Trust Center

Security

SEAES handles sensitive business data including website credentials, API tokens, and SEO strategies. Security is foundational to our platform — not an afterthought.

AES-256-GCM

All credentials are encrypted at rest with AES-256-GCM authenticated encryption

SOC 2 Infrastructure

Hosted on Vercel + Supabase with SOC 2 Type II compliance

Zero Plain Text

API keys are never logged, displayed, or stored in plain text

Encryption

  • Data at Rest: All sensitive credentials (CMS API keys, OAuth tokens, SSH keys) are encrypted using AES-256-GCM with HMAC-SHA256 key derivation from a secure server-side secret
  • Data in Transit: All communications use TLS 1.3 encryption. HSTS headers enforce HTTPS across all endpoints
  • Password Hashing: User passwords are hashed using bcrypt with a cost factor of 12 — we never store or transmit plain text passwords
  • OAuth Tokens: Google Search Console and Analytics OAuth refresh tokens are encrypted at rest and refreshed automatically via secure server-side flows
  • Database: PostgreSQL database hosted on Supabase with encryption at rest enabled by default

Infrastructure Security

  • Vercel (Application Hosting): SOC 2 Type II certified, automatic DDoS protection, isolated serverless functions, automatic TLS certificate management
  • Supabase (Database): SOC 2 compliant PostgreSQL with row-level security, encrypted backups, and network isolation
  • Edge Network: Global CDN with automatic SSL, HTTP/3 support, and Web Application Firewall (WAF)
  • No SSH Access: Our serverless architecture eliminates traditional server management — there are no SSH ports to attack
  • Environment Variables: All secrets stored in Vercel's encrypted environment variable vault — never in source code or git history

Access Control

  • Role-Based Access Control (RBAC): Three roles — Admin (full access), User (client dashboard), Viewer (read-only reports). Each role has strictly scoped permissions
  • Authentication: NextAuth.js with Google OAuth 2.0 and secure credential-based login. Session tokens use HttpOnly, Secure, SameSite=Strict cookies
  • Route Protection: Server-side middleware validates authentication and role on every request to /dashboard/* and /api/* routes
  • API Authentication: All API routes verify session tokens server-side. Cron job routes require a separate CRON_SECRET for Vercel scheduled tasks
  • Client Isolation: Each client's data is isolated via database foreign keys — users can only access their own client records

Data Protection

  • No Client-Side Database Access: All database queries run server-side through API routes — the database is never exposed to the browser
  • Input Validation: All API inputs validated with Zod schema validation to prevent injection attacks
  • SQL Injection Prevention: Prisma ORM with parameterized queries — no raw SQL execution
  • XSS Prevention: React's automatic escaping, Content Security Policy headers, and no dangerouslySetInnerHTML usage
  • CSRF Protection: NextAuth.js CSRF tokens on all authentication forms

Credential Handling

CMS API keys and server credentials follow a strict security lifecycle:

  1. Collection: Credentials entered via HTTPS-only forms. Input fields use type="password" to prevent shoulder-surfing
  2. Transmission: Sent via TLS 1.3 encrypted POST request to our API
  3. Encryption: Immediately encrypted with AES-256-GCM using a key derived from NEXTAUTH_SECRET via HMAC-SHA256. The original plain text is never written to any log, database, or file
  4. Storage: Only the encrypted (base64-encoded) value is stored in PostgreSQL
  5. Usage: Decrypted server-side only when needed for CMS API calls. Decrypted value is never returned to the client or logged
  6. Rotation: Users can update credentials at any time from Settings. Old encrypted values are overwritten immediately
  7. Deletion: Upon account termination, encrypted credentials are permanently deleted within 30 days

AI Provider Security

We use multiple AI providers. Here's how data is protected at each:

Groq (Primary)

  • Transient processing — no long-term data storage
  • Data not used for model training
  • SOC 2 Type II certified

OpenRouter (GEO Gateway)

  • Routes to paid API tiers of each provider
  • Data not used for training on any provider
  • API key authentication with rate limiting

Anthropic Claude (via OpenRouter)

  • Commercial terms: "Anthropic may not train models on Customer Content"
  • Data retained up to 30 days for abuse monitoring only
  • SOC 2 Type II certified

OpenAI GPT (via OpenRouter)

  • API data NOT used for training since March 2023
  • Default 30-day retention for abuse monitoring
  • Zero Data Retention available for enterprise

Google Gemini (via OpenRouter)

  • Paid tier: prompts NOT used for product improvement
  • Data retained 55 days for abuse monitoring
  • Subject to Google Cloud security standards

Audit Trail & Change Logging

  • Complete Audit Trail: Every automated content modification is logged with before/after snapshots, timestamp, and change type
  • Immutable Logs: Change logs cannot be edited or deleted by users — only system administrators with database access can manage logs
  • Cron Job Tracking: All automated cron jobs (daily rankings, weekly audits, GEO scans) are logged with start time, status, and client count
  • Alert History: All ranking drop alerts, audit score changes, and GEO visibility shifts are permanently logged

Incident Response

  • Detection: Automated monitoring for unusual access patterns, failed authentication attempts, and API anomalies
  • Notification: Affected users notified within 72 hours of confirmed breach (per GDPR Article 33)
  • Remediation: Immediate credential rotation, access revocation, and forensic investigation
  • Reporting: Relevant supervisory authorities notified as required by applicable law

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Email: security@seaes.in

Response time: We acknowledge reports within 24 hours and provide a detailed response within 72 hours

Scope: All SEAES-operated domains and API endpoints

We appreciate responsible disclosure and will work with researchers to address issues promptly.