Product security and trust controls

Overview of security posture, account protections, and platform-level safeguards.

How TubeAnalytics protects channel data

OAuth tokens for every connected YouTube channel are encrypted at rest using AES-256-GCM, a symmetric authenticated cipher that provides both confidentiality and tamper detection. Tokens are decrypted in memory only at the moment an API call is issued, and raw key material never appears in logs or error traces.

The platform does not store video content, channel passwords, or Google account credentials. The only data retained from the OAuth flow is the access and refresh token pair, the YouTube channel ID, and the channel display name — the minimum set required to fetch analytics on the user's behalf.

Account security controls

Authentication is handled by Clerk, which provides session management, multi-factor authentication, and device-level session revocation. Users can view active sessions and sign out remotely from any device at any time through account settings.

API keys issued through the developer API are scoped per-organization and can be rotated or revoked independently without affecting other keys in the same account. Key rotation does not require re-authorization of connected YouTube channels.

  • AES-256-GCM encryption for all stored OAuth tokens
  • Clerk session management with MFA support
  • Per-key API access with independent revocation
  • HTTPS-only transport; no plaintext credential storage
  • GDPR-compliant data handling with documented deletion procedures

Vulnerability disclosure

Security researchers who discover potential vulnerabilities are encouraged to report them through the official security contact channel listed at /security.txt. The team reviews all disclosures and responds to substantive reports within five business days.

The platform maintains a public privacy policy and GDPR documentation describing what data is collected, how it is used, the lawful basis for processing, and how users can request deletion or export of their data.

Need security clarification?

Contact the team for account- or deployment-specific security questions.