Honest disclosure

State of security at ItzSEO.

This page tells you what's actually true today — not what we'd like to claim, not what's on a roadmap dressed up as a feature. If a SOC2 badge isn't below, it's because we don't have SOC2 yet. We'll add it the day we earn it.

In place today

What's real, verified, live.

TLS everywhere

All marketing + app traffic served over TLS 1.2+. Cloudflare in front of every request. HSTS enforced. No HTTP fallback.

Stripe handles all payment data

Card numbers never touch our servers. Stripe is PCI-DSS Level 1. We store only the Stripe customer ID + subscription ID — the same way Shopify and most modern SaaS do it.

Database isolation

Neon Postgres with workspace-level row scoping enforced in lib/workspace.ts. Every query passes through buildTaskVisibilityFilter or equivalent. Cross-workspace data leaks audited 3 times this year (and fixed).
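As an added illustration (not ItzSEO's own lib/workspace.ts), here is the pattern that paragraph describes in miniature: a visibility predicate derived only from the authenticated session, one scoped and one unscoped row accessor, and a leak audit that flags any accessor returning rows from a foreign workspace. The helper names, the sample rows and the audit routine are all hypothetical and constructed for this example.

```typescript
// Added example, not ItzSEO's code: in-memory model of workspace-scoped
// row visibility plus the kind of cross-workspace leak audit the page
// describes. buildTaskVisibilityFilter is a hypothetical stand-in for the
// helper the page names; all rows below are constructed sample data.
type Task = { id: string; workspaceId: string; title: string };
type Session = { userId: string; workspaceId: string };
type Accessor = (s: Session, taskId: string) => Task[];

// Constructed sample rows spanning two workspaces.
const TASKS: Task[] = [
  { id: "t1", workspaceId: "ws-a", title: "Refresh pricing page" },
  { id: "t2", workspaceId: "ws-a", title: "Fix canonical tags" },
  { id: "t3", workspaceId: "ws-b", title: "Audit internal links" },
];

// The predicate comes from the session only, never from request input,
// so a caller cannot widen what it is allowed to see.
function buildTaskVisibilityFilter(s: Session): (t: Task) => boolean {
  return (t) => t.workspaceId === s.workspaceId;
}

// Hardened accessor: even a lookup by primary key passes the predicate.
const getTaskScoped: Accessor = (s, id) =>
  TASKS.filter((t) => t.id === id).filter(buildTaskVisibilityFilter(s));

// Defective accessor of the kind an audit should catch: it trusts the id
// alone and skips the workspace predicate entirely.
const getTaskUnscoped: Accessor = (_s, id) => TASKS.filter((t) => t.id === id);

// Leak audit: act as a session in each workspace, ask every accessor for
// every row id belonging to another workspace, and record any accessor
// that hands back a foreign row. Returns the names of leaking accessors.
function auditWorkspaceIsolation(accessors: Record<string, Accessor>): string[] {
  const leaking = new Set<string>();
  const workspaces = Array.from(new Set(TASKS.map((t) => t.workspaceId)));
  for (const ws of workspaces) {
    const session: Session = { userId: "auditor", workspaceId: ws };
    const foreign = TASKS.filter((t) => t.workspaceId !== ws);
    for (const [name, fn] of Object.entries(accessors)) {
      for (const row of foreign) {
        if (fn(session, row.id).some((t) => t.workspaceId !== ws)) {
          leaking.add(name);
        }
      }
    }
  }
  return Array.from(leaking).sort();
}
```

Running the audit over both accessors reports only the unscoped one, which is the signal a periodic isolation check would act on.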

Hostinger + Cloudflare infra

Application runs on Hostinger VPS with auto-deploy from GitHub. Cloudflare provides DDoS protection + edge caching + Web Application Firewall. Hosted in EU/US regions.

Least-privilege OAuth scoping

Google Search Console: webmasters.readonly. Google Analytics 4: analytics.readonly. Meta Ads: ads_read only. We never request write scopes for read-only integrations.

2FA available

Sign in with Google / GitHub OAuth (which can have 2FA enforced upstream). Email-magic-link sign-in available. App-level 2FA on the roadmap for owner-level accounts.

What we DON'T have

No SOC2. No ISO 27001. No HIPAA BAA.

If your organization requires any of these certifications to onboard a vendor, ItzSEO is not the right tool yet. We'll get there — but every SaaS company in our weight class would lie to you and we won't.

  • SOC2 Type II — Targeted 2027. We're documenting controls now.
  • ISO 27001 — Considering for 2027–2028 after SOC2 is in place.
  • HIPAA — Not on the roadmap. ItzSEO isn't built for protected health information.
  • GDPR DPA on request — Available for EU customers. Email hello@itzseo.com for a copy.
  • Penetration testing — Internal audits only so far. External pen-test scheduled for Q4 2026.

Your data, your control

No lock-in commitments.

Export anytime

CSV export of keywords + ranks + content + engagements + HR records. WordPress + Shopify articles stay on your CMS — we never gate publish history.

Delete on cancel

Cancel from /settings/billing in one click. We delete workspace data within 30 days unless you ask us to keep it longer (some teams need data for tax audits).

No model training

Your content is NOT used to train any AI model. Claude API calls pass through Anthropic with their no-training-by-default API contract. We don't aggregate customer data for ML.

Sub-processors

Who else touches your data.

All listed are major vendors with their own SOC2/ISO posture.

Vendor              Purpose                              Region
Neon                Postgres database                    US East
Hostinger           Application hosting (VPS)            EU + US
Cloudflare          DNS, CDN, WAF, DDoS                  Global edge
Stripe              Payments + billing                   US (PCI-DSS L1)
Anthropic (Claude)  AI content + intent classification   US
DataForSEO          Keyword data + SERP                  EU
Resend              Transactional email                  US
Voyage AI           Embedding for help search            US

Incident response

If something goes wrong.

We're a small team, which means there is no security theater. If we detect or are notified of a data incident:

  1. Within 1 hour — We investigate scope. Service may be paused if needed to limit blast radius.
  2. Within 24 hours — Affected customers receive an email with what we know, what we don't, and what action they should take.
  3. Within 72 hours — Public post-mortem on this page if any customer data was exposed. Per GDPR Art. 33, EU customers are notified within 72 hours regardless.
  4. Ongoing — Status updates until resolved + a written root-cause analysis published.

Report a security issue: security@itzseo.com. We respond within 24 hours. Responsible disclosure: we won't pursue legal action against good-faith research.

FAQ

Trust questions.

Do you train AI models on my content?
No. Your articles, keyword lists, audit data, CRM records — none of it goes into model training. Claude calls go through Anthropic's API with their default no-training contract. We don't run our own ML on customer data.

What happens to my data if you go out of business?
We hold a small cash runway specifically for an orderly wind-down. If ItzSEO ever needs to shut down, we commit to 60 days of read-only access for you to export everything, plus we'll publish open-source export tools. Your content + customer relationships are yours, not held hostage.

Is my data hosted in the EU?
Application servers are in EU + US regions (Hostinger). Postgres (Neon) is US East. Cloudflare runs at the global edge. For EU customers under GDPR, we provide a DPA via hello@itzseo.com. If EU-only data residency is a hard requirement, contact us — we can discuss.

Are passwords hashed?
We don't store passwords. Authentication is OAuth (Google / GitHub) or email magic link. There's nothing to leak via a hashed-password breach because we don't have a password database.

Can I get a copy of your privacy policy?
Yes — full version at /privacy. Plain-English summary: we collect what you give us (email, content, keywords) + what's needed to run the service. We don't sell data. We don't share with ad networks. We comply with GDPR + CCPA deletion requests within 30 days.

Trust, not trust me.

Have a security question we didn't answer? security@itzseo.com