Byline Security Practices
Current security measures for authentication, platform tokens, access controls, monitoring, vendors, and vulnerability reporting.
Last updated: May 11, 2026
1. Security program
Byline uses technical and organizational safeguards designed to protect accounts, customer content, connected platform tokens, billing metadata, and production systems. Security controls evolve as the product and risk profile change.
This page describes current practices for transparency. It is not a guarantee that any system is immune from security incidents.
2. Authentication and authorization
- User authentication is handled through a managed authentication system.
- Sensitive app routes are protected by server-side authentication checks.
- Admin areas are separated from normal user routes and gated by admin checks.
- OAuth account linking uses state verification and short-lived, httpOnly cookies for CSRF protection.
3. Social token protection
Byline protects connected platform access tokens and refresh tokens using encryption and access controls before storing them. Credentials are accessed only when needed for the connected-account feature you request or authorize.
Users can disconnect supported platform accounts from settings. Disconnecting removes Byline's stored connection data for that platform; fully revoking access may also require removing the app from the platform's own account settings.
4. Data protection
- Production data is hosted with managed infrastructure providers.
- Network traffic uses HTTPS in production.
- Database access is separated between authenticated user access, server-side operations, and admin operations.
- Customer workspaces are scoped to the owning user account and enforced by product authorization checks.
- Backups, logs, and provider-level retention may exist for operational resilience, security, and legal reasons.
5. Monitoring and incident response
Byline uses error logging, operational logs, rate limiting, idempotency controls, retry controls, and internal admin tools to monitor reliability and abuse risk.
If we determine that a security incident affects personal information or connected platform data, we will investigate and provide notifications required by law, contract, or platform policy. If an incident could reasonably affect LinkedIn API content, LinkedIn services, or LinkedIn members, we will handle platform notification according to LinkedIn's applicable requirements.
6. Vendor security
Byline relies on specialized providers for hosting, authentication, payments, email, bot prevention, error monitoring, AI processing, connected-platform access, and research retrieval. We select providers based on product need, security posture, and contractual commitments appropriate for the service.
7. Vulnerability reporting
Please report suspected vulnerabilities to support@byline.work. Include the affected URL or feature, steps to reproduce, impact, and your contact information.
Do not access, modify, delete, exfiltrate, or disrupt data that is not yours. Do not perform denial-of-service testing, deceptive staff impersonation, physical attacks, spam, or testing that harms Byline, users, platforms, or providers.
8. Compliance status
Byline has not published a SOC 2, ISO 27001, HIPAA, PCI DSS service provider, or similar compliance report. Payment card and payment account processing is handled by the payment provider or merchant of record; Byline does not store full card numbers.