Skip to main content

Security

Last updated: June 21, 2026

IP Bot is built trust-first. Below is an overview of how we protect your data and your connected accounts. This is a summary, not an exhaustive specification.

Authentication & access

  • User sign-in is handled by Amazon Cognito; we never store your password.
  • Programmatic access uses scoped, per-user API keys that you can create and revoke at any time, and that resolve only to your own account.
  • Access to your data follows least-privilege: a key or token can only act as its owner.

Data protection

  • Data is encrypted in transit (TLS) and at rest using managed AWS services.
  • Third-party credentials and platform secrets are stored in encrypted secret stores (AWS SSM SecureString), never in source code or the browser.
  • Connections to Instagram, HubSpot, WordPress, YouTube and others use OAuth — we request the minimum scopes needed and you can disconnect at any time.

Human-in-the-loop by design

Automations that publish to your audience pass through a review gate. Your agent can draft and schedule, but nothing goes live until it's approved — by you, a teammate, or a tokenized review link. Powers only spend Winds on success, and failed runs are refunded.

Responsible disclosure

If you believe you've found a security vulnerability, please report it privately via islandpitch.com/support before disclosing publicly. We'll acknowledge your report and work with you on a fix. Please do not access or modify data that isn't yours while testing.