security
Our infrastructure is designed for security, reliability, and performance — especially for users in the MENA region.
Cloud Infrastructure:
• Rawwij is hosted on enterprise-grade cloud infrastructure with SOC 2 Type II and ISO 27001 certifications
• Database hosting is provided by Supabase, built on Amazon Web Services (AWS) with data isolation per project
• We use a Content Delivery Network (CDN) to serve static assets securely and efficiently worldwide
• All infrastructure components are regularly patched and updated
Network Security:
• Web Application Firewall (WAF) protects against common threats including SQL injection, XSS, and CSRF
• DDoS protection is enabled at the network and application layers
• Rate limiting is enforced on all API endpoints to prevent abuse
• Platform-specific rate limits are respected and managed with intelligent queuing
Environment Security:
• All secrets, API keys, and credentials are stored in environment variables — never in code repositories
• Development, staging, and production environments are fully separated
• Server access is restricted to authorized personnel only via SSH key-based authentication
• All infrastructure changes are logged and auditable
6. Data Protection & Backups
We implement comprehensive data protection measures to safeguard your content and analytics data.
Data Isolation:
• Each user's data is logically isolated using Row-Level Security (RLS) policies enforced at the database level
• Team workspaces are isolated — team members can only access resources within their authorized scope
• Connected social media account data is associated only with the authorizing user
Backups & Recovery:
• Automated database backups are performed daily with point-in-time recovery capability
• Backups are encrypted and stored in a geographically separate location
• Backup restoration is tested regularly to ensure data integrity
• Media files are stored with redundancy across multiple availability zones
Data Retention & Deletion:
• When you delete your account, all personal data is permanently removed within 30 days
• Social media tokens are deleted immediately upon account disconnection
• Analytics data can be exported before account deletion upon request
• We do not retain your data longer than necessary for the purposes described in our Privacy Policy
7. Monitoring & Incident Response
We maintain continuous monitoring and have established procedures for detecting and responding to security incidents.
Monitoring:
• Real-time monitoring of all critical systems, APIs, and services
• Automated alerting for unusual activity patterns, failed authentication attempts, and system anomalies
• Application and infrastructure logs are centralized and analyzed for security events
• Webhook delivery and social media API interactions are monitored for errors and anomalies
Incident Response:
• We maintain a documented incident response plan with defined roles and escalation procedures
• Security incidents are classified by severity and responded to within established SLA timeframes
• Critical vulnerabilities are addressed within 24 hours of discovery
• Affected users are notified promptly in accordance with applicable data protection laws
• Post-incident reviews are conducted to prevent recurrence
8. Compliance & Standards
Rawwij is committed to meeting industry security standards and regulatory requirements relevant to our users.
Standards & Frameworks:
• Our security practices are aligned with OWASP Top 10 guidelines for web application security
• We follow the principle of least privilege across all systems and access controls
• Regular security assessments and code reviews are conducted as part of our development process
Data Protection Regulations:
• We comply with applicable data protection regulations in the markets we serve
• For users in Kuwait and the GCC region, we adhere to local data protection requirements
• Data processing agreements are available for enterprise customers upon request
Platform Compliance:
• We maintain compliance with all connected social media platforms' developer policies and terms
• Regular reviews ensure our permission scopes and data handling practices remain compliant
• We participate in platform-specific security reviews as required (e.g., Meta App Review)
9. Responsible Disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities.
If you discover a security vulnerability in Rawwij, please report it to us responsibly:
How to Report:
• Email: privacy@rawwij.com
• Include a detailed description of the vulnerability, steps to reproduce, and potential impact
• Please allow us reasonable time to investigate and address the issue before public disclosure
Our Commitment:
• We will acknowledge your report within 48 hours
• We will provide regular updates on the status of the investigation
• We will not take legal action against researchers who report vulnerabilities in good faith
• We credit researchers (with permission) in our security acknowledgments
Out of Scope:
• Social engineering attacks against Rawwij employees or users
• Denial of service attacks
• Issues in third-party services or platforms
• Vulnerabilities already known to us or previously reported
10. Security Contact
If you have any questions, concerns, or reports related to security, please reach out to us:
• Security Team: privacy@rawwij.com
• General Support: support@rawwij.com
• Data Protection Inquiries: privacy@rawwij.com
For urgent security issues, please include "URGENT" in your email subject line.
We are committed to transparency and will keep this page updated as our security practices evolve.