Security and Data Protection
Your content, credentials, and data deserve enterprise-grade protection. ContentEngine encrypts everything at rest, isolates every tenant, and never exposes your API keys - because security should not be a premium feature.
How We Protect Your Data
All sensitive data - API keys, OAuth tokens, and workspace configurations - is encrypted using AES-256-GCM before being stored in the database. Each tenant gets a unique encryption key derived from a master key with key rotation support. Even if the database were compromised, encrypted data would be unreadable without the corresponding decryption keys.
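As an added illustration of the scheme described above (not ContentEngine's own code), here is one way to derive a per-tenant key from a versioned master key and encrypt a secret with AES-256-GCM in Node.js. The HKDF-SHA256 derivation, the record layout, the use of the tenant ID as associated data, and all function and variable names are assumptions made for this example.

```javascript
// Added illustration; not ContentEngine's code. All names are hypothetical.
const crypto = require('node:crypto');

// Constructed master keys, indexed by version so older records stay readable
// after rotation. In practice these would come from a KMS or secret store.
const MASTER_KEYS = new Map([
  [1, crypto.randomBytes(32)],
  [2, crypto.randomBytes(32)],
]);
const CURRENT_VERSION = 2;

// Per-tenant 256-bit key: HKDF-SHA256 over the master key, tenant ID as context.
function tenantKey(tenantId, version) {
  const master = MASTER_KEYS.get(version);
  if (!master) throw new Error(`unknown master key version ${version}`);
  const info = Buffer.from(`tenant-secret:${tenantId}`, 'utf8');
  return Buffer.from(crypto.hkdfSync('sha256', master, Buffer.alloc(0), info, 32));
}

// Record layout: version (1 byte) | IV (12) | auth tag (16) | ciphertext.
function encryptSecret(tenantId, plaintext, version = CURRENT_VERSION) {
  const iv = crypto.randomBytes(12); // must never repeat under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', tenantKey(tenantId, version), iv);
  cipher.setAAD(Buffer.from(tenantId, 'utf8')); // binds the record to its tenant
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([Buffer.from([version]), iv, cipher.getAuthTag(), ct]);
}

function decryptSecret(tenantId, record) {
  if (record.length < 29) throw new Error('record too short');
  const version = record[0];
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', tenantKey(tenantId, version), record.subarray(1, 13));
  decipher.setAAD(Buffer.from(tenantId, 'utf8'));
  decipher.setAuthTag(record.subarray(13, 29));
  // final() throws if the key, tenant ID, or any byte of the record is wrong.
  const pt = Buffer.concat([decipher.update(record.subarray(29)), decipher.final()]);
  return pt.toString('utf8');
}

// Rotation: decrypt under the record's version, re-encrypt under the current one.
function rotate(tenantId, record) {
  if (record[0] === CURRENT_VERSION) return record;
  return encryptSecret(tenantId, decryptSecret(tenantId, record));
}
```

Because the tenant ID feeds both the key derivation and the associated data, a record copied into another tenant's row fails authentication instead of decrypting.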
Every workspace operates in complete isolation. Database queries are scoped to the authenticated tenant at the ORM level, making cross-workspace data access architecturally impossible. There are no shared tables, no shared encryption keys, and no shared API credentials between tenants. One workspace cannot see, access, or affect another.
Your OpenAI, Sanity, LinkedIn, and Twitter API keys are encrypted before storage and decrypted only in server-side memory during active use. Keys are never sent to the client-side browser, never included in API responses, never logged in application logs or error reports, and never stored in plain text anywhere in the system.
ContentEngine uses a bring-your-own-key (BYOK) model for AI generation. You provide your own OpenAI API key, which means your AI usage is billed directly by OpenAI, you maintain full control over rate limits and spending, you can revoke access instantly from your OpenAI dashboard, and ContentEngine never has independent access to your AI provider account.
ContentEngine runs in Docker containers with minimal attack surface. The PostgreSQL database enforces connection encryption and strong authentication. Application dependencies are audited regularly for known vulnerabilities. The Node.js runtime is kept current with security patches, and the background worker process runs with limited privileges.
ContentEngine is built with SOC 2 compliance principles in mind. Access controls follow the principle of least privilege. All authentication events and data access are logged. Data retention policies are configurable per workspace. The architecture supports the controls required for SOC 2 Type II certification.