Security Practices
How SEOscar protects your data at every layer of the platform with defense-in-depth security.
At SEOscar, security is fundamental to how we build and operate our platform. As an SEO analysis service that handles user credentials and third-party API keys, we take a defense-in-depth approach to protecting your data at every layer.
1Authentication
Password Security
- Passwords are stored using a strong, one-way hashing algorithm with per-password salting. Never stored in plaintext.
- Minimum password length enforced at registration and reset.
- Password reset tokens are single-use and expire within a short time window.
OAuth Single Sign-On
- Sign-in via Google and GitHub using industry-standard OAuth 2.0 flows.
- OAuth tokens used only for identity verification and session maintenance.
- Only minimum scopes requested (basic profile: email, name, avatar).
Session Management
- Sessions managed using signed, HTTP-only cookies not accessible to client-side JavaScript.
- Cookies flagged as Secure in production (HTTPS only).
- Sessions have a defined maximum lifetime and are periodically refreshed.
Multi-Factor Authentication
OAuth-based sign-in inherits any MFA configured on your Google or GitHub account.
2API Key Protection (BYOK)
SEOscar operates on a Bring Your Own Key model for third-party API integrations.
Encryption at Rest
- All user-provided API keys encrypted at rest using industry-standard authenticated encryption.
- Each encrypted value includes an integrity check to detect tampering.
- Encryption keys derived from server-side secrets never exposed to client code or version control.
Access Controls
- Keys decrypted only at the moment of use, for the specific API call being made.
- Keys scoped to individual user accounts and never shared across users.
- Users can update or delete stored keys at any time.
Fallback Behavior
When you don't provide your own keys, certain features use server-managed keys. Your data passes through our servers but is not retained beyond the API call.
3Data Encryption
In Transit
- All connections between users and SEOscar encrypted using HTTPS/TLS.
- Database connections use TLS encryption.
- Cache and message queue connections use TLS encryption.
- All outbound API calls to third-party services made over HTTPS.
At Rest
- User-provided API keys encrypted using authenticated encryption.
- Passwords irreversibly hashed.
- Database backups encrypted by our database provider (Neon).
4Infrastructure Security
Hosting and Providers
| Component | Provider | Security Highlights |
|---|---|---|
| Web Application | Vercel | Automatic HTTPS, DDoS protection, edge network |
| Background Workers | Railway | Isolated containers, encrypted networking |
| Database | Neon | Managed PostgreSQL, TLS, encrypted backups, SOC 2 |
| Cache & Queues | Upstash | Serverless Redis, TLS, encryption at rest |
| File Storage | Cloudflare R2 | S3-compatible, access key authentication |
| Resend | TLS-encrypted email delivery |
Environment Management
- All secrets stored as environment variables, never hardcoded or committed to version control.
- Production, staging, and development use separate credentials.
- Access to production infrastructure restricted to authorized personnel.
5Application Security
Access Control
- Authentication enforcement — all API endpoints and protected pages require valid authentication.
- Role-based access control — organization members assigned roles (Owner, Admin, Member, Viewer) with granular permissions.
- Data isolation — every query scoped to the authenticated user's ID or organization membership.
- Admin separation — administrative functions protected by additional authorization checks.
Input Validation
- URL validation — validated for format and protocol. Private/internal IPs blocked to prevent SSRF.
- Role validation — role assignments validated against an allowed list.
- Request size limits — enforced at infrastructure level.
Plan-Based Usage Limits
API usage enforced per billing period. Requests exceeding limits are rejected with appropriate error responses.
6Webhook Security
Outbound Webhooks (Your Endpoints)
- Every webhook endpoint assigned a unique cryptographic secret.
- All payloads signed for verification that they originated from SEOscar.
- Defined timeout and automatic retry with exponential backoff.
Inbound Webhooks (Payment Provider)
Inbound webhooks from Stripe are verified using stripe.webhooks.constructEvent with HMAC-SHA256 signature validation and timing-safe comparison to prevent timing attacks.
7Token Management
| Token Type | Properties |
|---|---|
| Email Verification | Single-use, short-lived, cryptographically random |
| Password Reset | Single-use, short-lived, cryptographically random |
| Session | Signed, HTTP-only, secure-flagged, defined max lifetime |
- Previous tokens invalidated when a new token is issued.
- Expired tokens rejected at validation time.
- Tokens generated using a cryptographically secure random number generator.
8Data Isolation and Multi-Tenancy
User-Level Isolation
- Every data record associated with a specific user ID.
- All queries include user-scoping conditions.
- Cascading deletion ensures complete data removal on account deletion.
Organization-Level Isolation
- Defined membership with explicit role assignments.
- Data shared only with verified organization members.
- Invitations are token-based with expiration and single-use acceptance.
Board and Project Isolation
Kanban boards enforce ownership and membership checks. Board-level permissions are separate from organization-level permissions for fine-grained access control.
9Operational Security
Monitoring
- Application errors and exceptions tracked and monitored.
- Failed authentication attempts logged for security analysis.
- Webhook delivery success/failure rates tracked per endpoint.
Dependency Management
Dependencies regularly reviewed and updated. We use established, well-maintained libraries for security-critical functions.
Incident Response
If we become aware of a security breach affecting your data, we will:
- Investigate and contain the incident promptly.
- Notify affected users via email within 72 hours of confirmed breach.
- Provide clear information about affected data and recommended steps.
- Implement corrective measures to prevent recurrence.
10What We Do NOT Do
- We do not access or read your stored API keys except at the moment they are needed for an API call you initiate.
- We do not use your analysis data for training AI models or sharing with third parties.
- We do not sell, rent, or trade any user data.
- We do not use third-party analytics or advertising trackers.
- We do not store your payment card information.
11Your Responsibilities
Security is a shared responsibility. We recommend:
- Use a strong, unique password or sign in via OAuth with MFA enabled.
- Keep your API keys confidential. Never share them or expose them in client-side code.
- Secure your webhook endpoints. Always verify the signature header before processing payloads.
- Review your team members. Periodically audit organization members and roles.
- Report suspicious activity. Contact us immediately if you notice unauthorized access.
12Reporting Security Issues
If you discover a security vulnerability, we encourage responsible disclosure:
SEOscarEmail: office@asarum-tech.com
Include "Security Vulnerability Report" in your subject line. Please provide a description, steps to reproduce, potential impact, and any suggested remediation.
We will acknowledge your report within 48 hours and work to address confirmed vulnerabilities promptly. We ask for reasonable time to investigate before any public disclosure.
13Compliance
- GDPR — data access, portability, rectification, and erasure rights for EU users.
- CCPA — right to know, delete, and opt out for California residents. We do not sell personal information.
- Data Processing — all third-party providers maintain their own security certifications.
14Changes to This Document
We review and update this security document as our practices evolve. Material changes will be reflected in the "Last Updated" date above.