CSEO

Security

How CSEO protects your credentials, isolates workspaces, and records what happens.

AES-256-GCM encrypted secrets
Every provider API key you connect (Anthropic, Semrush, Ahrefs, Moz, DataForSEO, Otterly, Meta, Google) is encrypted at rest using AES-256-GCM. The master key derives from a per-deployment secret. Decryption happens in-process; plaintext never lands in logs, backups, or the database.
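The pattern described above, as an added illustration rather than CSEO's own code: the per-deployment secret is run through HKDF to obtain the master key (the derivation function is an assumption, the page only says the key "derives from" the secret), each API key gets a fresh random 96-bit nonce, and the provider name is bound in as additional authenticated data (also an assumption) so a ciphertext stored for one provider cannot be swapped into another's field. Decryption returns null on any authentication failure so the caller can record the failure without key material ever reaching a log.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "crypto";

// Constructed sample of a per-deployment secret. In a real deployment this
// comes from the environment or a secret manager, never from source control.
const DEPLOYMENT_SECRET = "constructed-deployment-secret-for-illustration";

// Derive the 256-bit AES key from the deployment secret with HKDF-SHA256 so the
// raw secret is never used directly as a cipher key (assumed derivation).
function deriveMasterKey(secret: string, purpose = "credential-encryption"): Buffer {
  return Buffer.from(hkdfSync("sha256", secret, "", purpose, 32));
}

// Encrypt one provider API key. Output is a single opaque string
// "iv.tag.ciphertext" (each part base64) suitable for storing in a document.
function encryptSecret(plaintext: string, provider: string, key: Buffer): string {
  const iv = randomBytes(12); // 96-bit GCM nonce, fresh for every encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(provider, "utf8")); // bind ciphertext to its provider slot
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [iv, tag, ct].map((b) => b.toString("base64")).join(".");
}

// Decrypt in-process. Any tampering (ciphertext, tag, nonce, wrong provider,
// wrong key) fails authentication and yields null rather than an exception
// that might carry plaintext fragments into an error log.
function decryptSecret(blob: string, provider: string, key: Buffer): string | null {
  const parts = blob.split(".");
  if (parts.length !== 3) return null;
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, "base64"));
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAAD(Buffer.from(provider, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: never return partial plaintext
  }
}
```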
Strict tenant isolation
Every Mongo collection that holds user data is keyed on `workspaceId`. Reads are scoped at the action layer via `authorizeApiRequest` — there is no admin escape hatch in app code that crosses tenant boundaries.
OAuth tokens stay in your account
Google Search Console, Google Analytics, and Meta Ads use OAuth refresh tokens. The tokens authorize access to your account only; revoke at any time in the provider's settings and CSEO loses access immediately.
Audit log of every state change
Member adds, role changes, credential saves, brief publishes, workspace deletes — all recorded with actor + timestamp + metadata. Surfaced in /app/settings/audit for compliance-grade traceability.
No content-mining for training
We do not use your workspace content (briefs, drafts, snapshots) to train any model. AI-generated outputs run through your own Anthropic key, billed to your Anthropic account, on Anthropic's infrastructure.
Strict CSP + nonce
Every response carries a per-request CSP nonce. Inline scripts are nonce-gated; third-party scripts can't execute unless explicitly allow-listed in next.config.ts.

Reporting a vulnerability

We treat security reports as the highest-priority incidents. If you've found a vulnerability, email security@cseo.app with a description, reproduction steps, and your contact info. We acknowledge within 24 hours, triage within 72, and credit reporters by name (with their consent) in the post-incident writeup.