Everything enterprise buyers, procurement teams, and security reviewers need to complete due diligence on FeedGuardians — in one place.
Current status of every certification, framework, and platform approval that matters to enterprise procurement.
FeedGuardians is an approved Meta Business Partner. Our Instagram and Facebook integrations have passed Meta's App Review process for the pages_read_engagement, pages_manage_engagement, instagram_manage_comments, and instagram_manage_insights scopes.
FeedGuardians is registered as a TikTok Business Solution Partner with approved access to the TikTok Content Posting API and Comment Moderation API.
FeedGuardians is currently in the SOC 2 Type II audit observation period with an external auditor. A Letter of Engagement and progress documentation are available on request for enterprise customers.
FeedGuardians is GDPR compliant for EU and UK customers. We act as a data processor under Article 28, with a signed Data Processing Agreement available as part of all enterprise contracts.
FeedGuardians complies with the California Consumer Privacy Act. Users and end-users whose comments are processed can exercise CCPA rights via our privacy portal.
A signed Data Processing Agreement is available for all customers on Pro and Enterprise plans. Contact [email protected] to request the current version.
All data transmitted to and from FeedGuardians uses TLS 1.3. All data at rest in our primary database and backups is encrypted with AES-256. Encryption keys are managed through a Key Management Service and rotated on a 90-day schedule.
FeedGuardians never asks for platform passwords. Instagram, Facebook, TikTok, and YouTube are connected via official OAuth flows, and access tokens are encrypted at rest and never exposed to any client. You can revoke access at any time from the platform side or from your FeedGuardians settings.
FeedGuardians requests the minimum permission scopes required to moderate comments. We do not request access to DMs unless DM moderation is explicitly enabled. We do not request access to ads account billing data, insights data, or any scope that is not directly required for the moderation function.
Customer data is logically isolated at the tenant level. Moderation rules, classifications, audit logs, and billing are scoped to a single customer account. Internal access is role-based and logged.
Comments are processed in memory for classification and retained only in aggregated form for your dashboard. Raw comment content is retained for 30 days for audit and retraining, then deleted. Customers can request full data deletion at any time — executed within 30 days of request.
FeedGuardians maintains a public list of all subprocessors (infrastructure, AI model providers, support tools) and provides 30 days' notice before adding any new subprocessor. Enterprise customers can subscribe to subprocessor update notifications.
We maintain a transparent list of every subprocessor and notify enterprise customers 30 days before adding a new one.
Report vulnerabilities or request a penetration-testing engagement window.
Data processing agreements, subject access requests, and deletion requests.
Enterprise contracts, security questionnaires, and procurement reviews.
When a comment is posted on your connected platform, FeedGuardians receives it via webhook or API polling, classifies it, and takes the action you have configured (hide, approve, auto-reply, escalate). The raw comment content is retained for 30 days in encrypted storage for audit and classification-model retraining, then automatically deleted. Only aggregate statistics (counts, sentiment averages, categories) are retained beyond 30 days.
FeedGuardians hosts data in AWS regions. North American customers are hosted in us-east-1 by default; EU customers are hosted in eu-west-1. Enterprise customers can request specific region pinning. Backups are encrypted and stored in the same region as the primary database.
Yes, comment classification is performed via OpenAI and Anthropic APIs — but both providers are configured with zero data retention mode, meaning comment content is not stored on their infrastructure and is not used for training their foundation models. This is contractually enforced via our API agreements with both providers.
Yes. A signed DPA is available for all Pro and Enterprise customers at no additional cost. The DPA follows the standard GDPR Article 28 structure with Standard Contractual Clauses for international transfers. Contact [email protected] for the current version.
FeedGuardians is currently in the SOC 2 Type II observation period with an external auditor. The Type II report is expected within the standard audit window. We can provide a Letter of Engagement and SOC 2 Type I report on request for enterprise customers conducting due diligence.
Yes. When you cancel, you have 30 days to export any data you want to keep from the dashboard. After 30 days, we automatically delete all raw comment data and audit logs tied to your account. You can also request immediate deletion by emailing [email protected] — we execute within 72 hours.
We maintain an incident response plan with defined severity levels and escalation paths. In the event of a security incident affecting customer data, we commit to notifying affected customers within 72 hours and providing a root cause analysis within 14 days. Enterprise customers can subscribe to proactive security advisories.
Yes. We complete CAIQ, SIG Lite, and custom enterprise security questionnaires as part of standard procurement for Enterprise customers. Reach out via [email protected] to initiate a questionnaire.
Enterprise security questionnaires (CAIQ, SIG, custom), pen test windows, and DPA negotiation are all handled in-house.