RankTracker / Legal / Security


Security practices

A summary of how RankTracker protects the data that agencies and brands entrust to us. For a deeper review under NDA, contact security@ranktracker.ca or visit the trust center.

Certifications

  • SOC 2 Type II, audited annually by an independent CPA firm.
  • ISO 27001-aligned Information Security Management System.
  • GDPR, UK GDPR, CCPA, and EU AI Act compliance program.
  • PCI-DSS handled by Stripe; we never store cardholder data.

Encryption

  • TLS 1.3 for data in transit on every endpoint; our domains are enrolled in the HSTS preload list.
  • AES-256 at rest for the primary database, backups, and object storage.
  • OAuth refresh tokens (Google Search Console, etc.) encrypted with envelope encryption; per-customer data keys rotated annually.
  • Customer-managed encryption keys (CMEK / BYOK) available on the Enterprise tier via AWS KMS or GCP KMS.

Access control

  • Role-based access (owner, admin, member) with row-level security in the database.
  • Mandatory SSO for the Enterprise tier (SAML, Google Workspace, Microsoft Entra).
  • SCIM 2.0 user provisioning on Enterprise.
  • Mandatory hardware MFA for staff with production access; just-in-time elevation.
  • All production access audit-logged and reviewed monthly.

Infrastructure

  • Cloudflare edge with EU/US primary regions. UK data residency on the Scale tier, EU residency on the Agency tier.
  • Infrastructure-as-code; all changes peer-reviewed and CI-tested before deploy.
  • Automated daily encrypted backups, 35-day retention, quarterly restore drills.
  • RPO 24h, RTO 4h for the primary region. Cross-region failover within 4h.

Application security

  • SSDLC: threat modeling, code review, automated SAST/DAST, dependency scanning, SBOM published per release.
  • CSP, SRI, frame-ancestors and Permissions-Policy hardened on every surface.
  • Annual third-party penetration test; summary letter available under NDA.
  • Continuous fuzzing on parser and ingestion endpoints.

AI supply chain

We treat LLM providers as security-critical sub-processors. Every LLM API used for Customer Personal Data runs under a zero-retention enterprise endpoint with no model training rights. Prompt injection and data exfiltration testing are part of our annual pentest scope. Model cards for each AI feature are published in the trust center.

Prompt injection

The scan corpus (raw LLM responses about your brand) is rendered as inert text in the dashboard. We strip executable HTML, sanitise links, and isolate scan content in a shadow DOM so a hostile response cannot pivot into a session-stealing payload.

Incident response

  • 24x7 paging for sev-1 incidents.
  • Customer notification within 72 hours for confirmed data incidents involving personal data.
  • Post-mortems published on the status page for any sev-1 with customer impact.
  • Tabletop exercises run quarterly with the executive team.

Vulnerability disclosure

We publish a security.txt at /.well-known/security.txt. Researchers can report vulnerabilities to security@ranktracker.ca with PGP if preferred. We respond within 24 hours, triage within 72 hours, and credit researchers in our hall of fame unless anonymity is requested. The bug bounty program (in-scope: production hosts; out-of-scope: rate limits and marketing site) is run on private invitation.

Sub-processor security

Every sub-processor in the DPA is vetted annually for SOC 2 or ISO 27001 attestation, GDPR compliance, breach history and AI training posture. Onboarding a new sub-processor requires sign-off from the security and legal teams.

Trust center

Live status, uptime history, sub-processor changes, SOC 2 reports (under NDA), pentest summaries and model cards are available at /status and via the trust center portal. Email security@ranktracker.ca for NDA-gated documents.