Security

How Mandalar Ltd protects your data and Facebook tokens.

Data storage

All data is stored on Supabase, hosted on AWS infrastructure in the European Union. Database access is restricted by row-level security so users can only access their own data.

Facebook tokens

Facebook Page access tokens are stored server-side and never exposed to the browser. Tokens are used only to publish posts on your behalf at the times you schedule. We never sell or share your tokens with third parties.

Transport security

All traffic to and from PostFlow is encrypted with TLS 1.3. Connections to Facebook's Graph API use HTTPS exclusively.

Payments

Payments are processed by Stripe, which is PCI-DSS Level 1 certified. Mandalar Ltd never sees or stores your card details.

Account security

• Passwords are hashed with bcrypt before storage
• Session tokens are HTTPS-only and httpOnly
• Forgot-password flow uses one-time tokens that expire after 1 hour

Reporting security issues

If you discover a security vulnerability, please email hello@mandalar.app with details. We will respond within 24 hours and credit you publicly if you wish.