Legal
Security
Last updated: March 21, 2026
Infrastructure
RankControl is built on a secure, modern infrastructure:
- Application hosting: Hetzner VPS with Docker containerization and Caddy reverse proxy with automatic TLS
- Database: Convex — fully managed with built-in encryption at rest, automatic backups, and ACID transactions
- Content delivery: articles are delivered to your CMS over HTTPS — they are hosted and served by your own site
Data Protection
- Encryption in transit: all connections use TLS 1.2+ (HTTPS everywhere)
- Encryption at rest: database and file storage are encrypted at rest
- API key security: all API keys and secrets are stored as environment variables, never in source code
- Access control: role-based access with separate admin and user permission levels
Authentication
- Auth system: Convex Auth with secure session management
- API authentication: API keys with rate limiting per organization
- Admin access: separate admin authentication with audit logging for all administrative actions
AI Provider Security
When generating content, we send data to AI providers (Anthropic Claude, OpenAI GPT-4):
- We send only brand context, topic information, and content instructions — never personal user data or credentials
- All API calls are made server-side with encrypted connections
- AI providers do not use your data to train their models (per their enterprise API terms)
Publishing Integration Security
Articles are published to your CMS through authenticated integrations:
- The WordPress plugin authenticates with a unique, randomly generated integration key and pulls deliveries outbound over HTTPS — no inbound access to your site is required
- CMS API credentials (WordPress application passwords, Webflow tokens) are used only to publish articles you approved
- Webhook deliveries are signed with HMAC-SHA256 so your endpoint can verify authenticity
- Integration keys and credentials can be revoked at any time by removing the integration
Lead Data Security
- Lead data is stored in Convex with organization-level isolation
- Spam filtering runs automatically to block bot submissions
- Rate limiting prevents abuse of lead capture forms
- Webhook deliveries use HTTPS with retry logic
Monitoring and Incident Response
- Uptime monitoring: continuous health checks on all services
- Audit logging: all admin actions are logged with timestamps and user attribution
- Error tracking: real-time alerting for application errors and anomalies
- Incident response: documented procedures for security incidents with notification within 72 hours
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly. Contact us at [email protected]. We ask that you:
- Do not publicly disclose the vulnerability before we've addressed it
- Provide sufficient detail for us to reproduce and fix the issue
- Do not access or modify other users' data
We commit to acknowledging receipt within 48 hours and providing a timeline for resolution.
Contact
For security questions or concerns, contact us at [email protected].