
Security & Responsible Disclosure

Effective: 2 June 2026 · Version 1.0

Our security commitment: ViralMonkey handles OAuth tokens granting access to users’ social media accounts. We take that responsibility seriously. This page explains our security architecture, how we respond to incidents, and how to report a vulnerability responsibly if you find one.

On this page
  1. Security Architecture
  2. What We Do With Your Platform Tokens
  3. Incident Response
  4. Responsible Disclosure
  5. Bug Bounty
  6. Contact

1. Security Architecture

Data protection
  • All data in transit: TLS 1.2+ enforced
  • OAuth tokens: AES-256 via AWS KMS
  • Encryption key never stored in database
  • Token rotated on reconnect or suspected compromise
  • Passwords: bcrypt via AWS Cognito — irrecoverable
  • Database: DynamoDB with row-level access control

Infrastructure
  • AWS EU-West (Ireland / Frankfurt) — GDPR compliant
  • IAM least-privilege across all AWS services
  • VPC isolation for sensitive workloads
  • CloudWatch alarms and dead-letter queues
  • Cloudflare: DDoS protection, WAF, rate limiting
  • No secrets in code — all via AWS Secrets Manager

Access control
  • User data access: account owner only via Cognito JWT
  • OAuth tokens: decrypted only at API call time
  • No employee has standing access to production data
  • Privileged access via break-glass procedures only
  • All admin actions logged in CloudTrail

Monitoring and response
  • CloudWatch alerts on anomalous API call patterns
  • Rate limiting on all public endpoints
  • Automated account suspension on suspicious activity
  • Security reviews before launch and periodically
  • Incident response plan with ICO 72-hour notification

2. What We Do With Your Platform Tokens

When you connect X (Twitter) — or future platforms — ViralMonkey receives an OAuth access token. Here is precisely what happens to it:

  1. Token received from platform OAuth handshake
  2. Immediately encrypted with AES-256 using AWS KMS before any storage
  3. Stored encrypted in DynamoDB — the plaintext token never touches persistent storage
  4. When you trigger an action (post, reply, comment): token retrieved, decrypted in memory, API call made, decrypted token discarded from memory
  5. Token is never logged, never included in analytics, never transmitted to any third party
  6. Token invalidated and deleted when you disconnect your platform account
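The six steps above are the envelope-encryption pattern: a data key obtained from KMS encrypts the token, the wrapped (KMS-encrypted) data key is stored beside the ciphertext, the wrapping key never reaches the database, and the plaintext token exists only in process memory while an API call is made. The Go program below is an added illustration of that pattern, not ViralMonkey's code. `KeyService`, `fakeKMS`, `StoredToken`, `EncryptToken` and `WithToken` are names assumed here; `fakeKMS` is an in-process stand-in for AWS KMS (the real SDK's GenerateDataKey and Decrypt calls would sit behind the same `KeyService` seam) so the example runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyService is the key-service surface envelope encryption needs (AWS KMS
// calls these GenerateDataKey and Decrypt); an assumption for illustration.
type KeyService interface {
	GenerateDataKey() (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

type fakeKMS struct{ master cipher.AEAD } // constructed in-memory stand-in for KMS

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

func newFakeKMS() (*fakeKMS, error) {
	aead, err := newGCM(randomBytes(32)) // master key lives only in this process
	return &fakeKMS{master: aead}, err
}

// GenerateDataKey returns a fresh data key plus its wrapped form (nonce || AES-GCM(master, key)).
func (f *fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk := randomBytes(32)
	nonce := randomBytes(f.master.NonceSize())
	return dk, f.master.Seal(nonce, nonce, dk, nil), nil
}

func (f *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	ns := f.master.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return f.master.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

// StoredToken is all that reaches the database: no plaintext token, no unwrapped key.
type StoredToken struct{ WrappedKey, Nonce, Ciphertext []byte }

// String makes an accidental log of the record print a marker, not bytes.
func (StoredToken) String() string { return "StoredToken{redacted}" }

// EncryptToken encrypts a token the moment it is received, before storage.
func EncryptToken(ks KeyService, token string) (StoredToken, error) {
	dk, wrapped, err := ks.GenerateDataKey()
	if err != nil {
		return StoredToken{}, err
	}
	defer zero(dk)
	aead, err := newGCM(dk)
	if err != nil {
		return StoredToken{}, err
	}
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, []byte(token), nil)
	return StoredToken{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// WithToken decrypts only for the duration of use, then wipes key and plaintext; the GCM tag rejects a record altered at rest.
func WithToken(ks KeyService, st StoredToken, use func(token []byte) error) error {
	dk, err := ks.Decrypt(st.WrappedKey)
	if err != nil {
		return err
	}
	defer zero(dk)
	aead, err := newGCM(dk)
	if err != nil {
		return err
	}
	pt, err := aead.Open(nil, st.Nonce, st.Ciphertext, nil)
	if err != nil {
		return err
	}
	defer zero(pt)
	return use(pt)
}

func zero(b []byte) { // best effort in Go: the runtime may already have copied the bytes
	for i := range b {
		b[i] = 0
	}
}
```

Two points the code makes that the prose cannot: the wiping in `WithToken` is only as good as the callback, so the function passed to it should perform the API call and must not copy the token into a `string`, a struct field or a log line; and because both layers use AES-GCM, a record that is modified at rest, or unwrapped with a different master key, fails authentication rather than yielding garbage that a caller might send to the platform.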

If you suspect your connected account has been compromised, immediately disconnect it in ViralMonkey (Settings → Connected Accounts → Disconnect) and from the platform directly, then contact security@viralmonkey.ai.

3. Incident Response

0–24h: Incident identified → severity assessment → affected systems isolated → internal escalation triggered
24–72h: Root cause analysis → UK ICO notified if personal data at risk → affected user notification prepared
72h+: Affected users notified directly (if high risk to them) → remediation deployed → post-incident review completed

Notifications to affected users include: what happened, what data was involved, what we have done, and what steps you should take.

4. Responsible Disclosure

If you discover a security vulnerability in ViralMonkey, we ask you to disclose it to us responsibly. We are a small team and we take every report seriously.

How to report

🔒 Security Vulnerability Reports
security@viralmonkey.ai
Please include: description of the vulnerability; steps to reproduce; potential impact; any proof-of-concept (non-destructive only). We will acknowledge your report within 2 business days and provide updates at least every 7 days.

Our commitments to researchers

  • We will acknowledge your report within 2 business days
  • We will not take legal action against good-faith researchers who follow this policy
  • We will work with you to understand and validate the issue
  • We will notify you when the vulnerability is fixed
  • We will credit you in our security acknowledgements if you wish

Scope

✓ In scope
  • viralmonkey.ai and subdomains
  • ViralMonkey web application
  • Authentication and session management
  • OAuth token handling
  • API endpoints
  • Data exposure vulnerabilities

✕ Out of scope
  • Social engineering or phishing attacks
  • Denial of service attacks
  • Accessing other users’ accounts without permission
  • Physical security
  • Third-party services (AWS, Stripe, X)
  • Issues requiring unlikely user interaction

Please do not: Access, modify, or delete other users’ data; disrupt production services; publicly disclose vulnerabilities before we have had a reasonable opportunity to fix them (we ask for 90 days); conduct automated scanning that degrades service availability.

5. Bug Bounty

We do not currently operate a paid bug bounty programme. We offer public acknowledgement for responsibly disclosed vulnerabilities. We will review this policy as the product grows.

6. Contact

Security issues: security@viralmonkey.ai
General privacy: privacy@viralmonkey.ai
Abuse reports: abuse@viralmonkey.ai

v1.0 · 2 June 2026 · Initial publication