SEOJuice Security Practices
SEOJuice is a privacy-first web analytics startup that’s built to enable you to comply with GDPR, CCPA and other privacy regulations that impact your business. You entrust us with your site data and we take that trust to heart. We’re committed to being transparent, securing your data, eliminating systems vulnerability and ensuring continuity of access.
TL;DR
Here’s a brief summary of our data security practices:
- All data is encrypted in transit
- All visitor data is irreversibly hashed and regularly wiped
- All data is hosted in the EU on EU-owned servers
- User passwords are hashed and salted
- Our software is updated multiple times per week
- There is a public changelog
- Regular vulnerability scans are conducted
- All data is backed up on remote backups
- Data access is firewalled and user-restricted
- Our JS Snippet code is transparent and you can audit it.
- Performance is monitored and uptime is disclosed
- Data can be exported via CSV
- We don’t collect nor store any personal or sensitive data
- We don’t store debit/credit card details
- We don’t store any data outside the EU
- We don’t outsource our software development
- We don’t outsource our infrastructure management
- We don’t sell, share or in any other way monetize your data
Here’s a more detailed overview of the technical and organizational security measures we use to secure SEOJuice and protect your data.
Data minimization
SEOJuice is a privacy-first tool so we don’t collect or store personal or sensitive data. Even though the purpose of SEOJuice is to insert automated SEO links into your website, this can be done without tracking, collecting or storing any personal data or personally identifiable information (PII), without using cookies and while respecting the privacy of your website visitors.
We minimize data collection in general.
Personal data
We don’t use cookies, browser cache or local storage. We don’t store, retrieve or extract anything from visitor’s devices. The data we process cannot be used to identify any single individual.
Every HTTP request to the Snippet and to the API Endpoint sends the IP address and the User-Agent to the server. This data is used only for logging in case of errors. No Personal data is being recorded or stored for processing.
The raw data IP address and User-Agent are wiped from the server after 2 weeks.
Data encryption
To protect against access, modification or theft of the data, the data is encrypted in transit and at rest. Our hashing process increases the security of your visitor data by making it irreversible.
Our hashing process provides robust security for your data. Unlike encryption, which is a reversible process using a decryption key, hashing irreversibly transforms your data into a unique string of characters. The use of salts in our hashing process adds an extra layer of protection by preventing the original IP addresses from being revealed in a brute force attack.
In our database, the raw IP address and user agent are completely inaccessible to anyone, including us.
Server location
All the site data we do collect is kept encrypted in Germany on servers owned by a German company (Hetzner). This ensures that all of the website data is being covered by the European Union’s strict laws on data privacy. Your website data never leaves the EU and EU-owned cloud infrastructure.
Data ownership
You own all right, title, and interest to your website data. We obtain no rights from you to your website data. We don’t collect and analyze personal information from web users and use these behavioral insights to sell advertisements. When using SEOJuice, you 100% own and control all of your website data. We don’t sell or share your site data to any third-parties, and we don’t abuse your visitor’s privacy.
Data portability
You can export your data at any time in the CSV Format.
Data deletion
You are fully in control of any of the website links that we create on your behalf. We claim no rights. It’s your data. You can permanently delete your SEOJuice account and/or permanently delete all of your site data within your settings at any time.
User identification and authorization
Passwords for signing in are hashed and salted.
Data sharability
We give you complete control over how you choose to share the data you collect. Only you can invite and remove users and apply permission levels in your account.
Internal access controls
Our team doesn’t have a reason to access or process customer data on a day to day basis. Processing is fully automated. It’s only if there’s a problem with an account or to help resolve a customer support question that we might need to access your data.
We use role-based access controls. Access to our servers is strictly limited to specific individuals within our team. We log all logins to help us identify and investigate potential security breaches. Additionally, we use multi-factor authentication to prevent unauthorized access to our systems.
Backups and disaster recovery
In the unlikely event of a loss of production data, we have a disaster recovery plan in place. Your data is not only safely stored, but also easily recoverable. We also perform offsite backups.
Subprocessors
We’ve tried hard to limit external services that we use and none of them have access to see or download the data. No third-party vendors are involved other than the hosting company that owns the servers where our data is stored (Hetzner) and our global CDN (Bunny). Both are European-owned companies.
For full details, take a look at our privacy policy.
Payment information
All our payments are processed through Paddle. Paddle is PCI DSS SAQ A compliant. Using Paddle means we don’t need to store your payment card details and other payment information. They are sent encrypted directly to Paddle. We don’t store them anywhere.
Physical security
SEOJuice is hosted within data centers provided by Hetzner. As such, we take advantage of their physical, environmental and infrastructure controls. Hetzner is accredited with the ISO 27001 security certificate which covers their physical security controls.
For further information about the security of the server and the hardware itself, here’s what Hetzner says about their security practices.
Availability and infrastructure monitoring
We do extensive application and infrastructure monitoring. We maintain redundancy throughout our infrastructure in order to minimize the risk of low or slow availability or loss of data. We aim to provide continuous availability.
Our commitment to an uninterrupted service includes the use of robust security measures such as rate limiting and DDoS protection to provide resilience and ongoing availability.
In addition to these measures, we actively monitor data ingestion and service health from various geo locations. This global monitoring strategy allows us to proactively identify and address any potential issues, ensuring a seamless experience for users across different regions.
Software quality assurance
SEOJuice is updated several times per week. We use an ever-expanding and comprehensive set of automated tests running after each code change as part of our software quality assurance. This complements our software development practices which include code reviews.
Data privacy and other legal documents
Our legal docs including our terms of service, privacy policy, and data processing agreement are all publicly available and include the full details on what we do and how. These docs are written to answer specific questions about our data privacy practices.
Reporting security problems
If you’ve found a security vulnerability with the SEOJuice codebase, you can disclose it responsibly by sending a summary to us. We’ll review the potential threat. We appreciate your patience and understanding that some reports will take time to fix and the process may involve a review of our codebase for similar problems. It’s crucial we can trust you not to disclose the vulnerability to anyone until a few days after we release the fix.
We’re incredibly thankful for people who take the time to share their findings with us. Whether it’s a tiny bug that you’ve found or a security vulnerability, all reports help us to continuously improve SEOJuice for everyone. Thank you!
Security questions or concerns?
If you have any questions or concerns regarding our security practices, please contact me.
Last updated: August 17, 2024