Security at Distinctful
Last updated: May 8, 2026
Distinctful handles the operating data behind a creator's business: content, audience signals, connected platform records, offers, and attribution context. Security is built around minimizing access, protecting connected tokens, and keeping customer data isolated, observable, and recoverable.
Security model
Distinctful follows a practical security model aligned with modern security fundamentals: govern risk, identify sensitive systems, protect access and data, detect abnormal behavior, respond to incidents, and recover service safely.
The product is designed as a multi-tenant SaaS application. Customer data is logically scoped by account and user ownership checks. Product code is expected to enforce authorization at service and route boundaries before customer data is read or changed.
Data protection
- Traffic is served over HTTPS/TLS.
- Production responses include security headers such as HSTS where applicable.
- Connected-platform access tokens are encrypted at rest.
- Secrets are kept out of client bundles and managed through controlled environment configuration.
- Payment card data is handled by Stripe or another designated payment processor, not stored directly by Distinctful.
- Data access is limited to what is needed to operate, support, debug, secure, and improve the Service.
Identity and access
Distinctful uses managed authentication infrastructure and application-level authorization checks to protect account access. Sensitive product operations are expected to validate the authenticated user and the ownership of the resource being accessed.
Customers are responsible for protecting their login methods, controlling access to their email account, reviewing connected platform permissions, and disconnecting providers they no longer want Distinctful to access.
Connected platform tokens
Distinctful is built to use OAuth or other provider-approved authorization flows where available. We do not ask users to share third-party platform passwords. OAuth scopes are requested based on the integration purpose, and tokens are used only to deliver the product workflows the user authorizes.
You can disconnect supported platforms in Distinctful settings or through the provider's own authorization controls. Disconnecting a provider removes or invalidates Distinctful's stored access where technically supported.
Monitoring and incident response
Distinctful uses logging, error monitoring, queue/runtime checks, and deployment health signals to identify failures and suspicious behavior. When a security incident is suspected, we prioritize containment, investigation, credential or token rotation where needed, remediation, and legally required notification.
If a provider outage or API change affects a connected workflow, Distinctful may pause syncs, disable affected functionality, surface recovery guidance, or require users to reconnect a platform.
Infrastructure and service providers
Distinctful relies on reputable infrastructure and service providers for hosting, authentication, database, payments, email, analytics, monitoring, queues, and connected-platform APIs. Provider security programs are part of our overall risk model, but each provider remains responsible for its own systems.
Distinctful does not claim that every provider, integration, or connected platform offers identical security controls, availability, retention rules, or compliance posture.
Compliance posture
Distinctful is not designed for regulated health information, classified data, payment card storage, or other categories that require specialized compliance programs unless a separate written agreement says otherwise.
Distinctful does not currently represent that it is SOC 2, HIPAA, PCI DSS, ISO 27001, or GDPR certified as an organization. We use service providers with their own security and compliance programs where appropriate.
Vulnerability reporting
If you believe you found a vulnerability, email security@distinctful.com with a concise description, affected URL or endpoint, reproduction steps, impact, and your contact information.
Do not access, modify, delete, exfiltrate, or disclose data that does not belong to you. Do not degrade service, run destructive tests, use social engineering, or test against third-party providers. We do not currently operate a paid bug bounty program.
Customer responsibilities
- Use a secure email account and strong authentication for your Distinctful login.
- Grant only the third-party platform permissions you intend to use.
- Review connected platforms periodically and disconnect what you no longer need.
- Avoid placing regulated, highly sensitive, or unnecessary personal data into Distinctful.
- Report suspected account compromise or unauthorized provider activity promptly.