Security Overview

Protecting your data is not an afterthought at Rankability — it is built into every layer of the platform. From how we encrypt sensitive credentials to how we isolate your data from other customers, security is a core part of our architecture.

Encryption

Data in Transit

All data transmitted between your browser and Rankability is encrypted using TLS 1.2 or higher. This includes all API calls, OAuth flows, and webhook communications. There are no unencrypted endpoints.

Data at Rest

Sensitive data stored in our database is encrypted using industry-standard methods:

  • OAuth tokens (Google Search Console, Google Analytics, Google Business Profile, YouTube) are encrypted using AES-256-GCM with unique initialization vectors per token
  • API keys are stored as irreversible SHA-256 hashes — we never store plaintext API keys after initial generation
  • Database credentials and secrets are stored in platform-managed environment variables, never in source code

Cryptographic Standards

  • Timing-safe comparison for all token and secret validation, preventing timing-based attacks
  • Cryptographically secure random generation for all tokens, keys, and session identifiers
  • Dedicated signing secrets for OAuth state tokens — no reuse of database credentials for cryptographic purposes
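As an added illustration of how the API-key controls above fit together (this is not Rankability's code; the `rk_` prefix, function names and in-memory store are assumptions), the following shows a key drawn from the OS CSPRNG, only its SHA-256 digest being persisted, and validation by timing-safe digest comparison:

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Assumed prefix so keys are recognisable in logs and secret scanners (not a
# Rankability value).
KEY_PREFIX = "rk_"


def hash_api_key(plaintext: str) -> str:
    """Irreversible SHA-256 digest of the key. A slow password hash is not
    needed because the key is 256 bits of CSPRNG output, not a user-chosen
    secret, so it cannot be guessed by dictionary or brute force."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def generate_api_key() -> Tuple[str, str]:
    """Return (plaintext_key, sha256_hex). Only the hash is stored; the
    plaintext is shown to the user once at creation and then discarded."""
    # secrets.token_urlsafe uses the operating system's CSPRNG.
    plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
    return plaintext, hash_api_key(plaintext)


def validate_api_key(presented: str, stored_hash_hex: str) -> bool:
    """Timing-safe check: hash the presented key, then compare the two
    digests with hmac.compare_digest, whose running time does not depend
    on the position of the first differing byte."""
    candidate = hashlib.sha256(presented.encode("utf-8")).digest()
    try:
        stored = bytes.fromhex(stored_hash_hex)
    except ValueError:
        # Corrupt or malformed stored value: fail closed.
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed demo: the store maps digest -> metadata, never plaintext.
    plaintext, digest = generate_api_key()
    store = {digest: {"owner": "demo-user", "suspended": False}}
    assert validate_api_key(plaintext, digest)
    assert not validate_api_key(plaintext + "x", digest)
    print("key issued once:", plaintext)
    print("stored digest:", digest)
```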

Security Headers

In production, Rankability enforces strict security headers:

  • Content Security Policy (CSP) — Restricts which scripts, styles, and resources can load
  • HTTP Strict Transport Security (HSTS) — Forces HTTPS connections
  • X-Frame-Options — Prevents clickjacking attacks
  • X-Content-Type-Options — Prevents MIME type sniffing

Error Handling

Production error messages are sanitized to prevent information leakage. Stack traces, file paths, database queries, and connection strings are never exposed to end users.

Monitoring & Detection

  • Structured logging captures security-relevant events with contextual metadata
  • All administrative actions are recorded in an immutable audit trail
  • API usage is tracked per key with automatic abuse detection
  • Compromised or misbehaving API keys are automatically suspended when abuse patterns are detected

Rate Limiting

Multi-layer rate limiting protects the platform and your account:

  • Per-user limits prevent individual account abuse
  • Per-project limits protect against runaway automation
  • Per-organization limits ensure fair resource allocation
  • Daily AI spend caps prevent unexpected cost overruns
  • Distributed-cache-backed with automatic in-memory fallback if the cache layer is unavailable (stricter limits apply during fallback)

Vulnerability Management

  • Dependencies are monitored for known vulnerabilities
  • Security-sensitive code changes require additional review and sign-off
  • We follow responsible disclosure practices — contact [email protected] to report vulnerabilities

For security inquiries or to request our SOC 2 report, contact [email protected].