Security & Data Protection Practices
Last updated: June 17, 2026
Overview: Semly Pro implements industry-standard security measures to protect your data. This page describes our security architecture, compliance certifications, and incident response procedures.
1. Infrastructure Security
1.1 Cloud Infrastructure
Our infrastructure is built on enterprise-grade cloud platforms with industry-leading security certifications:
- Hosting: Vercel (SOC 2 Type II certified)
- Database: Supabase PostgreSQL on AWS (SOC 2, ISO 27001)
- Caching: Upstash Redis (ISO 27001)
- Primary Region: ap-south-1 (Mumbai, India) with multi-region failover
1.2 Network Security
- TLS 1.3: All connections use TLS 1.3 with perfect forward secrecy
- HTTPS-only: No unencrypted HTTP connections accepted
- HSTS: HTTP Strict Transport Security headers enforce HTTPS
- DDoS protection: Cloudflare-grade DDoS mitigation at edge
- Rate limiting: API rate limits prevent abuse (per IP and per user)
1.3 Edge Network
Static assets and serverless functions are distributed globally via Vercel Edge Network for:
- Low latency (content served from nearest edge location)
- DDoS resilience (distributed attack surface)
- Traffic encryption at edge
2. Data Encryption
2.1 Encryption at Rest
- Database: AES-256 encryption for all PostgreSQL data at rest (Supabase managed)
- Sensitive credentials: AES-256-GCM encryption for CMS tokens and API keys
- Unique encryption keys per environment
- Key rotation support with dual-key decryption
- Keys stored in Vercel environment variables (encrypted at platform level)
- Backups: Encrypted backups stored in separate AWS region
2.2 Encryption in Transit
- Client to server: TLS 1.3 with strong cipher suites only
- Server to database: Encrypted PostgreSQL connections
- Server to sub-processors: HTTPS/TLS for all third-party API calls
2.3 Key Management
- Encryption keys generated with cryptographically secure random number generators
- Keys stored separately from encrypted data
- Key rotation procedures documented and tested quarterly
- No plaintext keys in code, logs, or version control
3. Application Security
3.1 Authentication
- Password hashing: Argon2id (winner of Password Hashing Competition)
- Memory-hard to resist GPU/ASIC attacks
- Configurable cost parameters (currently: 64MB memory, 3 iterations)
- Session management: JWT-based sessions with:
- HttpOnly cookies (not accessible to JavaScript)
- Secure flag (HTTPS-only)
- SameSite=Lax (CSRF protection)
- 7-day expiration (auto-refresh on activity)
- Multi-factor authentication: TOTP-based 2FA support (optional)
- Failed login protection: Rate limiting after 5 failed attempts (15-minute lockout)
3.2 Authorization and Access Control
- Role-based access control (RBAC): Owner, Admin, Member, Read-only roles
- Organization isolation: Data scoped per organization; no cross-org access
- Least privilege: Users granted minimum permissions needed
- Team member management: Owners can add/remove members and change roles
3.3 Input Validation
- Zod schema validation: All API inputs validated against TypeScript schemas
- SQL injection prevention: Parameterized queries via Drizzle ORM (no raw SQL with user input)
- XSS prevention: Content Security Policy headers, HTML sanitization (DOMPurify)
- CSRF protection: SameSite cookies + CSRF tokens for state-changing operations
3.4 Secrets Management
- API keys, database credentials, and encryption keys stored in Vercel environment variables
- No secrets in source code or version control
- Separate secrets per environment (dev, staging, production)
- Secret rotation procedures for compromised credentials
4. Security Monitoring
4.1 Error Tracking
- Sentry: Real-time error tracking and alerting
- PII scrubbing (passwords, tokens, emails redacted from error logs)
- Source maps for production debugging
- Slack alerts for critical errors
4.2 Security Logs
- Axiom: Centralized security logging
- Authentication events (logins, logouts, failed attempts)
- Authorization failures (access denied events)
- Sensitive operations (password changes, role changes, data exports)
- Retention: 1 year
4.3 Anomaly Detection
- Automated detection of suspicious patterns:
- Unusual login locations or devices
- Rapid-fire API requests (potential abuse)
- Mass data exports
- Privilege escalation attempts
5. Incident Response
5.1 Security Incident Procedure
In the event of a security incident:
- Detection: Automated alerts or user reports trigger incident response
- Containment (1 hour): Isolate affected systems, revoke compromised credentials
- Investigation (24 hours): Determine scope, root cause, and impact
- Notification (72 hours): Notify affected users and supervisory authorities per GDPR Article 33
- Remediation (7 days): Patch vulnerabilities, restore from backups if needed
- Post-mortem (14 days): Document incident, update procedures, implement preventive measures
5.2 Data Breach Notification
If a data breach affects personal data, we will:
- Users: Notify affected users within 72 hours by email
- Supervisory authority: Notify Autoriteit Persoonsgegevens (Dutch DPA) within 72 hours
- Information provided:
- Nature of the breach
- Categories and approximate number of affected data subjects
- Likely consequences
- Measures taken to address the breach
- Contact point for more information
5.3 Reporting Security Issues
If you discover a security vulnerability, please report it responsibly to security@semlypro.com. We request:
- Do not exploit the vulnerability beyond minimal testing
- Do not access, modify, or delete other users' data
- Give us reasonable time to fix the issue before public disclosure
We will respond within 48 hours and provide a fix timeline. We do not currently offer a bug bounty program but will acknowledge security researchers who report issues responsibly.
6. Compliance and Certifications
6.1 Data Protection Compliance
- GDPR: EU General Data Protection Regulation compliance
- Data Processing Agreement with EU SCCs Module 2
- UK IDTA A1.0 for UK transfers
- Privacy by Design principles
- Data subject rights support (access, erasure, portability)
- CCPA: California Consumer Privacy Act compliance
- Right to know, delete, opt-out
- Global Privacy Control (GPC) honored
- We do not sell personal information
- ePrivacy Directive: Cookie consent management, Consent Mode v2
6.2 Infrastructure Certifications
Our sub-processors maintain:
- SOC 2 Type II: Vercel, Supabase, Sentry, Axiom, Stripe, Resend, FingerprintJS, Svix, Inngest
- ISO 27001: Supabase, Upstash, Microsoft (Azure), Google Cloud
- PCI DSS Level 1: Stripe, Razorpay (payment processing)
- EU-US Data Privacy Framework: Google, Microsoft
See our Sub-processors List for certification links.
6.3 Industry Standards
We follow security best practices from:
- OWASP Top 10 (web application security)
- CIS Controls (security configuration)
- NIST Cybersecurity Framework
7. Operational Security
7.1 Employee Access
- Least privilege: Employees granted minimum access needed
- MFA required: All employees must use 2FA for production access
- Access reviews: Quarterly reviews of employee permissions
- Offboarding: Immediate revocation of access when employees leave
7.2 Development Security
- Code review: All production code reviewed by second engineer
- Dependency scanning: Automated vulnerability scans via Dependabot
- Secret scanning: GitHub Advanced Security scans for leaked secrets
- Branch protection: Main branch requires PR approvals, passing tests
7.3 Testing
- Unit tests: Core business logic covered
- Integration tests: API endpoints tested with Jest
- E2E tests: Critical user flows tested with Playwright
- Security testing: Periodic penetration testing (annually or after major releases)
8. Data Retention and Deletion
8.1 Retention Periods
- Account data: Duration of subscription + 90 days
- SEO workspace data: Until you delete it or your account is deleted
- Logs: Application logs 90 days, security logs 1 year
- Backups: 90 days (encrypted, separate region)
See our Privacy Policy Section 7 for full retention details.
8.2 Secure Deletion
When you delete data:
- Soft delete (30 days): Data marked deleted but recoverable
- Hard delete (after 30 days): Permanent deletion from production databases
- Backup purge (90 days): Deletion from backup snapshots
- Cryptographic erasure: Encryption keys destroyed (renders encrypted data irrecoverable)
9. Business Continuity
9.1 Backups
- Frequency: Automated daily backups
- Retention: 90 days
- Encryption: AES-256 encrypted backups
- Geo-redundancy: Backups stored in separate AWS region
- Testing: Quarterly restore tests
9.2 Disaster Recovery
- RTO (Recovery Time Objective): 4 hours
- RPO (Recovery Point Objective): 24 hours (daily backups)
- Failover: Automated database failover to standby replica
- Runbooks: Documented procedures for common failure scenarios
9.3 Uptime Monitoring
- Target: 99.9% uptime
- Monitoring: Automated health checks every 60 seconds
- Alerting: PagerDuty alerts for downtime (5-minute threshold)
- Status page: status.semlypro.com (incident updates)
10. Third-Party Security
10.1 Sub-processor Due Diligence
Before engaging a sub-processor, we verify:
- SOC 2 Type II or ISO 27001 certification
- GDPR compliance (DPA with EU SCCs or adequacy decision)
- Appropriate technical and organizational measures
- Incident response and breach notification procedures
10.2 Sub-processor Monitoring
- Annual recertification reviews
- Monitoring security advisories and CVEs
- Evaluating breach notifications from sub-processors
- 30-day advance notice before adding new sub-processors
11. Security Roadmap
11.1 Planned Improvements (Q3-Q4 2026)
- Bug bounty program: Public vulnerability disclosure program with rewards
- Advanced threat detection: ML-based anomaly detection
- Hardware security keys: FIDO2/WebAuthn support for 2FA
- Audit logs: User-accessible audit logs for compliance
- SAML/SSO: Enterprise single sign-on support
12. Contact Security Team
Semly Pro Security Team
Vulnerability reports: security@semlypro.com
Data breaches: privacy@semlypro.com
Response time: Within 48 hours
Related legal documents:
Privacy Policy | Data Processing Agreement | Sub-processors List | Terms of Service