1. Infrastructure Security
CoPost is hosted on AWS using Lambda, API Gateway, DynamoDB, and S3. We use least-privilege IAM roles and network-level protections to isolate services and data.
2. Data Encryption & Token Storage
All OAuth access tokens (Facebook, Instagram, YouTube, etc.) are encrypted at rest using AWS KMS. Communication between services and with users is secured via HTTPS/TLS.
3. Authentication & Access Control
We use OAuth 2.0 for secure user authentication. We do not store your password if you sign in via third-party providers. Internal access is restricted via role-based permissions.
3.1 OAuth Flow via WhatsApp
Users interact with our service via WhatsApp. When you request to connect a platform, we generate a secure, user-specific link that is mapped directly to your WhatsApp account. This personalized link opens in your device's default browser (e.g., Chrome), where you complete the OAuth login and consent process entirely on our verified domain, outside of WhatsApp. This ensures only you can use the link, and your authentication credentials are never exposed within the WhatsApp interface.
This approach provides an additional layer of security by conducting all OAuth operations on our verified domain, where you can verify the authenticity of the authentication process before granting permissions.
4. Operational Security
Our systems are monitored with logging and alerting. We perform regular security reviews and vulnerability assessments to ensure our infrastructure and code remain secure.
5. Third-Party Integrations
By connecting your social accounts, you grant CoPost permission to perform actions on your behalf within the scopes you consent to. We strictly limit the scopes to the minimum needed for functionality.
6. User Controls
You can remove any of your connected social accounts directly from WhatsApp by sending commands like "remove account", "remove youtube", or "remove facebook" to our WhatsApp bot. If you need additional help, please contact us at hello@tryat.ai.
7. Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly to hello@tryat.ai. We will acknowledge reports within 5 business days and work to resolve them promptly.
8. Certifications & Compliance
We are actively working towards compliance with recognized security frameworks. As of now, we maintain strict data handling practices and perform regular security assessments.
9. Data Privacy & Sharing
We never sell or share your data with third parties. OAuth credentials and user information are used strictly to perform the features you authorize within Tryat.
10. Data Retention & Account Deletion
Access tokens and data are retained only while your account remains connected. When you remove an account or request deletion, all associated data is permanently deleted within 48 hours.
For security purposes, accounts that remain inactive (no platform usage) for 30 consecutive days will be automatically deactivated. Deactivated accounts will have their access tokens revoked and stored data secured. You can reactivate your account at any time by connecting your social accounts again through WhatsApp.
11. Audit Logs
We maintain secure audit logs for OAuth activity and content publishing events to monitor security and prevent misuse.
12. Contact
For questions about security practices, contact us at:
- Company: TRYAT AI PRIVATE LIMITED
- Email: hello@tryat.ai
- Website: https://tryat.ai
- CIN: U62099TS2025PTC198621