Security

How we protect your creator business.

krably sits between your Gmail, your social platforms, your payment processor, and your audience. That puts us on the security-critical path. Here is how we take that responsibility seriously.

Encryption at rest

Gmail refresh tokens are encrypted with libsodium secretbox before they ever touch our database. The decryption key lives only on our application servers, and a token is decrypted only when a job needs to run on your behalf. A copy of the database alone is not enough to read your inbox connection.

Social tokens stay with our partner

Instagram, TikTok, and YouTube OAuth tokens are held by our social API partner, Zernio. We store only an opaque account identifier in our database, which means a breach of krably's servers cannot expose your raw platform tokens.

Payments run through Stripe

Billing and creator product checkout both run through Stripe. We never store your card number, bank account, or tax ID. Creator product payouts flow directly to your own connected Stripe account — not through krably.

Signed webhooks, deduped jobs

Every webhook from Stripe and Zernio is signature-verified before we process it, and each event is deduplicated by its event ID, so a replayed delivery cannot double-apply a charge or a post. Background jobs run on a monitored queue with retries and failure alerting.

Access control and authentication

Authentication is handled by NextAuth with standard session tokens. Sign-in options are Google OAuth and email-and-password, with passwords stored only as salted hashes. Every authenticated route checks ownership: you only see records tied to your own account.

AI that does not leak your voice

When you click Draft reply or Polish, the relevant text is sent to our AI provider (OpenAI) to generate the draft. We do not persist the request, we do not train models on your content, and AI never runs on your inbox unless you trigger it yourself.

Reporting a vulnerability

If you believe you have found a security issue, please email us before disclosing it publicly. We will respond quickly and coordinate a fix. A formal responsible-disclosure policy and bug-bounty program are in the works.