Security & trust

Serious about your accounts.

You're handing us access to your brand's Pinterest accounts. We treat that the way we'd want our own accounts handled: strong controls, a minimal footprint, and full visibility into every action taken on your behalf.

Access & credentials

We never touch your passwords.

Pinterest connections use official OAuth flows. Your credentials stay between you and Pinterest.

OAuth, not passwords

Pinterest connections use official OAuth 2.0. We never see, store, or ask for your Pinterest password. You can revoke access from Pinterest at any time.

Role-based access

Reviewer, publisher, admin, and owner roles — scoped per workspace. No user has more access than their job requires.

Full audit logs

Every auth event, publish action, and admin operation is logged with actor, timestamp, and IP. Exportable on request.

Data protection

Encrypted in transit and at rest.

Industry-standard encryption in transit and at rest, across the whole stack. Your content and tokens are not commingled with other customers' data.

Encryption in transit & at rest

All traffic uses TLS 1.2 or higher. Data at rest is encrypted using AES-256. OAuth tokens and secrets are stored in a managed key management service.

Isolated per-tenant data

Workspaces use isolated database schemas. Your content, pins, and analytics are not accessible to other customers — by design, not policy.

Not used for model training

We do not train foundation models on your articles, pins, or analytics data. Ever. Your content is yours — see our privacy policy.

Publishing safety

We'd rather publish less than trip a platform.

Rate limits, review gates, and spacing rules keep PinFlicker's publishing behaviour inside Pinterest's guidelines, so automation does not put your account at risk.

Rate-limited publishing

We respect Pinterest's API rate limits and publish guidelines. Pins are spread across boards and accounts according to configurable daily caps — no spam-style bursts, no same-board flooding.

Human review gate

Nothing publishes without passing a review queue. Auto-approve rules are available but disabled by default — every pin starts with a human in the loop.
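As an illustration of how the two controls above fit together, here is a small publishing queue that enforces a per-board daily cap, a minimum spacing between pins on the same board, and a review gate that only auto-approves sources explicitly listed as trusted. This is an added example, not PinFlicker's code; the policy numbers, board names and sources are constructed sample data.

```python
"""Illustrative publishing queue: daily caps, spacing, and a review gate.
Hypothetical design for illustration only, not the product's own code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Pin:
    pin_id: str
    board: str
    source: str                        # where the article came from
    status: str = "pending_review"     # pending_review | approved | rejected | published
    published_at: Optional[datetime] = None


@dataclass(frozen=True)
class PublishPolicy:
    daily_cap_per_board: int = 5
    min_spacing: timedelta = timedelta(minutes=30)
    # Empty by default: every pin waits for a human unless its source is
    # explicitly trusted here (the "auto-approve rule" from the text).
    auto_approve_sources: frozenset = frozenset()


class PublishQueue:
    def __init__(self, policy: PublishPolicy):
        self.policy = policy
        self.pins: dict[str, Pin] = {}
        self.audit: list[tuple[str, str, str]] = []   # (event, pin_id, actor)

    def enqueue(self, pin: Pin, actor: str = "system") -> str:
        # Review gate: only an explicitly trusted source skips the human.
        if pin.source in self.policy.auto_approve_sources:
            pin.status = "approved"
            self.audit.append(("auto_approved", pin.pin_id, actor))
        else:
            pin.status = "pending_review"
            self.audit.append(("queued_for_review", pin.pin_id, actor))
        self.pins[pin.pin_id] = pin
        return pin.status

    def review(self, pin_id: str, approve: bool, reviewer: str) -> str:
        pin = self.pins[pin_id]
        if pin.status != "pending_review":
            raise ValueError(f"{pin_id} is not awaiting review (status={pin.status})")
        pin.status = "approved" if approve else "rejected"
        self.audit.append((pin.status, pin_id, reviewer))
        return pin.status

    def _published_on(self, board: str) -> list[Pin]:
        return [p for p in self.pins.values()
                if p.board == board and p.status == "published"]

    def try_publish(self, pin_id: str, now: datetime) -> tuple[bool, str]:
        """Publish if the gate, the daily cap and the spacing rule all allow it."""
        pin = self.pins[pin_id]
        if pin.status != "approved":
            return False, f"review gate: status is {pin.status}"
        same_board = self._published_on(pin.board)
        today = [p for p in same_board if p.published_at.date() == now.date()]
        if len(today) >= self.policy.daily_cap_per_board:
            return False, f"daily cap reached for board {pin.board}"
        if same_board:
            last = max(p.published_at for p in same_board)
            if now - last < self.policy.min_spacing:
                slot = last + self.policy.min_spacing
                return False, f"spacing: next slot for {pin.board} at {slot.isoformat()}"
        pin.status = "published"
        pin.published_at = now
        self.audit.append(("published", pin_id, "scheduler"))
        return True, "published"


def demo() -> list[tuple[str, bool, str]]:
    """Walk a constructed day of publishing through every rule once."""
    policy = PublishPolicy(daily_cap_per_board=2,
                           min_spacing=timedelta(minutes=30),
                           auto_approve_sources=frozenset({"blog.example.com"}))
    q = PublishQueue(policy)
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    q.enqueue(Pin("p1", "recipes", "blog.example.com"))    # trusted -> approved
    q.enqueue(Pin("p2", "recipes", "guest-post.example"))  # untrusted -> human review
    q.enqueue(Pin("p3", "recipes", "blog.example.com"))
    results = []
    results.append(("p2 before review", *q.try_publish("p2", t0)))
    results.append(("p1", *q.try_publish("p1", t0)))
    results.append(("p3 too soon", *q.try_publish("p3", t0 + timedelta(minutes=10))))
    results.append(("p3", *q.try_publish("p3", t0 + timedelta(minutes=30))))
    q.review("p2", approve=True, reviewer="alice")
    results.append(("p2 cap hit", *q.try_publish("p2", t0 + timedelta(hours=2))))
    results.append(("p2 next day", *q.try_publish("p2", t0 + timedelta(days=1))))
    return results


if __name__ == "__main__":
    for label, ok, reason in demo():
        print(f"{label:18} {'OK ' if ok else 'NO '} {reason}")
```

The point of the design is that the safe outcome is the default: a pin that is not in the trusted-source allowlist cannot be published by anyone until a reviewer acts on it, and the cap and spacing checks run even on approved pins, so a burst of approvals still cannot flood one board.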

Infrastructure

Built on reliable foundations.

  • Cloud infrastructure. Hosted on AWS with multi-availability-zone redundancy. Daily encrypted backups. Automated failover.
  • Isolated tenant data. Per-workspace database schemas with no cross-tenant data access paths.
  • SSO support. SAML-based single sign-on available on Custom and Enterprise plans.
  • Incident response. Documented incident response playbooks. We commit to notifying affected customers within 24 hours of a confirmed security incident.
  • SOC 2 Type II readiness. In progress. A readiness summary is available under NDA on request — contact security@pinflicker.com.
  • Security testing. Penetration testing is part of our security program and planned as a requirement for SOC 2 readiness.

Our commitments

What we will never do.

We will never ask for or store your Pinterest password.
We will never sell your personal information or content data to third parties.
We will never train foundation models on your articles, pins, or analytics.
We will never publish without a review gate unless you explicitly configure auto-approve for a trusted source.
We will never share your data across workspaces — your brands stay isolated.

Responsible disclosure

Found something? Tell us.

If you believe you've found a security vulnerability in PinFlicker, please report it to us privately before publishing. We take all reports seriously and commit to acknowledging them within 48 hours.

How to report

Email security@pinflicker.com with a description of the issue, steps to reproduce, and any supporting evidence. If you have our PGP key, please encrypt sensitive details with it.

Our commitment to you

We will acknowledge your report within 48 hours, keep you updated on resolution progress, credit you publicly (if you want), and not pursue legal action for good-faith disclosures within the scope of this policy.

Scope

In scope: app.pinflicker.com, API endpoints, authentication flows, data isolation, and any service that handles customer data. Out of scope: social engineering, physical attacks, denial-of-service testing, or third-party services beyond our control.

Questions about security?

Talk to us directly. We don't hide behind a ticket queue on this one.