Security

How we protect your data and your X account

Concrete, verifiable security practices — not buzzwords. Every claim on this page maps to a configuration you can confirm in our response headers, dependency tree, or the X developer portal.

OAuth 2.0 PKCE for X access

We never see, store, or transmit your X password. AutoTweet connects to X using the official X API v2 with OAuth 2.0 PKCE — the same authentication method banks use for delegated access. You can revoke access from your X settings at any time, and AutoTweet immediately loses the ability to post.

HTTPS everywhere, HSTS preloaded

Every byte between your browser and our servers travels over TLS 1.3. The autotweet.io domain is on the HSTS preload list with a 2-year max-age and includeSubDomains, so browsers that ship the preload list refuse plain HTTP connections to us even on their very first visit, before any response from us could have set the policy.

Data minimization

We store the minimum data needed to deliver the product: your email, your X handle, the tweets you ask us to draft or publish, and analytics counts that came back from the X API. We do not collect your followers list, your DMs, or your contacts.

Stripe-only billing — we never see your card

Card data is captured directly by Stripe via tokenization. AutoTweet receives a payment-method ID and a customer ID; we never touch the raw PAN, CVC, or expiration. PCI-DSS scope reduction by design.

Official API only — no scraping

We do not scrape X, run headless Chrome, or simulate browser sessions. Every read and write goes through the documented X API v2 endpoints with rate-limit handling. This is why your account stays safe: there is no behavior pattern X can flag as automation abuse.

Defense-in-depth headers

Every response carries the following hardening headers, each of which you can confirm at any time by inspecting the response headers:

  • Strict-Transport-Security
  • X-Content-Type-Options
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy locking camera, microphone and geolocation
  • Cross-Origin-Opener-Policy isolating popup contexts
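
An added verification example (not the site's own code) that checks a response's headers against the policy stated on this page, including the 2-year HSTS max-age and includeSubDomains from the HTTPS section, over a constructed header set. The page names the Permissions-Policy and Cross-Origin-Opener-Policy intents but not their literal values, so the values `camera=(), microphone=(), geolocation=()` and `same-origin` are assumptions, and the `preload` directive is checked because the browser preload list requires it.

```python
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds, the max-age the page states

# Constructed sample of a compliant response; not captured from the real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",  # assumed values
    "Cross-Origin-Opener-Policy": "same-origin",  # assumed value
}

def parse_directives(value, sep):
    """Split 'name=val<sep>name2=val2' into a dict keyed by lowercased name."""
    out = {}
    for part in value.split(sep):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def check_headers(headers):
    """Return a list of findings; an empty list means the stated policy holds."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = parse_directives(h.get("strict-transport-security", ""), ";")
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < TWO_YEARS:
        findings.append("HSTS max-age shorter than 2 years or missing")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in hsts:  # required for the domain to stay on the preload list
        findings.append("HSTS lacks preload directive")
    expected = {
        "x-content-type-options": "nosniff",
        "x-frame-options": "deny",
        "referrer-policy": "strict-origin-when-cross-origin",
        "cross-origin-opener-policy": "same-origin",  # severs the opener link to popups
    }
    for name, want in expected.items():
        if h.get(name, "").strip().lower() != want:
            findings.append(f"{name} is {h.get(name)!r}, expected {want!r}")
    policy = parse_directives(h.get("permissions-policy", ""), ",")
    for feature in ("camera", "microphone", "geolocation"):
        if policy.get(feature) != "()":  # "()" is the empty allowlist: no origin may use it
            findings.append(f"Permissions-Policy does not lock {feature}")
    return findings

if __name__ == "__main__":
    print(check_headers(SAMPLE_HEADERS) or "all stated headers present")
```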

What that means specifically

  • Hosted on Vercel (SOC 2 Type 2) with traffic isolated per region
  • Database hosted on Supabase (Postgres) with row-level security policies
  • X access tokens encrypted at rest; refresh tokens rotated automatically
  • X-Robots-Tag: noindex on all API responses (no accidental leakage to search)
  • X-Robots-Tag: noindex on all non-canonical hosts (no preview-URL leakage)
  • Lockfile guard in CI prevents the class of dependency-tampering that caused our May 2026 outage
  • No third-party analytics that fingerprint users (GTM/GA4 optional, lazy-loaded, IP-anonymized)
  • No retention of generated drafts you delete — destroyed at write time
  • No sale of customer data, ever

Responsible disclosure

Found a vulnerability? Email support@autotweet.io with the subject line SECURITY. We triage on the same day, fix critical issues within 72 hours, and credit reporters on the changelog with permission.

Please do not test on production accounts that aren't your own, do not exfiltrate user data, and give us a reasonable window to remediate before public disclosure.