Compliance

Rankability is committed to meeting the security and compliance standards that enterprise customers expect. We have implemented controls aligned with the SOC 2 Trust Service Criteria and maintain formal documentation for all security policies.

SOC 2

We have implemented controls across all five SOC 2 Trust Service Categories:

Security (Common Criteria)

  • Five-layer authentication system with fail-closed design
  • Database-backed admin access control with audit logging
  • AES-256-GCM encryption for OAuth tokens at rest
  • SHA-256 hashing for API key storage
  • Multi-layer rate limiting with automatic abuse detection
  • Content Security Policy and security headers in production
  • Multi-tenant data isolation with session-derived access control

Availability

  • Defined Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) for all system components
  • Automated database backups with point-in-time recovery
  • Documented disaster recovery procedures for seven specific scenarios
  • Graceful degradation for third-party service outages

Confidentiality

  • Four-tier data classification system (Restricted, Confidential, Internal, Public)
  • 20 automated data retention policies covering all data types
  • Secure disposal of OAuth tokens on integration disconnect
  • Revoked API keys purged after 90 days

Processing Integrity

  • Idempotent webhook processing prevents duplicate financial transactions
  • Atomic credit reserve-and-finalize billing flow
  • Content-hash gating prevents redundant AI processing
  • Job management with active locking ensures exactly-once processing

Privacy

  • Data minimization — no PII sent to SEO data providers
  • AI providers configured for zero data retention (opted out of training)
  • Defined data retention periods for every data type
  • Automated cleanup runs daily with audit trail

Formal Policies

We maintain the following documented security policies:

  • Information Security Policy: data classification, access control, encryption standards, acceptable use
  • Incident Response Plan: severity levels, response team roles, escalation matrix, communication templates
  • Change Management Policy: change categories, review requirements, testing procedures, rollback plans
  • Business Continuity & Disaster Recovery Plan: RPO/RTO targets, backup procedures, recovery scenarios
  • Vendor Risk Register: third-party vendors with risk ratings, certifications, and review schedules

Requesting Our SOC 2 Report

Our SOC 2 report is available under NDA. Contact [email protected] to request a copy.

Audit Logging

All security-relevant events are logged and retained for 7 years:

  • Administrative actions (credit adjustments, data exports, user management)
  • Authentication events (logins, API key usage, OAuth connections)
  • Access control changes (admin list modifications)
  • Data retention cleanup runs

The audit log is available to platform administrators through the admin dashboard.

Continuous Improvement

We review our security controls and policies on a regular schedule:

  • Security policies reviewed annually
  • Vendor risk assessments per defined schedule (quarterly for critical vendors, annually for low-risk)
  • Incident response plan tested through tabletop exercises semi-annually
  • Disaster recovery procedures tested through restore drills monthly

For security inquiries or to request our SOC 2 report, contact [email protected].