Security Overview
Last Updated: May 27, 2026
YouTube creators trust us with their channel data, their content pipeline, and their team's work. This page explains how we handle that responsibility.
Your data is yours
We don't sell your data. We don't share it with advertisers. We don't use it to train AI models. Your scripts, thumbnails, analytics, and revenue data exist in Feedzy to help you and your team make better content. Nothing else.
YouTube and Google API access
Feedzy requests exactly two YouTube permissions:
- “See, edit and delete your videos” — required for uploading videos and swapping thumbnails during A/B tests. Google bundles upload, edit, and delete into a single permission. We cannot request upload access without the rest. Every YouTube tool that offers uploads requests this same scope.
- “View monetary and non-monetary YouTube Analytics reports” — required for displaying your channel analytics (views, watch time, subscribers, revenue) inside your workspace and for measuring A/B test performance.
That's it. We removed every other permission we could. The “Manage my YouTube channel” permission that many YouTube tools request is not used by Feedzy.
We use OAuth 2.0 Authorization Code Flow to connect your accounts, so Feedzy never sees or stores your Google password. Access tokens are short-lived and automatically refreshed, so if one were compromised, it would expire quickly. Refresh tokens for YouTube channels are encrypted at rest, so if our database were somehow leaked, no one could use them to access your channel.
What Feedzy does with this access:
- Uploads videos you approve from inside Feedzy
- Runs A/B thumbnail tests by swapping thumbnails on your published videos
- Reads your analytics (views, watch time, subscribers, revenue) to display in your workspace
What Feedzy never does:
- Deletes any video or content from your channel
- Edits or modifies existing videos without you initiating it inside Feedzy
- Takes any autonomous action on your channel
- Shares your YouTube data with anyone
You can disconnect your channel at any time and we immediately stop accessing your data.
Authentication
Passwords are hashed using bcrypt. If our database were compromised, your password could not be revealed to anyone, including us.
Two-factor authentication secrets and recovery codes are encrypted at rest. 2FA verification codes are rate-limited to prevent automated guessing.
Sessions are managed with HTTP-only cookies using a SameSite policy, which prevents malicious scripts or third-party sites from hijacking your session. Login attempts are rate-limited (5 per minute) to slow down brute-force attacks.
Sensitive data such as passwords and tokens is never exposed in API responses, even to authenticated users.
Encryption
All data in transit between your browser and Feedzy is encrypted using TLS/SSL. Database connections are encrypted with SSL/TLS. Every connection is encrypted, no exceptions.
All files stored in Laravel Cloud's S3-compatible storage are encrypted at rest using server-side encryption. Database backups are also encrypted. Refresh tokens and 2FA secrets are encrypted at the application level on top of infrastructure encryption.
Access controls
Role-based permissions let workspace owners control exactly what each team member can do, from editing content to managing YouTube connections. No one gets more access than they need.
Team invitations use unique, time-limited tokens tied to a specific email address, preventing unauthorized users from joining your workspace. Guest access is scoped and isolated, so external collaborators can only view what you've explicitly shared with them.
Revenue data (earnings, RPM, CPM) is separated from general analytics within the permissions system, so owners can restrict who sees financial information.
Workspace isolation
Every Feedzy workspace is completely isolated at the database level. Your content, team members, and analytics are never visible to other organizations on the platform. Queries are scoped to the authenticated workspace, preventing data from leaking between workspaces.
Our verification system is designed to never reveal whether a specific email address has an account, protecting users from targeted attacks.
Infrastructure
Feedzy runs on:
- Laravel Cloud (built on AWS) with automated scaling and DDoS protection
- Vercel with edge network delivery for the frontend
- Laravel Cloud (S3-compatible object storage) with server-side encryption for file storage
- Resend for transactional email (sending from noreply.feedzy.io to protect domain reputation)
- Paddle for payments (merchant of record, handling all payment processing, tax, and PCI compliance on their own domain)
Your credit card information never touches our servers. Paddle handles the entire checkout flow on their domain.
All secrets and credentials are stored in secure environment variables, never hardcoded in source code.
Application security
Feedzy is built with standard protections against common web vulnerabilities:
- All forms and API requests are protected against cross-site request forgery (CSRF)
- Cross-origin requests are restricted to trusted domains only
- All database queries use parameterized statements, protecting against SQL injection
- Every user input is validated and sanitized before processing
- Sensitive fields are stripped from all API responses
Monitoring and error tracking
We use Sentry for real-time error tracking across both the frontend and backend. When something breaks, we typically know about it before users report it.
PostHog (hosted in the EU) provides product analytics. Session recordings mask all sensitive fields (passwords, personal identifiers) by default.
Data handling and deletion
When you delete content in Feedzy, it's removed from the live platform. Uploaded files are removed from storage within 24 hours of deletion.
Deleting a workspace, chat channel, or user account deletes every associated resource: files, messages, tasks, A/B test data, everything. This cannot be undone.
Automated backups through Laravel Cloud ensure your data can be recovered in case of unexpected incidents. Deleted data may persist in backup snapshots for a limited period before being cycled out.
Account deletion can be requested at any time by emailing support@feedzy.io.
Employee access
We're a small team, which means fewer people with access and more accountability. Access to production systems is restricted to essential personnel only. We follow the principle of least privilege — no one has broader access than their role requires.
Infrastructure accounts use scoped IAM permissions, not shared root credentials, and all credentials are stored securely.
Compliance
Feedzy is operated by ThumbMastery LLC, a Delaware limited liability company.
We design our practices to align with applicable data protection regulations including GDPR (for EU/UK users) and CCPA (for California users). Our analytics infrastructure (PostHog) is hosted in the EU.
We're early on the compliance journey and transparent about that. As Feedzy grows, we plan to pursue additional certifications. If you have specific compliance questions, email us and we'll give you a straight answer.
Reporting security issues
If you discover a security vulnerability, report it to support@feedzy.io. We take all reports seriously and will respond promptly.
Questions
If you have questions about how we handle security or your data, email us at support@feedzy.io.