AgentsPricingContact
Log in

Legal

Security

Last updated: March 21, 2026

Infrastructure

RankControl is built on a secure, modern infrastructure:

  • Application hosting: Hetzner VPS with Docker containerization and Caddy reverse proxy with automatic TLS
  • Database: Convex — fully managed with built-in encryption at rest, automatic backups, and ACID transactions
  • Content delivery: articles are delivered to your CMS over HTTPS — they are hosted and served by your own site

Data Protection

  • Encryption in transit: all connections use TLS 1.2+ (HTTPS everywhere)
  • Encryption at rest: database and file storage are encrypted at rest
  • API key security: all API keys and secrets are stored as environment variables, never in source code
  • Access control: role-based access with separate admin and user permission levels

Authentication

  • Auth system: Convex Auth with secure session management
  • API authentication: API keys with rate limiting per organization
  • Admin access: separate admin authentication with audit logging for all administrative actions

AI Provider Security

When generating content, we send data to AI providers (Anthropic Claude, OpenAI GPT-4):

  • We send only brand context, topic information, and content instructions — never personal user data or credentials
  • All API calls are made server-side with encrypted connections
  • AI providers do not use your data to train their models (per their enterprise API terms)

Publishing Integration Security

Articles are published to your CMS through authenticated integrations:

  • The WordPress plugin authenticates with a unique, randomly generated integration key and pulls deliveries outbound over HTTPS — no inbound access to your site is required
  • CMS API credentials (WordPress application passwords, Webflow tokens) are used only to publish articles you approved
  • Webhook deliveries are signed with HMAC-SHA256 so your endpoint can verify authenticity
  • Integration keys and credentials can be revoked at any time by removing the integration

Lead Data Security

  • Lead data is stored in Convex with organization-level isolation
  • Spam filtering runs automatically to block bot submissions
  • Rate limiting prevents abuse of lead capture forms
  • Webhook deliveries use HTTPS with retry logic

Monitoring and Incident Response

  • Uptime monitoring: continuous health checks on all services
  • Audit logging: all admin actions are logged with timestamps and user attribution
  • Error tracking: real-time alerting for application errors and anomalies
  • Incident response: documented procedures for security incidents with notification within 72 hours

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. Contact us at [email protected]. We ask that you:

  • Do not publicly disclose the vulnerability before we've addressed it
  • Provide sufficient detail for us to reproduce and fix the issue
  • Do not access or modify other users' data

We commit to acknowledging receipt within 48 hours and providing a timeline for resolution.

Contact

For security questions or concerns, contact us at [email protected].