Security
Built for teams that take customer data seriously.
We treat Auto SEO like infrastructure, not a side project. Here's how we approach security, what we've already done, and what we're actively improving.
Encryption in transit & at rest
All traffic is TLS 1.2+. Data at rest is encrypted with AES-256. Stripe handles all card data — we never see a card number.
Scoped credentials, never long-lived
Integration tokens (WordPress, Shopify, Webflow, …) are scoped per-site, rotated quarterly, and revocable from your dashboard.
SOC 2 program (in progress)
We're running an active SOC 2 Type II program with quarterly evidence collection. NDA-protected security packet available on request.
GDPR by default
Data subject requests are honored within 30 days. Export and deletion are self-serve from settings. Sub-processors are listed in our DPA.
Backups & disaster recovery
Encrypted, point-in-time backups every 6 hours; restorable to any point in the last 30 days. Multi-region failover for the API.
Defense in depth
Strict CSP (enforcement rolling out), HSTS preload, CORP, COOP. Application code runs in least-privilege containers behind a managed WAF.
Frequently asked
Where is data stored?
Primary data lives in US-East. Optional EU residency is available on Agency plans.
Can I bring my own encryption keys?
Yes, on Enterprise: we support customer-managed KMS keys for at-rest encryption of customer data.
How do you handle penetration testing?
We run quarterly third-party pen tests and monthly internal automated scans. Reports available under NDA.
Who can access my data internally?
Engineers access customer data only when responding to a support ticket the customer raised. Every access event is logged and reviewable.
What happens if I cancel?
Data is retained for 30 days for restore, then permanently deleted. You can trigger immediate deletion from the dashboard.
Report a vulnerability
Security disclosures: security@autoseo.it.com. We acknowledge within 24 hours and run a coordinated disclosure process.