Security & Privacy

Exactly where we are — what's built, what isn't, and what's next.

Medialyst is an early-stage product. This page tells you the truth about our security posture. We'd rather lose a deal than overclaim a control we haven't earned.

security@medialyst.ai
Last updated June 23, 2026

TL;DR

HTTPS everywhere, AES-256-GCM for connected credentials, hashed API tokens, per-org data scoping with Postgres RLS on sensitive tables, zero data retention across all AI providers, and Better Auth sessions.

No SOC 2 yet. No enforced MFA yet. No contractual data residency yet. SOC 2 Type 1 is planned when customer demand justifies the investment.

Talk to us at security@medialyst.ai before procurement — we'll meet you in the middle on most enterprise asks.

In place today

HTTPS everywhere; SSL database connections
AES-256-GCM encryption for connected credentials
Hashed API tokens — raw values never persisted
Per-org data scoping + Postgres RLS on sensitive tables
Zero data retention (ZDR) across all AI providers
No Medialyst-owned models trained on customer data

Not yet — and we'll say so

Enforced MFA / passkeys
SOC 2 / ISO 27001 certification
Contractual data residency / region pinning
Customer-facing audit-log export

01 · Data protection

Encryption

All customer traffic is served over HTTPS.
Database connections use SSL (sslmode=require on Supabase-style URLs).
Connected third-party API keys and OAuth tokens are encrypted at the application layer with AES-256-GCM using an application-managed master key.
Medialyst-issued public API keys and OAuth access tokens are stored as hashes — raw values are never persisted after issuance.
File access via S3-compatible storage uses short-lived signed URLs.

02 · Data protection

Tenant isolation

Customer data is scoped by organization. Sensitive application routes verify that the requesting user or API key belongs to the organization before returning or mutating data. Selected high-value tables also enforce Postgres row-level security as defense-in-depth.

We're actively tightening org-scoping coverage on the remaining routes and expanding RLS across more tables — see the roadmap below.

03 · Access & identity

Authentication

Better Auth for application authentication.
Magic-link and social login (Google, Microsoft).
Secure, HTTPS-only session cookies.
Organization owner/admin roles gate sensitive actions (API key management, billing, member changes).

04 · AI & data

AI providers

Product AI calls (campaign analysis, workflow automation, table operations, journalist/contact classification) route primarily through OpenRouter, which fronts models from Google, Anthropic, and OpenAI. Embeddings and a small set of internal tooling call OpenAI directly.

Zero data retention is enabled across all AI providers, and Medialyst does not train Medialyst-owned models on customer data.

What AI features may see

User prompts, campaign material, scraped company content, workflow rows, journalist names and publication context, contact values, and generated outreach.

Zero data retention is configured across every AI subprocessor — providers aren't retaining prompts or outputs beyond the live request. Need this reflected contractually (DPA, store: false attestations, or no-training terms)? We'll put it in writing during procurement.

05 · AI & data

PII

PII handled: user names and emails, organization metadata, journalist contact data, media-list/workflow data, connected-account metadata, email-send metadata, campaign content, and operational logs.

Some AI workflows process PII when it's part of the customer prompt, campaign material, or workflow row being analyzed. We redact selected sensitive tokens from operational logs; we don't run automatic PII redaction before every AI call.

06 · Governance

Data retention & deletion

Users and organization owners can initiate account or organization deletion. Org-scoped database records cascade on org deletion; user deletion removes the user from marketing audiences and cancels subscriptions.

Backup retention and vendor-side deletion windows vary by subprocessor and will be confirmed in writing for any customer that needs a specific guarantee in their contract.

07 · Governance

Audit logging

We log public API requests, OAuth token issuance, connected email-send events, workflow failures, and application errors — used for debugging, abuse investigation, and operational support. Customer-facing audit-log export isn't shipped yet.

The honest version

What we don't claim — yet

In order of customer-facing impact. If any of these are dealbreakers, email us before you start procurement so we can scope honestly.

No enforced MFA / passkeys. (Planned)
No SOC 2 / ISO 27001. Type 1 is the planned first step. (Planned)
No contractual data residency or region pinning. We can confirm current production regions on request. (On request)
No blanket “hard delete across all systems and backups” guarantee. (Scoped per deal)
No customer-facing audit-log export. (Planned)
No documented incident-response runbook published externally. (Planned)

Dealbreaker on this list? security@medialyst.ai

08 · Transparency

Subprocessors

Current as of June 23, 2026. Updated when we add or remove vendors.

Vendor | Purpose | Region
Vercel | Web hosting + serverless runtime | US (default)
Supabase / Postgres | Application database | Confirmed on request
Cloudflare R2 | File / object storage (S3-compatible) | Provider-managed
Trigger.dev | Background workflow orchestration | US
OpenRouter | AI model gateway (Anthropic, Google, OpenAI) | Provider-managed
OpenAI | Direct: embeddings on customer content | US
Stripe | Billing | US / EU
Loops | Product email | US
Resend | Transactional email | US
Sentry | Error monitoring | US / EU options
PostHog | Product analytics | US / EU options
Google Gmail API | Optional customer-connected sending | Customer-controlled
Microsoft Graph / Outlook | Optional customer-connected sending | Customer-controlled
Instantly, Reply.io | Optional customer-connected outreach | Provider-managed

09 · What's next

Roadmap

In rough priority order. We don't commit to dates here.

1. Enforced MFA / passkey support at the organization-policy level.
2. Finish org-scoping audit across remaining product routes; expand RLS.
3. Publish per-provider ZDR attestations and DPAs for download.
4. Publish region commitments for production database and storage.
5. Incident-response runbook + customer notification SLA.
6. Customer-facing audit-log export.
7. SOC 2 Type 1 readiness assessment.

10 · Disclosure

Reporting a vulnerability

Email security@medialyst.ai. Include:

Description of the issue
Affected URLs or accounts
Reproduction steps if available
Whether you believe customer data may be at risk

We respond within two business days.