Compliance and Security Summary
Public reviewer-facing summary of controls, scope, and operator evidence.
Last Updated: March 11, 2026
Security Controls
| Control Area | Current Behavior |
|---|---|
| OAuth Token Handling | Token bundles are stored server-side only and never returned in public API payloads. |
| Disconnect / Revocation | The in-app Disconnect Channel action attempts token revocation with Google and then removes the persisted token records from storage. |
| Session Protection | Signed session cookies with CSRF/origin enforcement on mutating actions. |
| Rate / Quota Safety | Runtime send limiters and quota-restriction stages cap automated actions so they cannot exceed safe sending rates or API quota. |
| Operational Logging | Short-lived operational telemetry/log retention with rolling expiry. |
Reviewer Evidence Bundle
| Evidence Item | Where to Verify |
|---|---|
| Public Legal Pages | Terms, Privacy, Contact |
| YouTube/Google Policy References | Third-party policy links on Privacy |
| Scope to Feature Mapping | OAuth mapping section on Privacy |
| Disconnect / Revocation Path | Authenticated dashboard account menu action: Disconnect Channel |
| Tester Access Workflow | Home page tester request flow and onboarding guidance |
| Support / Escalation | wannaseemyrod@gmail.com (target response within 7 calendar days) |
Auditability and Operations
RODbot gates production deploys on smoke and compliance checks and maintains incident runbooks for release discipline. A release reaches production only after strict verification and authenticated smoke checks have passed.
For reviewer support, contact wannaseemyrod@gmail.com.