Security at SEMKit

Security and privacy are core to how we build SEMKit. We protect your data with encryption, compliance controls, and transparent practices.

Last updated: January 21, 2025 | Version 1.0.0

Privacy & Data Rights

SEMKit is fully GDPR compliant with comprehensive data protection and user rights management. We believe you should have complete control over your data.

Right to Access

Export all your data anytime in JSON, CSV, or ZIP format. Includes your profile, sites, keywords, content, and audit history.

Right to Deletion

Delete your account and all associated data with a 30-day grace period for recovery. We provide complete transparency about what data is deleted and what must be retained for legal compliance.

Consent Management

Complete audit trail for all consent decisions. We track every cookie preference change with timestamps and IP addresses for transparency. Anonymous visitors can manage consent before creating an account.

Policy Transparency

We version all legal policies (Privacy, Terms, Cookie Policy, DPA) and notify you of significant changes that require re-consent.

Data Protection

Encryption

We use industry-standard encryption to protect your data:

  • At rest: All sensitive data is encrypted using AES-256-GCM
  • In transit: HTTPS/TLS 1.3 encryption for all connections
  • Integration credentials: API keys and authentication tokens encrypted before storage
  • Key management: Encryption keys stored separately from application data

Data Minimization

We only collect and store data necessary for providing our services. User data is isolated and access is restricted to what's needed for each operation.

Authentication & Access

SEMKit uses secure authentication powered by industry-leading identity providers:

  • JWT-based authentication: Industry-standard token-based auth with automatic validation
  • Secure sessions: Automatic session management with expiration and rotation
  • Protected routes: All authenticated areas secured at the infrastructure level
  • Password security: Passwords hashed and never stored in plain text

Tip: Use a strong, unique password and consider enabling two-factor authentication (2FA) in your account settings for additional protection.

Payment Security

Your payment information is handled with the highest security standards:

  • PCI DSS compliance: Payment processing via Stripe, a PCI DSS Level 1 certified provider
  • No card storage: We never store or handle credit card information directly
  • Webhook verification: All payment webhooks use signature verification to ensure integrity
  • Secure checkout: All payment pages use HTTPS with extended validation

Stripe is trusted by millions of businesses worldwide and maintains the highest level of payment security certification.

API Security

Our API and integrations are built with security as a priority:

  • Authentication required: All API endpoints require valid authentication tokens
  • Signature verification: All webhook integrations verify cryptographic signatures
  • Input validation: All user-submitted data validated and sanitized
  • Usage limits: Tier-based limits prevent abuse and ensure fair resource allocation
  • Rate limiting: Protection against brute force and denial-of-service attempts

Infrastructure Security

SEMKit runs on enterprise-grade cloud infrastructure with multiple layers of security:

  • Cloud hosting: Enterprise-grade infrastructure with automatic scaling and redundancy
  • Automatic backups: Regular encrypted backups with disaster recovery procedures
  • Database isolation: Separate database environments for development, staging, and production
  • Network security: Firewalls, DDoS protection, and traffic filtering
  • Monitoring: Continuous security monitoring with automated threat detection

Third-Party Services

We carefully select security-conscious service providers:

  • Authentication: Industry-leading identity and access management
  • Payments: PCI DSS certified payment processor
  • Email: Secure transactional email service
  • AI Services: Enterprise AI providers with security certifications

All third-party API keys are stored as encrypted environment variables and never exposed in application code. We share only the minimum data necessary for each service to function.

Secure Development Practices

Security is built into our development process:

  • No secrets in code: All credentials stored as environment variables, never in source code
  • Dependency scanning: Automated scanning for known vulnerabilities in dependencies
  • Type safety: TypeScript prevents entire classes of runtime errors
  • Input validation: All forms and API inputs validated before processing
  • Production security: Console logging and debug features disabled in production
  • Code review: All code changes reviewed before deployment

Compliance

GDPR Compliant

Full compliance with the EU General Data Protection Regulation, including rights to access, deletion, portability, and comprehensive consent management.

PCI DSS (via Stripe)

Payment processing handled by Stripe, a PCI DSS Level 1 certified provider. We never store or process card data directly.

HTTPS/TLS 1.3

All connections encrypted with the latest TLS protocol version for maximum security.

Frequently Asked Questions

How is my data encrypted?

We use AES-256-GCM encryption for sensitive data at rest and TLS 1.3 for data in transit. Encryption keys are stored separately from application data and rotated regularly.

Where is my data stored?

Your data is stored on enterprise-grade cloud infrastructure with automatic backups and geographic redundancy. Data is isolated per environment and access is strictly controlled.

Can I export my data?

Yes, you can export all your data anytime from your account settings. We provide exports in JSON, CSV, and ZIP formats including your profile, sites, keywords, content, and audit history.

How do I delete my account?

You can request account deletion from your settings page. We provide a 30-day grace period for account recovery. After this period, all your data is permanently deleted, except what must be retained for legal or tax compliance.

Do you share my data with third parties?

We only share data with essential service providers (authentication, payments, email, etc.) and only the minimum necessary for those services to function. We never sell your data. See our Privacy Policy for complete details.

How do I enable two-factor authentication?

Two-factor authentication (2FA) can be enabled in your account settings for additional security. We recommend enabling 2FA for all accounts, especially if you manage sensitive business data.

What happens if there's a security breach?

In the unlikely event of a security incident, we will notify affected users within 72 hours as required by GDPR. We maintain an incident response plan and conduct post-incident analysis to prevent future occurrences.

Vulnerability Disclosure

We take security vulnerabilities seriously and appreciate the security community's help in keeping SEMKit secure.

Responsible Disclosure Process

  1. Report: Email security@semkit.com with details of the vulnerability. Please include steps to reproduce and potential impact.
  2. Acknowledge: We will acknowledge receipt within 48 hours.
  3. Investigate: We will investigate and keep you updated on our progress.
  4. Fix: We will work to resolve the issue promptly based on severity.
  5. Credit: With your permission, we will credit you for the discovery after the issue is resolved.

Please do not publicly disclose the vulnerability until we have had a chance to address it. We appreciate your patience and responsible disclosure.

Contact & Resources

Questions about our security practices? We're here to help.

Our Commitment

Security and privacy are not features we add later—they're foundational to how we build SEMKit. We are committed to transparency, continuous improvement, and earning your trust every day.