Security & Data Protection

Where your data lives, how it's protected, and what credentials we store. No vague promises, just the facts.

Where your data is stored

Everything runs on established, audited infrastructure. We don't run our own servers for data storage.

Database and backend

All application data (your sites, plans, reports, settings) is stored on Convex, a cloud-hosted backend platform. Convex runs on AWS infrastructure and handles database storage, real-time queries, and server-side logic.

Convex Cloud (AWS)

Authentication

We use Google OAuth for sign-in. We never see or store your Google password. Google handles the authentication flow, and we receive an identity token that confirms who you are.

Google OAuth 2.0

Frontend hosting

The web application is hosted on Netlify. It's a static site that talks to the Convex backend. No user data is stored on the frontend side.

Netlify CDN

Background jobs

Daily site improvements run on a Railway-hosted worker. The worker processes jobs and sends results back to Convex. It doesn't store any data locally.

Railway (stateless)

How credentials are protected

Every credential we store is encrypted before it hits the database. Here's what we store and how.

Credential What it does Storage
Google OAuth tokens Read your Search Console data, submit pages to Google's index AES-256-GCM encrypted
WordPress app password Push content changes to your WordPress site AES-256-GCM encrypted
WooCommerce API keys Access product data on WooCommerce stores AES-256-GCM encrypted
GitHub connection Push content changes to your GitHub repository OAuth via GitHub App (no token stored)

AES-256-GCM encryption

This is the same encryption standard used by banks and governments. Each credential gets its own random initialization vector (IV), so even identical passwords produce different encrypted values. The encryption key is stored as an environment variable, separate from the database.

Automatic token refresh

Google OAuth access tokens expire after one hour. We automatically refresh them using the stored (encrypted) refresh token. If refresh fails, we ask you to reconnect rather than failing silently.

Data isolation

Every piece of data is tied to the user who owns it. There are no shortcuts around this.

Identity comes from the server

Every request to our backend re-verifies your identity from the authentication session. We never trust a user ID passed from the browser. If the session is invalid, the request is rejected.

Ownership checks on every query

Before returning any data or allowing any change, the backend verifies you own the resource. Your sites, plans, reports, and settings are only accessible to you (and collaborators you explicitly invite).

No cross-user data access

Database queries always filter by the authenticated user first. There is no API endpoint that returns data across multiple users. Even our internal admin tools re-verify admin permissions on every request.

Collaborator access

You can add collaborators to your sites. They get read and limited write access, but they can't change billing, delete sites, or access your stored credentials. Access is revocable at any time.

What we access on your site

When you connect Scaup, here's exactly what we can and can't do.

Google Search Console

We can read: search queries, clicks, impressions, page performance, indexing status.
We can do: submit individual URLs for re-indexing.
We can't: delete your Search Console property, change settings, or access anything outside your verified sites.

WordPress

We can: read and update posts, pages, and their metadata (titles, descriptions, content).
We can't: install plugins, change themes, modify settings, access your admin panel, or do anything outside the WordPress REST API scope you granted.

GitHub

We can: read files, create branches, and open pull requests on the connected repository.
We can't: merge to your main branch without your approval, access other repositories, or modify repository settings.

Your site's content

We crawl your public pages to analyze content, the same way Google does. We don't access anything behind login walls, password-protected pages, or private areas unless they're part of your connected CMS.

AI and your data

We use AI (Anthropic's Claude) to analyze your content and write improvements. Here's what that means for your data.

What gets sent to the AI

Page content (text, headings, metadata), search performance data from Google Search Console, and competitor analysis data. This is the information Claude needs to write better content for your site.

What doesn't get sent

Your credentials, login tokens, personal information, email address, or any data from other users. The AI only sees the content it needs to do its job for that specific task.

Anthropic's data policy

We use Anthropic's API (not the consumer product). Per Anthropic's API terms, data sent through the API is not used to train their models and is not retained beyond the request processing window.

Worker and API security

How we protect communication between our systems.

Authenticated callbacks

The background worker communicates with our backend using a shared secret verified with timing-safe comparison. This prevents timing attacks that could guess the secret by measuring response times.

All traffic over HTTPS

Every connection between our systems (frontend to backend, worker to backend, backend to third-party APIs) uses TLS encryption in transit. No exceptions.

Stateless worker

The background worker doesn't store any data locally. It fetches what it needs, processes the job, sends results back to the database, and moves on. If the worker restarts, nothing is lost.

Environment-based secrets

All API keys, encryption keys, and service credentials are stored as environment variables in each platform's secret management (Convex, Railway, Netlify). Nothing is hardcoded or committed to source control.

Common security questions

Can Scaup break my site?

In preview mode (the default), every change goes through you before it touches your site. You see a before/after diff and approve or reject each one. For GitHub-connected sites, changes come as pull requests that you merge yourself. The worst case is a content change you don't like, and you can always undo.

What happens if I disconnect Scaup?

We stop accessing your site immediately. Your data stays in our database for 30 days (in case you reconnect), then it's deleted. Any changes already applied to your site stay as they are since they're now your content.

Can your team see my data?

Admin access is restricted to specific email addresses configured at the infrastructure level. Admins can see site metadata for support purposes (site URL, connection status, error states). We don't have a way to view your decrypted credentials since the decryption only happens during automated job execution.

Do you sell or share my data?

No. Your data is used only to run Scaup for your sites. We don't sell it, share it with other users, or use it for any purpose other than delivering the service you signed up for.

Where are you incorporated?

Scaup is a product of Seolift Ltd., an Israeli company. Data is processed on US-based infrastructure (AWS via Convex, Railway, and Netlify).

Do you have SOC 2 or other compliance certifications?

Not yet. We're an early-stage product. Our infrastructure providers (AWS, Convex, Railway, Netlify) maintain their own compliance certifications. As we grow, we'll pursue relevant certifications. We'd rather be honest about this than pretend.