Product security and trust controls

Overview of security posture, account protections, and platform-level safeguards for your YouTube analytics data.

How TubeAnalytics protects channel data

OAuth tokens for every connected YouTube channel are encrypted at rest using AES-256-GCM, a symmetric authenticated cipher that provides both confidentiality and tamper detection. Tokens are decrypted in memory only at the moment an API call is issued, and raw key material never appears in logs or error traces.

The platform does not store video content, channel passwords, or Google account credentials. The only data retained from the OAuth flow is the access and refresh token pair, the YouTube channel ID, and the channel display name — the minimum set required to fetch analytics on the user's behalf.

This minimal data approach means that even in the event of a data breach, the exposed information is limited to token pairs that can be individually revoked. No viewer data, video metadata, or channel credentials are ever stored on TubeAnalytics infrastructure beyond what is strictly necessary for the analytics service to function.

Account security controls

Authentication is handled by Clerk, which provides session management, multi-factor authentication, and device-level session revocation. Users can view active sessions and sign out remotely from any device at any time through account settings.

API keys issued through the developer API are scoped per-organization and can be rotated or revoked independently without affecting other keys in the same account. Key rotation does not require re-authorization of connected YouTube channels.

Session management follows least-privilege principles: each session is tied to a specific device and browser, and sessions can be individually terminated from the account dashboard without logging out other active sessions. MFA enforcement is available for Enterprise accounts and recommended for any account with API key access.

  • AES-256-GCM encryption for all stored OAuth tokens
  • Clerk session management with MFA support
  • Per-key API access with independent revocation
  • HTTPS-only transport; no plaintext credential storage
  • GDPR-compliant data handling with documented deletion procedures
  • Session-level revocation without affecting other active sessions

Vulnerability disclosure

Security researchers who discover potential vulnerabilities are encouraged to report them through the official security contact channel listed at /security.txt. The team reviews all disclosures and responds to substantive reports within five business days.

The platform maintains a public privacy policy and GDPR documentation describing what data is collected, how it is used, the lawful basis for processing, and how users can request deletion or export of their data.

All security reports are tracked, and users who submit validated vulnerability reports receive confirmation within 48 hours, an initial assessment within five business days, and ongoing status updates throughout the remediation process.

Infrastructure security and compliance

TubeAnalytics is hosted on Vercel's infrastructure and uses Upstash Redis for caching. All data in transit is protected by TLS 1.3. Database backups are encrypted and retained for 30 days with automated point-in-time recovery available.

The platform undergoes regular dependency scanning and automated security auditing through GitHub's Dependabot and npm audit. Critical and high-severity vulnerabilities are patched within 72 hours of a fix becoming available.

  • TLS 1.3 for all data in transit
  • Encrypted database backups with 30-day retention
  • Automated dependency scanning via Dependabot and npm audit
  • Critical vulnerability patches within 72 hours
  • SOC 2-type controls roadmap for Enterprise customers

Need security clarification?

Contact the team for account- or deployment-specific security questions.