Security & Data Protection

How Lyncly protects your Instagram tokens, your audience data, and your business — from storage to transmission.

Security checklist

  • AES-256-GCM encryption for all Instagram access tokens
  • X-Hub-Signature-256 webhook verification with timing-safe compare
  • Idempotency keys prevent duplicate webhook processing
  • Supabase Row-Level Security on all user tables
  • HttpOnly + Secure cookies — no token exposure to JavaScript
  • Official Instagram Business Login OAuth — password never touches Lyncly
  • Meta-compliant data deletion endpoint (HMAC-signed)
  • TLS in transit for all database and API connections
  • appsecret_proof on all server-side Meta Graph API calls
  • No password storage, no browser automation, no credential sharing

Token Encryption

  • Every Instagram access token stored in Lyncly is encrypted at rest using AES-256-GCM — authenticated encryption that detects tampering.
  • Tokens are encrypted before they ever reach the database. The encryption key lives exclusively in an environment variable; it is never logged, cached, or sent to a third party.
  • On read, tokens are decrypted in-memory only for the duration of the API call, then discarded.

Webhook Verification

  • Every incoming Instagram webhook is verified using X-Hub-Signature-256 — an HMAC-SHA256 signature computed with your app secret.
  • Lyncly uses a timing-safe comparison (crypto.timingSafeEqual) to prevent timing-based signature-forgery attacks.
  • Replays are prevented by idempotency keys: duplicate webhook deliveries (Meta retries for up to 36 hours) are detected and silently dropped.
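
The checks in this section, as an added Node.js example that is not Lyncly's own code: verify the signature over the raw body, then drop repeats. APP_SECRET, SAMPLE_BODY, handleWebhook, the in-memory Map and the use of a body hash as the idempotency key are all assumptions made for illustration.

```javascript
// Added example, not Lyncly's code. Secret and payload are constructed.
const { createHmac, createHash, timingSafeEqual } = require("node:crypto");

const APP_SECRET = "constructed-app-secret"; // placeholder; read from env in practice
const RETRY_WINDOW_MS = 36 * 60 * 60 * 1000; // retry window stated on this page
const SAMPLE_BODY = Buffer.from('{"object":"instagram","entry":[{"id":"0","time":1}]}');

// Header format: "sha256=" + hex(HMAC-SHA256(app secret, raw request body)).
function sign(rawBody, secret) {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Verify over the bytes exactly as received, before any JSON parsing.
function verifySignature(rawBody, header, secret) {
  if (typeof header !== "string" || !header.startsWith("sha256=")) return false;
  const expected = Buffer.from(sign(rawBody, secret), "utf8");
  const received = Buffer.from(header, "utf8");
  // timingSafeEqual throws on unequal lengths; the length itself is not secret.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// In-memory stand-in for a shared store (key -> expiry timestamp in ms).
const seen = new Map();

// Returns "rejected", "duplicate" or "processed".
function handleWebhook(rawBody, header, now = Date.now()) {
  // Signature first, so unsigned requests can never write to the dedupe store.
  if (!verifySignature(rawBody, header, APP_SECRET)) return "rejected";
  // Assumption: the idempotency key is a SHA-256 of the verified body.
  const key = createHash("sha256").update(rawBody).digest("hex");
  for (const [k, expiry] of seen) if (expiry <= now) seen.delete(k);
  if (seen.has(key)) return "duplicate";
  seen.set(key, now + RETRY_WINDOW_MS);
  return "processed";
}
```

Keys expire after the retry window, so the store stays bounded while every retry inside that window is still recognised.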

Database & Row-Level Security

  • Lyncly's database runs on Supabase (PostgreSQL), hosted in the United States, with Row-Level Security (RLS) policies on every user-facing table.
  • RLS ensures that even a compromised query cannot read another user's campaigns, leads, or DM logs.
  • Database connections use TLS in transit. Prisma ORM is used for all queries; raw SQL is limited to health checks.

Authentication

  • Lyncly uses Supabase Auth with Instagram Business Login (official OAuth 2.0). Your Instagram password is never entered on Lyncly — it goes directly to Meta's servers.
  • Session tokens are stored in HttpOnly, Secure, SameSite=Lax cookies. They are never exposed to JavaScript.
  • All dashboard routes are protected at the middleware layer (Supabase SSR); unauthenticated requests are redirected before any data is fetched.

Third-Party Data Sharing

  • Lyncly uses the following third-party services, each limited to the data required for its function: Supabase (database), Stripe (payments), Resend (transactional email), Upstash (rate-limiting counters), PostHog (product analytics), Inngest (background job orchestration).
  • No Instagram follower data is sold or shared with advertisers. DM content is stored only to generate analytics and is never read by Lyncly staff.
  • Stripe handles all payment card data. Lyncly never sees or stores card numbers.

Data Deletion

  • Meta requires all apps to provide a data-deletion endpoint. Lyncly implements this at POST /api/auth/facebook/deletion using a signed_request verified with HMAC-SHA256.
  • You can also delete your own account and all associated data at any time from Dashboard → Settings → Delete Account.
  • Upon deletion: your encrypted Instagram token, campaign data, leads, and DM logs are permanently removed from our database within 24 hours.

Responsible Disclosure

Found a security vulnerability? Please email security@lyncly.io before disclosing publicly. We aim to respond within 48 hours and will credit responsible reporters.