Your data. Our watch. Every layer, every request.
Security isn't an afterthought — it's the same watchman discipline we put on your sitemap, pointed inward: encryption at rest and in transit, per-tenant KMS keys, passwordless auth, and infrastructure that takes its patches from AWS while we sleep.
Defense in depth. One fails, the next one holds.
Six independent layers. Each one can catch a class of threat the others can't. We pick up security failures the same way we pick up SEO failures — before they ship.
Encryption everywhere
All data is encrypted in transit with TLS 1.3 and at rest with AES-256. CMS credentials and API keys are encrypted with per-tenant keys managed by AWS KMS.
Network isolation
Infrastructure runs in private VPC subnets with no public internet exposure. API traffic flows through API Gateway with WAF protection and rate limiting.
Access controls
Strict IAM policies enforce least-privilege access. All engineer access to production requires MFA and is logged for auditing. No developer has standing database access.
Serverless architecture
Built on AWS Lambda, DynamoDB, and S3. No persistent servers to patch. AWS manages OS updates, security patches, and infrastructure hardening.
Passwordless auth
Magic-link authentication takes the password out of the login flow, so there is no stored credential to steal. JWTs are short-lived (1 hour) and rotated automatically. No passwords are ever stored.
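As an added illustration of the flow this layer describes (example code written for this page, not the site's own implementation), the block below issues a single-use magic-link token, stores only its hash server-side, and on redemption mints a one-hour HS256 JWT that the verifier rejects once expired, tampered with, or carrying a non-HS256 `alg` header. The 15-minute link lifetime, the HS256 algorithm, the in-memory store and the signing key are assumptions for the example; the page itself states only the one-hour token lifetime.

```python
"""Passwordless login: single-use magic links plus short-lived HS256 JWTs.

Standard library only. Assumptions (not from the page): the emailed link
carries a random token whose SHA-256 hash, never the token, is kept
server-side with an expiry; redeeming it once mints a JWT that expires
after one hour; the HS256 signing key lives only in the API process.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

MAGIC_LINK_TTL = 15 * 60   # seconds a magic link stays valid (assumed value)
JWT_TTL = 60 * 60          # one hour, as stated on the page
SIGNING_KEY = secrets.token_bytes(32)   # constructed; a real key would come from KMS

# Server-side store: sha256(token) -> (email, expiry). Raw tokens are never stored.
_pending_links: Dict[str, Tuple[str, float]] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Return the raw token to embed in the emailed link; persist only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending_links[digest] = (email, now + MAGIC_LINK_TTL)
    return token


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Single use: the hash is removed on first redemption; expired links are rejected."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending_links.pop(digest, None)   # pop makes replay fail even within TTL
    if entry is None:
        return None
    email, expires = entry
    if now > expires:
        return None
    return mint_jwt(email, now)


def mint_jwt(subject: str, now: Optional[float] = None) -> str:
    """Mint a compact HS256 JWT with a one-hour exp claim."""
    now = time.time() if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + JWT_TTL}
    payload = _b64url(json.dumps(claims, **compact).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if alg is HS256, the MAC matches and exp is in the future."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # pin the algorithm; never trust 'none'
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


if __name__ == "__main__":
    link_token = issue_magic_link("alice@example.com")      # constructed address
    session = redeem_magic_link(link_token)
    print("claims:", verify_jwt(session))
    print("replay:", redeem_magic_link(link_token))          # None: link already used
```

Two details carry the security weight: the store holds a hash, so a leaked database cannot be replayed into live links, and `pop` retires the link before the expiry check runs, so a link is spent by its first use whether or not that use succeeds. The fixed `alg` check is what keeps a client-supplied header from downgrading verification.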
Monitoring & alerting
Real-time CloudWatch monitoring. Automated alerts on anomalous activity, failed auth attempts, and API abuse. Incident response within 24 hours.
Specifics, not vague promises.
How we handle the data that actually matters to you — credentials, generated content, backups, and what happens when you leave.
- 01. CMS credentials are encrypted with per-tenant keys
When you connect a CMS platform, your API keys and OAuth tokens are encrypted using AWS KMS with per-tenant encryption keys. Even our engineers cannot access your raw credentials.
- 02. Generated content is stored in your isolated S3 namespace
Blog posts, images, and assets are stored in S3 with server-side encryption. Each project has an isolated key prefix. Content is served through CloudFront with signed URLs.
- 03. AI processing does not retain your data
Content sent to Google Gemini for generation is processed in real time and is not stored by the AI provider. We have a data processing agreement ensuring your content is not used for model training.
- 04. Account deletion permanently removes all data
When you delete your account, all personal data, project data, generated content, and CMS credentials are permanently removed within 30 days. This is irreversible.
- 05. Regular backups with encryption
DynamoDB tables are backed up daily with point-in-time recovery enabled. Backups are encrypted with the same AES-256 encryption as the live data.
Standards & certifications.
Formal attestations of the work that otherwise shows up only as "trust us." Active where we're signed off, in progress where we're mid-audit.
SOC 2 Type II
Annual audit of security controls, availability, and confidentiality practices by an independent auditor.
GDPR Compliant
Full compliance with the EU General Data Protection Regulation. Data processing agreements available on request.
AWS Well-Architected
Infrastructure follows AWS Well-Architected Framework best practices across all five pillars.
Found something? We want to hear from you.
We pay attention to responsible security research. If you've found a vulnerability, tell us. We'll work with you on the timeline, credit you on the fix, and — for material findings — send a bounty.
PGP-signed encrypted reports welcome. Key fingerprint in our security.txt.
Initial acknowledgement. Full triage within 72 hours for critical-severity reports.