Trust

Security & compliance

We treat your data the way we’d want ours treated. Encrypted, isolated, exportable, deletable — and never sold.

Compliance & certifications

We meet the standards that matter — and we’re transparent about what’s still in progress.

GDPR

Full compliance with EU General Data Protection Regulation. Export & delete your data anytime.

CCPA

California Consumer Privacy Act compliant. We never sell your personal data.

PCI DSS

Payments handled by Stripe (PCI DSS Level 1). We never see or store your card number.

SOC 2 Type II

In progress

Evidence collection via Vanta starting 2026. Independent audit planned for 2027. We already follow the controls today.

Data protection & privacy

Complete transparency on what we collect, what we store, and how we use it.

What data we collect

  • Email, name (account creation)
  • Project data you create: sites, keywords, audits, content
  • Usage analytics (which modules you use, anonymized)
  • Payment metadata via Stripe (country, last-4, status)

What we NEVER collect

  • Your Google / Search Console password
  • Your full credit card number (Stripe-only)
  • Visitors of your audited sites — only the public URLs
  • Anything you didn’t explicitly enter or paste

How we use your data

  • Provide the core service (audits, AI fixes, tracking, content)
  • Improve Outerank via anonymized usage patterns
  • Customer support and troubleshooting
  • Legal compliance, fraud prevention, abuse detection

Who we share with

  • Anthropic (Claude API) — generates audit fixes, content, outreach
  • Resend — transactional email delivery
  • Cloudflare — DNS, CDN, DDoS, email routing
  • Stripe — payment processing (PCI DSS)

Nobody else. We don’t sell data.

Security built-in, not bolted-on

Architected into every layer — from your password to your database row.

AES-256 + TLS 1.3

All data encrypted in transit (TLS 1.3) and at rest. Sensitive fields like API tokens use AES-256.

Bcrypt password hashing

Passwords are hashed with bcrypt (cost factor 12). We never see your plaintext password — not even in support.

JWT short-lived sessions

Access tokens expire fast; refresh tokens rotate. Logout invalidates instantly. Optional “remember me” keeps you signed in 30 days.

Multi-tenant isolation

Every record is scoped to your account at the query level. You can only see your projects, audits, and exports — enforced server-side.

IP & user-agent logging

Every login, password reset, and admin action is logged with IP, user-agent, and timestamp. Suspicious activity gets flagged for review.

Full data export & delete

Download every audit, keyword, ranking, article, and chat as CSV / Markdown anytime. One-click delete wipes everything within 30 days.

Least-privilege access

Only the founder has production database access, behind 2FA. No support agent, contractor, or third party can read your project data.

Cloudflare DDoS + WAF

Cloudflare protects every request: DDoS mitigation, bot detection, rate-limiting, WAF rules against OWASP Top 10 attacks.

Sentry error monitoring

Every exception in production is captured in real time with stack trace, user context, and request payload — so bugs get fixed before you see them.

Vanta continuous monitoring

Vanta watches our infrastructure 24/7 — failed backups, missing 2FA, expired certs, exposed buckets — and pages us within minutes.

Responsible disclosure

Found a vulnerability? Email security@outerank.com. We respond within 48 hours, credit the reporter publicly, and pay bounties for valid findings.

What we’re honest about

Lots of SaaS pages claim certifications they’ve never actually been audited for. We won’t.

  • SOC 2 Type II: not yet audited — planned 2027. We already follow the controls (encryption, logging, access reviews).
  • Bug bounty: if you find a vulnerability, email security@outerank.com. We respond within 48 hours, credit responsible disclosures publicly, and pay bounties for valid findings.
  • Incident notification: if we ever have a breach affecting your data, you’ll get an email within 72 hours (GDPR requirement).

Responsible disclosure

Found a vulnerability? Tell us privately. We respond in 48 hours, credit you publicly, and pay bounties for valid findings.

How to report

  • Email security@outerank.com with a clear description (what, where, why it matters)
  • Steps to reproduce — a minimal proof-of-concept is enough
  • Impact assessment (data at risk, who's affected)
  • Your name + a URL we can credit you with (optional)

Our commitments

  • 48 hours — initial response acknowledging receipt
  • 7 days — triage decision (accepted / needs info / out of scope)
  • 30 days — fix deployed for high & critical issues
  • Public credit after the fix ships, unless you ask to stay anonymous

In scope

  • outerank.com and all subdomains + the public API
  • Account takeover, auth bypass, privilege escalation
  • Injection (SQL/NoSQL), RCE, SSRF, XXE
  • Stored/reflected XSS with real impact, IDOR, sensitive-data exposure

Out of scope

  • DoS / volumetric attacks (Cloudflare handles these)
  • Self-XSS requiring devtools paste; missing headers with no exploit
  • Automated-scanner reports without manual verification
  • Third-party service issues (report to Anthropic/Cloudflare/Stripe directly)

Bug bounty (indicative)

  • Critical (RCE, mass data leak, auth bypass for all users): $500–$2,000
  • High (account takeover, single-tenant data leak): $200–$500
  • Medium (stored XSS, limited IDOR): $50–$200
  • Low (rate-limit bypass, low-impact info disclosure): credit only

Safe harbour: act in good faith — only test your own accounts, don't access others' data, don't degrade the service, and give us reasonable time to fix before public disclosure — and Outerank will never pursue legal action. We treat researchers as collaborators.

Security questions? Need a DPA?

Email security@outerank.com for a Data Processing Agreement, sub-processor list, penetration-test summary, or anything else your security team needs.

© 2026 Outerank. All rights reserved.
