Security
Last Updated: April 6, 2026
1. How to Read This Page
This page describes the security controls Slokoto has in place today. It is meant to help customers evaluate the product and understand shared responsibilities. It does not create a service level agreement, security warranty, or separate contractual commitment.
Our legal terms are governed by the Terms of Service and Privacy Policy.
2. Infrastructure
Slokoto runs on Vercel (application hosting) and Supabase (managed PostgreSQL database and authentication). Both providers maintain SOC 2 Type II certification and encrypt data at rest and in transit. Billing is processed by Paddle, a PCI DSS Level 1 certified merchant of record.
- Application data is stored in a dedicated PostgreSQL instance on Supabase (AWS us-east-1).
- All connections use TLS 1.2 or higher. HSTS is enforced with a two-year preload policy.
- Database backups use Point-in-Time Recovery with continuous write-ahead log archival.
- Slokoto does not store payment card data. All payment processing is handled by Paddle.
3. Encryption
- At rest: All integration credentials (Gmail, Shopify, CTM) are encrypted with AES-256-GCM before storage. The database itself uses AWS-managed encryption at rest.
- In transit: All traffic between your browser and Slokoto, and between Slokoto and third-party services, is encrypted with TLS.
- API secrets: API client secrets are hashed with SHA-256 before storage and verified using constant-time comparison to prevent timing attacks.
- Key rotation: Encryption keys can be rotated without service interruption.
4. Authentication and Access Control
- Two-factor authentication: TOTP-based MFA is available for all accounts via standard authenticator apps.
- Password policy: Passwords must be at least 12 characters with mixed case, digits, and special characters.
- Session management: Sessions expire after 30 minutes of inactivity. Password changes automatically sign out all other sessions.
- Email verification: Email addresses must be verified before accessing workspace data.
- Role-based access: Workspaces support admin, manager, and rep roles with scoped permissions for team management, integrations, billing, and AI settings.
- Row-level security: Database access is enforced at the row level, ensuring workspace data is isolated even at the query layer.
5. Input Validation and API Security
- All API endpoints validate request bodies against typed schemas before processing.
- Public and webhook endpoints are rate-limited to prevent abuse.
- Webhook payloads are verified using HMAC-SHA256 signatures with timing-safe comparison.
- Server-side URL fetches pass through SSRF protections that block private network ranges and cloud metadata endpoints.
- Error responses return generic messages and never expose internal details, stack traces, or database errors.
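As an added illustration of the webhook and constant-time comparison controls described above (and the comparison rule in section 3), not code from Slokoto, the following Node/TypeScript snippet verifies an HMAC-SHA256 signature over the raw request body and returns a generic error on failure. The header name and the sample secret and body are constructed assumptions.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Assumed header name; the page does not name the header a given provider uses.
const SIGNATURE_HEADER = "x-webhook-signature";

// HMAC-SHA256 over the raw request body, hex-encoded, as the sender would compute it.
function signPayload(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Verify the signature over the RAW body, before any JSON parsing: re-serialising
// a parsed object can reorder keys or change whitespace and invalidate the MAC.
function verifyWebhookSignature(
  rawBody: string,
  headers: Record<string, string | undefined>,
  secret: string,
): boolean {
  const received = headers[SIGNATURE_HEADER];
  // Reject anything that is not exactly 32 hex bytes; this also guarantees the
  // equal lengths that timingSafeEqual requires (it throws on a length mismatch).
  if (typeof received !== "string" || !/^[0-9a-f]{64}$/i.test(received)) {
    return false;
  }
  const expected = Buffer.from(signPayload(rawBody, secret), "hex");
  const provided = Buffer.from(received, "hex");
  // Constant-time comparison: a partially matching value takes no longer to reject.
  return timingSafeEqual(expected, provided);
}

// Minimal handler shape: a failed check yields a generic error with no detail
// about which step failed, matching the error-response rule in this section.
function handleWebhook(
  rawBody: string,
  headers: Record<string, string | undefined>,
  secret: string,
): { status: number; body: unknown } {
  if (!verifyWebhookSignature(rawBody, headers, secret)) {
    return { status: 401, body: { error: "invalid request" } };
  }
  return { status: 200, body: JSON.parse(rawBody) };
}

// Constructed sample values for demonstration only.
const SAMPLE_SECRET = "whsec_constructed_example_secret";
const SAMPLE_BODY = JSON.stringify({ id: "order_123", total: "42.00" });
```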
6. Audit Logging
Slokoto maintains audit logs for privileged actions including team member changes, integration connections, API key lifecycle, and settings modifications. Audit entries record who performed the action, what changed, and when. Administrative audit logs use a tamper-evident hash chain to ensure integrity.
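To show what a tamper-evident hash chain over audit entries looks like in practice, here is an added TypeScript example that is not Slokoto's implementation: each entry's SHA-256 commits to the previous entry's hash, and a verifier reports the first broken link. The record fields and sample entries are constructed; the real schema is not given on the page.

```typescript
import { createHash } from "crypto";

// One audit record: who acted, what changed, when, plus the chain fields.
interface AuditEntry {
  seq: number;
  actor: string;
  action: string;
  at: string;        // ISO 8601 timestamp
  prevHash: string;  // hash of the preceding entry, GENESIS_HASH for the first
  hash: string;      // SHA-256 over prevHash and this entry's own fields
}

const GENESIS_HASH = "0".repeat(64);

// Canonical serialisation with a fixed field order, so an entry always hashes the same.
function entryDigest(e: Omit<AuditEntry, "hash">): string {
  const canonical = JSON.stringify([e.seq, e.actor, e.action, e.at, e.prevHash]);
  return createHash("sha256").update(canonical, "utf8").digest("hex");
}

// Append a record whose hash commits to everything before it.
function appendEntry(log: AuditEntry[], actor: string, action: string, at: string): AuditEntry {
  const prevHash = log.length > 0 ? log[log.length - 1].hash : GENESIS_HASH;
  const partial = { seq: log.length, actor, action, at, prevHash };
  const entry: AuditEntry = { ...partial, hash: entryDigest(partial) };
  log.push(entry);
  return entry;
}

// Index of the first entry whose hash or back-link does not check out, or -1 if intact.
// Editing a field, reordering, or deleting from the middle breaks a link; dropping
// entries from the tail does not, so the latest hash must be anchored elsewhere.
function firstBrokenLink(log: AuditEntry[]): number {
  for (let i = 0; i < log.length; i++) {
    const expectedPrev = i === 0 ? GENESIS_HASH : log[i - 1].hash;
    if (log[i].seq !== i || log[i].prevHash !== expectedPrev) return i;
    if (entryDigest(log[i]) !== log[i].hash) return i;
  }
  return -1;
}

// Constructed sample log covering the privileged actions the section lists.
function buildSampleLog(): AuditEntry[] {
  const log: AuditEntry[] = [];
  appendEntry(log, "admin@example.com", "team.member.added rep@example.com", "2026-04-01T09:00:00Z");
  appendEntry(log, "admin@example.com", "integration.connected shopify", "2026-04-01T09:05:00Z");
  appendEntry(log, "admin@example.com", "api_key.created", "2026-04-02T10:00:00Z");
  return log;
}
```

Because a chain alone cannot detect truncation of the most recent entries, the head hash needs to be recorded somewhere the database writer cannot alter, such as a periodic export to a separate store.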
7. Data Retention
Activity logs are retained for 365 days. Administrative audit logs are retained for 730 days. Automated retention policies enforce these limits. Customers can request data export or deletion in accordance with our Privacy Policy.
8. Monitoring and Incident Response
We operate automated anomaly detection that monitors for usage spikes, elevated error rates, and cost anomalies. Alerts are delivered in real time. We maintain a documented incident response process with severity-based response times and post-incident review procedures.
9. Secure Development
- All code changes go through CI that includes linting, type checking, automated tests, and security scanning.
- Static analysis (CodeQL) and secret detection (gitleaks) run on every push and pull request.
- Dependencies are automatically monitored for known vulnerabilities via Dependabot.
- Security-sensitive code paths require designated reviewer approval before merging.
10. OAuth and Integrations
When you connect third-party services like Gmail or Shopify, Slokoto uses OAuth 2.0 with PKCE for secure authorization. We request only the minimum scopes necessary for each integration. OAuth tokens are encrypted at rest and revoked at the provider when you disconnect an integration or delete your account.
11. Customer Responsibilities
- Use strong passwords and enable two-factor authentication.
- Review user access regularly and remove access that is no longer needed.
- Review the integrations you enable and the data you allow them to exchange.
- Do not upload data that you are not authorized to process through Slokoto.
12. Responsible Disclosure
If you believe you have identified a security issue, email us at security@slokoto.com with a clear description and reproduction steps. We acknowledge reports within 48 hours and aim to resolve confirmed issues within 5 business days. Please avoid public disclosure until we have had a reasonable opportunity to investigate and respond.
13. Contact
Slokoto Security Team
Security Reports: security@slokoto.com
General Support: support@slokoto.com