# Security & compliance
> Canonical: https://skedsocial.com/security/  
> Last updated: 2026-06-03

Sked is SOC 2 Type 2 certified (February 2025). We take data protection seriously because the marketing teams and brands trusting us take it seriously too.

Sked Social takes security and privacy seriously for all of our customers. We use the governance, risk and compliance platform Drata to provide continuous monitoring across:

- Infrastructure security and monitoring controls (such as encryption policies and firewalls).

- Employee and contractor processes for data access (including background checks).

- Internal policies for how we process and manage our code and customer data.

Our [Terms of Service](https://skedsocial.com/terms-of-service) and [Privacy Policy](https://skedsocial.com/privacy-policy) spell out exactly how we handle customer information.

As an Australian company, Sked is also subject to data breach notification obligations under the Privacy Act 1988 (Cth), administered by the Office of the Australian Information Commissioner.

### Six controls that underpin the platform

- **SOC 2 Type 2** — Completed 13 February 2025, independently audited by CPA firm Assurance Lab. Ongoing audit cycle. Report available on request to enterprise customers.
- **Data encryption** — In transit via TLS 1.3. At rest via AES-256. Scoped keys per customer tenant.
- **Access control** — Role-based access, SSO on Enterprise and Custom, per-brand permissions, detailed audit logs.
- **Privacy & DPA** — Compliant with the Australian Privacy Principles and substantively aligned with GDPR. DPA available pre-signature.
- **Penetration testing** — Annual third-party penetration testing. Most recent report available under NDA.
- **Vulnerability disclosure** — Responsible disclosure at security@skedsocial.com. We acknowledge within 2 business days.

## Vulnerability disclosure policy

Sked is committed to the safety and security of our customers and employees. We foster an open partnership with the security research community and recognise the role of vulnerability disclosures in keeping everyone safe.

To submit a vulnerability report to Sked's Product Security Team, email security@skedsocial.com. We use the criteria below to prioritise and triage submissions:

- Well-written reports in English get the fastest resolution.

- Reports that include proof-of-concept code help us triage faster.

- Reports that include only crash dumps or automated tool output may be lower priority.

- Reports covering systems outside the currently-listed Sked Social products may receive lower priority.

- Please describe how you found the bug, the impact, and any remediation ideas.

- If you plan to disclose publicly, let us know your intended timing so we can co-ordinate.

What you can expect from us in return:

- A timely response — within 2 business days.

- After triage, an expected timeline with as much transparency as possible about remediation (and any issues or delays).

- An open dialogue as we investigate.

- Where communication issues cannot be resolved, Sked may engage a neutral third party to help determine the appropriate handling of the vulnerability.

- Notification as each stage of review completes.

- Credit after a vulnerability has been validated and fixed.

Sked does not currently compensate third-party researchers through bug bounties.

### Legal posture

Sked Social will not engage in legal action against individuals who submit vulnerability reports through our reporting inbox. We agree not to pursue legal action against researchers who:

- Engage in testing or research without harming Sked Social or its customers.

- Operate within the scope of our vulnerability disclosure programme.

- Test on products without affecting customers, or receive permission and consent from customers before testing on their devices or software.

- Comply with the laws of their location and Sked Social's location.

- Refrain from disclosing vulnerability details publicly before a mutually agreed timeframe expires.

We ask that researchers comply with our Terms of Service.

## Whistleblower reporting

To anonymously report a violation of our information security programme or related laws, please contact our external counsel Paul Noonan at [paul@noonanlegal.com.au](mailto:paul@noonanlegal.com.au).

Below: what we expect from you when submitting a report, and what you can expect from Sked Social in return.

### What we expect from you

- A detailed report made in good faith or based on a reasonable belief.

  - Good Faith means the truthful reporting of a company-related violation of information security policies, procedures, or regulations — not a report made with reckless disregard or wilful ignorance of facts.

  - Reasonable Belief refers to your subjective belief in the truth of the disclosure, AND that any reasonable person in a similar situation would objectively believe the same based on the facts.

- Details of the violation — what, how, why.

- Details of the reported event — who, where, when.

You are not responsible for investigating the alleged violation or determining fault or corrective measures.

### What you can expect from Sked

- Your report will be submitted to the security committee for review.

- Protection of your identity and confidentiality. (Note: it may be necessary to disclose your identity when a thorough investigation, compliance with the law, or due process for accused members requires it.)

- Protection against retaliation and harassment — including termination, compensation decreases, poor work assignments, or threats of physical harm. If you believe you are being retaliated against, contact external counsel immediately.

- Any retaliation or harassment against you will result in disciplinary action. (Note: your protection against retaliation does not include immunity for any personal wrongdoing alleged in the report and investigated.)

- Due process for you and for the accused member(s).

- Corrective actions to resolve a verified violation, plus a review and enhancement of applicable policies and procedures where necessary.

- Continuous information security awareness training and clarity on your rights as a whistleblower.
