Security
Last updated: June 10, 2026
At Creator Offload, we take the security of our platform and your data seriously. This page describes our current security practices in plain, honest terms. We are an early-stage bootstrapped startup and our security posture reflects that — we have implemented the fundamentals correctly and we are continuously improving as the platform matures.
If you discover a security vulnerability, please see the Responsible Disclosure section at the bottom of this page.
1. Infrastructure and Hosting
Creator Offload is hosted on infrastructure provided by established cloud providers with industry-standard physical and network security controls. Our infrastructure benefits from:
- Physical security: Managed by our cloud infrastructure provider, including 24/7 surveillance, access control, and environmental monitoring.
- Network security: Firewall rules, network segmentation, and DDoS mitigation at the infrastructure layer.
- Redundancy: Our database and application layers are designed with redundancy to reduce the risk of service interruption.
We do not operate our own data centers.
2. Data Encryption
In Transit
All data transmitted between your browser (or API client) and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and do not serve content over unencrypted HTTP. API connections require TLS.
At Rest
Customer data stored in our database — including creator profiles, content metadata, rights records, and account information — is encrypted at rest using AES-256. File assets (images, videos, and other uploaded content) are stored in encrypted object storage.
Payment Data
Payment card data is handled entirely by Stripe, a PCI-DSS Level 1 certified payment processor. Creator Offload never receives, transmits, or stores raw card numbers, CVCs, or magnetic stripe data.
3. Access Controls
Internal Access
Access to production systems and customer data by Creator Offload team members is restricted to those with a specific business need. We apply the principle of least privilege — each team member has only the access necessary to perform their role.
Multi-Factor Authentication
Multi-factor authentication (MFA) is enforced for all Creator Offload team members accessing production infrastructure. MFA is available to all customers via authenticator app.
Role-Based Access Control (RBAC)
Within the platform, customer workspaces are isolated from one another. Within a workspace, access is governed by role-based permissions — team members can be assigned roles that limit their access to specific functions and data sets.
Session Management
Authenticated sessions use short-lived, cryptographically signed tokens. Sessions expire after a period of inactivity and can be revoked from account settings.
4. Application Security
We follow secure coding practices during development, including:
- Input validation and output encoding to prevent injection attacks
- Protection against common web vulnerabilities (OWASP Top 10)
- Dependency management with regular updates to address known vulnerabilities
- Code review for security-sensitive changes
Our API uses token-based authentication. API tokens are scoped to specific workspaces and can be revoked at any time from the account dashboard. Rate limiting is enforced on all API endpoints to prevent abuse.
5. Data Backup and Recovery
We perform regular automated backups of customer data. Backups are encrypted and stored separately from the primary data systems. We test our restore procedures periodically to verify that backups are usable. We retain daily backups for a minimum of 7 days and weekly backups for 30 days. Specific recovery point objectives (RPO) and recovery time objectives (RTO) are available to Enterprise customers upon request.
6. Vulnerability Management and Penetration Testing
Current state (startup-stage honesty): We conduct internal security reviews and use automated vulnerability scanning tools as part of our development and deployment pipelines. We have not yet completed a formal third-party penetration test of the full platform. We plan to engage a third-party security firm for a penetration test as the platform approaches general availability and will update this page when that assessment is complete.
7. Incident Response
We have a documented incident response plan that covers detection, containment, investigation, notification, and remediation. In the event of a security incident affecting customer data:
- Detection: We use monitoring and alerting to detect anomalous activity on our infrastructure and application layer.
- Containment: Affected systems or accounts are isolated to limit the scope of a potential incident.
- Investigation: We investigate the nature, scope, and root cause of the incident.
- Notification: For incidents meeting the threshold of a personal data breach, we notify affected customers without undue delay and within 72 hours of becoming aware.
- Remediation: We address the root cause and implement measures to prevent recurrence.
8. Subprocessor Security
We assess the security practices of our subprocessors before engaging them and require that they maintain appropriate security controls. Our current Day-0 subprocessors — Stripe (payments), Resend (transactional email), and Google (OAuth) — are established providers with publicly documented security programs and relevant certifications.
9. Compliance and Certifications
Current state: Creator Offload is an early-stage startup. We do not yet hold SOC 2 Type II certification or ISO 27001 certification. We are building our information security program with these frameworks as a target. Enterprise customers with specific compliance requirements are encouraged to contact us to discuss our current controls and roadmap.
We adhere to GDPR data processing obligations under our Data Processing Agreement and have implemented the technical and organizational security measures described in that document.
10. Employee Security
All Creator Offload team members undergo security awareness training. Employees with access to sensitive systems are subject to background checks where applicable. We have a clear offboarding process that revokes system access promptly when team members depart.
11. Responsible Disclosure (Bug Reporting)
We appreciate the work of security researchers and the broader security community. If you discover a potential security vulnerability in Creator Offload, we ask that you:
- Report it privately to security@creatoroffload.com before publicly disclosing it.
- Include enough information for us to reproduce the issue: a description of the vulnerability, steps to reproduce, the potential impact, and your contact details.
- Give us a reasonable amount of time to investigate and remediate the issue before public disclosure (we ask for a minimum of 90 days for non-critical issues; critical issues will be triaged urgently).
- Do not access, modify, or delete customer data during your research. Do not perform denial-of-service testing or social engineering attacks against our team or customers.
We commit to:
- Acknowledging your report within 3 business days.
- Providing regular updates on our investigation.
- Notifying you when the issue is resolved.
- Not pursuing legal action against researchers who act in good faith and follow these guidelines.
We do not currently have a formal bug bounty program, but we recognize and appreciate responsible disclosure. We are willing to discuss recognition for significant findings.
Security contact: security@creatoroffload.com
12. Contact and Questions
If you have security questions that are not answered here, or if you are an Enterprise customer with specific security requirements, contact us at security@creatoroffload.com. We are happy to share additional information about our security program under a mutual NDA where appropriate.