SurfRank is built for business-critical brand and content work. This page is the living source of truth for how we protect your data, who we share it with, and what certifications we're pursuing.
Data in transit
All traffic to and from SurfRank uses TLS 1.3 with modern cipher suites. HSTS is enforced on every subdomain.
Data at rest
Firestore encrypts everything at rest with AES-256. Sensitive secrets (API tokens, OAuth credentials) are additionally encrypted with per-tenant AES-256-GCM keys before being stored.
Authentication
Built on Firebase Auth. Passwords are never stored by us. API keys are hashed with SHA-256 before storage — we can revoke them but we cannot read them.
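The hash-only API key storage described above can be sketched as follows. This is an added example, not SurfRank's code: the `key_id.secret` key format, the in-memory `KEY_TABLE`, and all function names are assumptions made for illustration. A fast hash such as SHA-256 is suitable here only because the secret is a long random value, unlike a user-chosen password.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory table: key_id -> record. Only the digest is stored.
KEY_TABLE = {}


def _sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_key(tenant: str) -> str:
    """Mint a key, persist its SHA-256 digest, return the plaintext once."""
    key_id = secrets.token_hex(8)          # public identifier, used for lookup
    secret = secrets.token_urlsafe(32)     # 256 random bits; never stored
    KEY_TABLE[key_id] = {
        "tenant": tenant,
        "digest": _sha256_hex(secret),
        "revoked": False,
    }
    return f"{key_id}.{secret}"


def verify_key(presented: str):
    """Return the tenant for a valid, unrevoked key, otherwise None."""
    key_id, sep, secret = presented.partition(".")
    record = KEY_TABLE.get(key_id)
    if not sep or record is None or record["revoked"]:
        return None
    # Constant-time comparison of the stored and recomputed digests.
    if hmac.compare_digest(record["digest"], _sha256_hex(secret)):
        return record["tenant"]
    return None


def revoke_key(key_id: str) -> bool:
    """Revoke by identifier; the plaintext secret is not needed."""
    record = KEY_TABLE.get(key_id)
    if record is None:
        return False
    record["revoked"] = True
    return True
```

Because the table holds only digests, a read of the stored records does not yield usable keys, and revocation works on the identifier alone.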
Infrastructure
Hosted on Hetzner (EU — Germany, and APAC — Singapore) with Cloudflare in front. Backups run daily. All code runs in audited, reproducible environments.
GDPR-aligned
EU hosting, data subject rights, and a public DPA (incorporating EU SCCs and UK IDTA) available at /dpa.
PDPA-aligned
Singapore Personal Data Protection Act compliance for Singapore-based customers.
SOC 2 Type II
Audit kick-off scheduled for mid-2026. Type II observation period typically runs 6–12 months; target report availability 2027.
ISO 27001
On our roadmap after SOC 2 Type II; timing depends on team size and customer demand.
We store
We don't store
We use the following third-party services to operate SurfRank. All subprocessors are contractually bound to equivalent security and privacy standards.
Report a vulnerability
Found a security issue? We appreciate responsible disclosure and acknowledge reporters in our hall of fame.
[email protected]