🔒

Encryption

How Votriz protects your data at rest, in transit, and during processing.

Last reviewed 2026-04 · Engineering · Owned by AI Safety Officer

Overview

Votriz encrypts all sensitive data using industry-standard algorithms. No sensitive data is stored in plaintext. Encryption keys are stored in hardware-backed secure storage, isolated from application code. Keys are never stored in source code, configuration files, or environment variables on disk. Key rotation is supported without service interruption.

Encryption at rest

Social platform tokens

OAuth tokens for every connected platform (Instagram, LinkedIn, Twitter, TikTok, YouTube) are encrypted per-row using Fernet.

Algorithm: AES-128-CBC + HMAC-SHA256 authentication (Fernet)
Implementation: the Python cryptography library
Key storage: hardware-backed secure storage (HSM)
Key rotation: supported — rewrite all rows with the new key

raw_token  →  Fernet.encrypt(raw_token)  →  channels.access_token (DB)
DB read    →  Fernet.decrypt(ciphertext) →  used for API call →  discarded

Database

PostgreSQL 15 runs on encrypted volumes. Backup streams are encrypted at the storage layer with a 30-day rolling retention and a monthly restore drill.

Passwords + MFA codes

Account passwords: bcrypt with work factor 12, never plaintext
MFA backup codes: bcrypt-hashed individually; plaintext returned to the user once at setup, then forgotten by the server
MFA recovery tokens: bcrypt-hashed, plaintext only in the one-time email link

Encryption in transit

External traffic

TLS 1.3, terminated at Cloudflare's edge network
HSTS enforced (Strict-Transport-Security header)
Certificate auto-renewed by Cloudflare
No traffic reaches the origin server unencrypted

Internal traffic

All container-to-container communication runs on a Docker bridge network, single host
No service ports exposed publicly except 80/443 via Cloudflare
API-to-LLM and API-to-Resend calls are HTTPS

Security headers

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Key management

Key	Storage	Rotation
JWT signing secret	Hardware-backed secure storage (HSM)	On compromise — invalidates all sessions
Token encryption key	Hardware-backed secure storage (HSM)	Rewrite all `channels` rows with the new key
API keys (Anthropic, fal.ai, Resend, Stripe, etc.)	Hardware-backed secure storage (HSM)	Per-provider, on rotation
Database password	Hardware-backed secure storage (HSM)	Container restart
Redis password	Hardware-backed secure storage (HSM)	Container restart

Every key is namespaced and isolated from application code; no key is readable from the application runtime except via the secure storage interface at process start.

What is NOT encrypted

Honest scope: a few categories are intentionally unencrypted.

Public marketing site assets (HTML, CSS, JS, images)
Aggregate analytics counters that contain no PII (post counts, engagement rates rolled up at brand level)
Brand names + industry metadata — the brand sets these to surface them publicly

If a category isn't on this list, it's encrypted at rest.