
Security & Data Trust

Enterprise and agency clients need to know their data is safe before adding client sites. Here's exactly how we protect it.

  • TLS 1.3: all data in transit
  • AES-256: data at rest
  • GDPR ready: EU data residency option
  • SOC 2: in progress, 2026

Encryption

Data in transit: All connections between your browser, our servers, and third-party APIs use TLS 1.3. We enforce HSTS and reject older TLS versions.
Data at rest: The PostgreSQL database is encrypted at rest using AES-256. Cloud Storage buckets (logos, assets) are encrypted using Google-managed encryption keys.
Passwords: User passwords are hashed with bcrypt (cost factor 12). We never store plaintext credentials.
API keys: GSC tokens and third-party API credentials are stored encrypted in environment variables, never in the database.

Your Data Is Never Used to Train AI Models

Explicit statement: Audit results, keyword data, site content, AEO reports, and any data you or your clients input into OptiAISEO is never used to train, fine-tune, or evaluate any AI or machine learning model — ours or any third party's.

AI inference calls we make to Google Gemini, Anthropic Claude, and OpenAI are made using paid API plans that exclude training data rights per their respective API terms of service. We do not use free tiers for production inference.

Data Retention Policy

Data type                               | Retention period
----------------------------------------|------------------------------
Audit results (issue lists, scores)     | 24 months
Metric snapshots (historical trends)    | 36 months
Generated blog content                  | Until manually deleted
AEO reports                             | 12 months
Voice session transcripts               | 90 days
Activity logs / access logs             | 90 days
Billing records                         | 7 years (legal requirement)

Account & Data Deletion

When you close your account:

  • All site data, audit results, keyword history, and AEO reports are deleted within 30 days
  • Generated blog content is permanently deleted immediately
  • GitHub integration tokens are revoked within 24 hours
  • GSC OAuth tokens are revoked and removed from our systems immediately
  • Billing records are retained for 7 years to meet legal requirements
  • Anonymised, aggregated benchmark statistics (no PII) may be retained indefinitely

To delete your account, go to Dashboard → Settings → Delete Account.

GDPR & Data Residency

Data controller: OptiAISEO Ltd (or its operating entity) is the data controller for all personal data processed through the platform.
Primary region: Data is processed and stored in us-central1 (Iowa, USA) by default on Google Cloud.
EU data residency: Agency plan customers can request EU-region processing (europe-west1 — Belgium). Contact support to activate.
GDPR rights: EU users have the right to access, rectify, export, and delete their data. Submit requests to privacy@aiseo.ai.
Sub-processors: Google Cloud (infrastructure), Google AI (inference), Anthropic (inference), OpenAI (inference), Stripe (billing), Resend (email). Full list available on request.

SOC 2 Roadmap

We are actively working toward SOC 2 Type I certification, expected Q3 2026, with Type II audit readiness by Q1 2027.

  • Access control policy implemented (role-based, MFA enforced for admin)
  • Encryption at rest and in transit verified
  • Audit logging for all data access events
  • Vendor risk assessment program (Q2 2026)
  • Penetration test by third-party auditor (Q2 2026)
  • SOC 2 Type I audit (Q3 2026)

Note for agency clients: We strongly recommend rotating all third-party integration credentials (GSC, Ahrefs, Stripe) before onboarding client data. Contact support for a security onboarding checklist.

Have a security question?

Our team responds to security inquiries within 1 business day.
