# Security & compliance
> Canonical: https://skedsocial.com/security/  
> Last updated: 2026-04-23

Sked is SOC 2 Type 2 certified (February 2025). We take data protection seriously because the marketing teams and brands trusting us take it seriously too.

Sked Social takes security and privacy seriously for all of our customers. We use the governance, risk and compliance platform Drata to provide continuous monitoring across:

- Infrastructure security and monitoring controls (such as encryption policies and firewalls).

- Employee and contractor processes for data access (including background checks).

- Internal policies for how we process and manage our code and customer data.

Our [Terms of Service](https://skedsocial.com/terms-of-service) and [Privacy Policy](https://skedsocial.com/privacy-policy) spell out exactly how we handle customer information.

## Six controls that underpin the platform

- **SOC 2 Type 2** — Completed 13 February 2025 with independent audit by Assurance Lab. Ongoing audit cycle. Report available on request to enterprise customers.
- **Data encryption** — In transit via TLS 1.3. At rest via AES-256. Scoped keys per customer tenant.
- **Access control** — Role-based access, SSO on Enterprise and Custom, per-brand permissions, detailed audit logs.
- **Privacy & DPA** — Compliant with the Australian Privacy Principles and substantively aligned with GDPR. DPA available pre-signature.
- **Penetration testing** — Annual third-party penetration testing. Most recent report available under NDA.
- **Vulnerability disclosure** — Responsible disclosure at security@skedsocial.com. We acknowledge within 2 business days.

## Vulnerability disclosure policy

Sked is committed to the safety and security of our customers and employees. We foster an open partnership with the security research community and recognise the role of vulnerability disclosures in keeping everyone safe.

To submit a vulnerability report to Sked's Product Security Team, email security@skedsocial.com. We use the criteria below to prioritise and triage submissions:

- Well-written reports in English get the fastest resolution.

- Reports that include proof-of-concept code help us triage faster.

- Reports that include only crash dumps or automated tool output may be lower priority.

- Please describe how you found the bug, the impact, and any remediation ideas.

- If you plan to disclose publicly, let us know your intended timing so we can co-ordinate.

What you can expect from us in return:

- A timely response — within 2 business days.

- After triage, an expected timeline with as much transparency as possible about remediation (and any issues or delays).

- An open dialogue as we investigate.

- Notification as each stage of review completes.

- Credit after a vulnerability has been validated and fixed.

Sked does not currently compensate third-party researchers through bug bounties. We will not pursue legal action against researchers who operate within our disclosure policy and the law.

## Whistleblower reporting

To anonymously report a violation of our information security programme or related laws, please contact our external counsel Paul Noonan at [paul@noonanlegal.com.au](mailto:paul@noonanlegal.com.au).

You are not responsible for investigating the alleged violation or determining fault. Your report is submitted to the security committee for review. We protect reporters against retaliation and harassment, and provide due process for all parties.
