Security

Rankhog's current security practices, responsible disclosure process, and security roadmap.

Effective date: May 27, 2026

1. Project Status

Rankhog is operated by Productized Inc. We are building Rankhog with security, privacy, and compliance readiness in mind. Rankhog is not currently SOC 2 or ISO 27001 certified, and we have not completed a formal external security audit yet.

2. Infrastructure and Hosting

Rankhog uses trusted cloud providers for production infrastructure. The frontend is hosted on Vercel, the API runs on Railway in the United States, and the database is hosted with PlanetScale.

  • All production traffic is protected in transit with HTTPS.
  • Provider-managed encryption at rest is used where available.
  • Infrastructure access is scoped by person and protected with two-factor authentication.
  • We do not use shared production provider credentials.

3. Secrets Management

Secrets are not hardcoded or stored in version control. Credentials, API keys, tokens, webhook secrets, database URLs, and similar secrets are managed through environment variables and provider dashboards. Secrets are rotated when needed.

4. Data Privacy and Access Control

Rankhog data is scoped by organization and account. Internal access is minimized, limited to operational need, and reviewed as the product evolves. Production data is not used in development or test environments.

5. Browser-Control Safeguards

Rankhog uses a connected desktop browser for guarded Reddit workflows. Users sign in to Reddit directly in the embedded desktop browser. Rankhog does not store Reddit passwords, Reddit two-factor authentication codes, Reddit OAuth tokens, or raw Reddit profile cookies on Rankhog servers.

  • Browser sessions are tied to a workspace, managed Reddit account, and connected desktop device.
  • Browser commands are policy-gated before they are queued or run.
  • Sensitive or submit-like actions can require explicit user approval.
  • Sensitive Reddit account, login, payment, and challenge pages are blocked from browser-control execution.
  • Rankhog stores only the metadata needed to verify readiness, route commands, record approvals, and support audits.

6. Dependencies and Monitoring

Rankhog uses a modern TypeScript and Bun-based stack with pinned dependencies. We review dependency updates, monitor GitHub security alerts, and patch vulnerable dependencies based on severity and product exposure.

7. Responsible Disclosure

If you discover a vulnerability or security issue, please report it privately to anthony@cossistant.com. Please do not open public issues or disclose sensitive details publicly before we have investigated.

We aim to respond within 48 hours and prioritize remediation based on severity, exploitability, and customer impact.

8. Security Roadmap

We plan to continue improving Rankhog security with:

  • Automated dependency audit and patch workflows.
  • Admin-level audit logs.
  • Expanded security documentation for customers.
  • Stronger encryption and retention controls for support content and uploaded user content.
  • SOC 2 and ISO 27001 preparation based on customer needs.

9. Shared Responsibility

Security is a shared responsibility. Keep your Rankhog account, email account, Stripe account, Reddit account, and connected desktop device secure. If something looks unclear, over-permissive, or potentially exploitable, contact us privately so we can investigate quickly.