Security & Privacy

Built to protect your data

Every layer of Solaris from Instagram tokens to payment processing is designed with security first. Here is exactly how we protect you.

AES-128-CBC Encryption HMAC-SHA256 Integrity Stripe Payments GDPR & CCPA Compliant
Instagram Connection & DM Security
How we handle your Instagram account and messages
OAuth. We Never See Your Password
Official API
Instagram handles authentication
You log in directly on Instagram's servers via OAuth. Solaris never receives or stores your password, we only get a secure access token.
Encrypted access token storage
Your Instagram access token is encrypted at rest using AES-128-CBC and can only be used by the app to send replies on your behalf.
Revoke access anytime
You can disconnect Solaris from your Instagram account at any moment from your Solaris dashboard or directly from Instagram's app settings.
Direct Message Encryption
Encrypted
AES-128-CBC encryption
Every DM stored in our database is encrypted using AES-128-CBC. Raw message text is never saved in plain form.
HMAC-SHA256 integrity check
Each encrypted payload is tagged with an HMAC-SHA256 signature to detect and reject any tampering before decryption.
URL-safe base64 key format
Encryption keys use a URL-safe base64 encoding, ensuring safe transport and storage without exposure.
Data Lifecycle & Auto-Deletion
What happens to your DM data from arrival to deletion
7-Day Automatic Purge Policy
Auto-deleted
DM arrives via Instagram Webhook
Instagram sends the message payload to our secure endpoint over HTTPS/TLS.
Encrypted and stored in database
The payload is encrypted with AES-128-CBC and tagged with HMAC-SHA256 before being saved. No one can read it in plain text.
AI pipeline processes the message
The decrypted content is used only within the processing pipeline to build context and generate a reply. It is not shared externally.
Reply sent back via Instagram Graph API
The AI-generated reply is sent using your encrypted access token. The response goes through Instagram's official API only.
Permanently deleted after 7 days
All message data is automatically and irreversibly purged from our systems on day 7. No manual action required.

Minimal retention by design. We retain DM data only as long as strictly needed for the AI pipeline. After 7 days, it is deleted permanently.

Payment Security
Billing handled entirely by Stripe, we never touch your card
Powered by Stripe Checkout
PCI Compliant
We never store your card details
All payment information is entered directly on Stripe's servers. Solaris never sees, handles, or stores card numbers, CVVs, or bank details.
Stripe is PCI DSS Level 1 certified
Stripe holds the highest level of certification in the payment industry. Your financial data is protected by the most rigorous security standards available.
Encrypted Stripe Customer ID only
The only billing reference we store is your Stripe customer ID that is encrypted in our database. This ID can do nothing without Stripe's API.
Webhook signature verification
Every billing event from Stripe is verified using Stripe's webhook signature before we act on it, preventing any spoofed billing updates.
Account & Personal Data
How your profile, phone, and sensitive fields are stored
Encrypted Sensitive Fields
Phone number is encrypted at rest
Stored in an encrypted column. Not accessible in plain text even from the database directly.
Passwords are hashed, never stored
Passwords use PBKDF2-SHA256 hashing. We store only the hash, even our own team cannot recover your password.
Lead contact data is encrypted
Instagram usernames and sender IDs collected from leads are stored encrypted, limiting exposure if the database is ever breached.
Account Control
Delete your account anytime
A single action from your account settings permanently erases your profile, tokens, conversations, products, and billing history.
Submit a data deletion request
If you only want personal data erased without closing your account, you can submit a formal GDPR deletion request and we'll act within 30 days.
Avatars on Cloudinary, not our servers
Profile images are stored on Cloudinary with access control. They are never stored on Solaris database servers.
Transport & Infrastructure
Secure channels and async architecture
Architecture Security
Always-on
HTTPS / TLS everywhere
All traffic between your browser, Instagram's API, and our servers is encrypted in transit.
Async Celery worker processing
Message pipelines run in isolated async workers. A crash in one conversation cannot affect another.
Redis debounce guard
Rapid successive messages are deduplicated via Redis so the AI never processes the same message twice.
Rate limiting & retry backoff
All outbound LLM API calls include exponential backoff and rate-limit protection, preventing runaway requests.

No raw message data in logs. Our application and error logs contain only non-sensitive metadata — no message content, tokens, or personal data is ever written to log files.

Compliance & Standards
Regulations and policies we follow
Regulatory Compliance
GDPR
Right to access, correct, and delete your data. 30-day response guarantee.
CCPA
California Consumer Privacy Act. We do not sell your personal information.
Meta Platform Policy
Full compliance with Meta's Developer Policies, Platform Terms, and API usage rules.
PCI DSS (Stripe)
Payment Card Industry standards maintained by Stripe. We never enter PCI scope.
Data Minimisation
We collect only what is strictly necessary to run the service. Nothing more.
Auto-Deletion
DM data automatically purged after 7 days. No manual cleanup required.
Questions about your data?
Read the full Privacy Policy, Terms of Service, or contact our team directly at privacy@solaris.app
Privacy Policy Terms of Service Data Deletion