Security at EdgeRank

Last updated: 2026-04-30

Template — review required before publishing

This document is a working template provided as a starting point. It is not legal advice. Replace bracketed placeholders, adapt clauses to your specific operations, and have qualified legal counsel review before publishing or relying on it.

Security is foundational to running an SEO platform that touches your live website. This page describes how we protect your data and our infrastructure, and how to reach our security team.

Infrastructure

EdgeRank runs on a small set of well-known providers, each chosen for security posture and operational maturity:

  • Cloudflare — edge worker, CDN, DNS, DDoS protection. SOC 2 Type II, ISO 27001.
  • Vercel — application hosting. SOC 2 Type II.
  • Supabase — Postgres database, authentication, object storage. SOC 2 Type II.
  • Stripe — payments. PCI DSS Level 1 certified.

Data encryption

  • In transit: all traffic to and from EdgeRank is encrypted with TLS 1.3. We enforce HTTPS sitewide via HSTS.
  • At rest: production data is encrypted at rest using AES-256 by our infrastructure providers.
  • Secrets: API keys, OAuth tokens, and other secrets are stored encrypted in the database and accessed only by server-side code.

Authentication and access control

  • User passwords are hashed with bcrypt.
  • OAuth-based sign-in is supported (Google).
  • Internal staff access to production systems is restricted by role, requires multi-factor authentication, and is logged.
  • The application enforces row-level security so customers can access only their own sites and data.

Application security

  • Server-only code is enforced at build time via the server-only package and the Next.js compiler: a module that holds secrets or runs database queries fails the build if it is imported into a client bundle, so they cannot leak to the browser.
  • Input validation on all API endpoints; parameterized database queries prevent SQL injection.
  • Rate limiting and abuse detection on public endpoints.
  • Dependencies scanned for known vulnerabilities; security patches tracked and applied on a defined schedule.

Backup and recovery

Production database backups run continuously with point-in-time recovery for the last [7] days. Backups are encrypted and tested regularly. Our recovery time objective (RTO) is [4 hours]; recovery point objective (RPO) is [1 hour].

Incident response

We maintain an incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a confirmed personal data breach, we notify affected customers within [72 hours] of discovery, in line with GDPR Article 33.

Compliance

  • GDPR / UK GDPR: we honor data subject rights (access, deletion, portability) and offer a Data Processing Agreement to customers — see DPA.
  • CCPA: California residents can request access and deletion via privacy@edgerank.app.
  • SOC 2: [planned for [date] — adjust as your program progresses].

Reporting a vulnerability

If you believe you've found a security vulnerability in EdgeRank, please report it to security@edgerank.app. We aim to acknowledge within [2 business days] and resolve confirmed issues as quickly as practical.

Please do not access or modify customer data without authorization, and avoid actions that degrade Service availability for others. We will not pursue legal action against researchers acting in good faith and in accordance with this policy.

Subprocessors

For the full list of subprocessors that may process customer data, see our Privacy Policy.