Information Security Notice

Updated: January 2025

Security Approach

Siteimprove designs, maintains and implements technical and organizational measures to protect the data provided by Customers. These measures address accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Siteimprove adopts a risk-based approach to Information Security. Risk identification and assessment support the management of security risks to an acceptable level. Siteimprove continuously reviews and improves its security measures to provide appropriate safeguards for protection of data. Siteimprove strives to improve the quality, reliability, and security of its work and services.

Siteimprove earned its ISO 27001:2022 certification in March 2024. Certificate can be provided upon request.

Processing Locations

Processing of data will not be performed at any location other than those listed in the table below without Siteimprove’s prior written notification:

Region                Entity                                  Location                          Scope
EMEA based customers  Siteimprove A/S                         Copenhagen, Denmark               Applicable to all services
EMEA based customers  Amazon Web Services                     Frankfurt, Germany                Applicable to all services
EMEA based customers  Digital Realty (formerly InterXion)     Ballerup, Denmark                 Applicable to Analytic based services
EMEA based customers  SingleStore                             Frankfurt, Germany                Applicable to Analytic based services
USA based customers   Siteimprove Inc.                        Minneapolis, USA; Bellevue, USA   Applicable to all services
USA based customers   Amazon Web Services                     Ohio, USA                         Applicable to all services
USA based customers   SingleStore (in AWS)                    Ohio, USA                         Applicable to Analytic based services

Encryption

Siteimprove assures the confidentiality and integrity of data by using and supporting the latest recommended protocols for encryption.

  • Data in transit - When the Siteimprove platform crawls customer websites it uses the most appropriate TLS protocol version (e.g. TLS 1.3) and cipher suites as configured by the customer's web servers, ensuring secure communication between the customer's systems and Siteimprove's.
  • Data at rest - User passwords are salted and hashed using SHA512.
  • Data at rest - Confidential customer data is encrypted using Transparent Data Encryption (TDE).

Pseudonymization is applied, wherever feasible, by separating direct and indirect identifiers to facilitate secure and private processing. Likewise, data is logically segregated to ensure confidentiality of the information.

Backup and retention

Backup of data is completed on a regular and frequent basis. Siteimprove will store data provided by the Customer on its production environments and backups throughout the duration of the Customer’s MSA with Siteimprove. As soon as the MSA between Siteimprove and the Customer is terminated, Siteimprove will initiate the deletion of data provided by the Customer, as follows:

  • tables in the database containing customer results, history, and specific customizations to the Siteimprove platform will be dropped;
  • crawled website data (HTML) and/or any linked documents (such as PDF files) will be deleted;
  • deletion from backups is initiated; due to backup frequency and technical configuration, data will be fully removed from backups ninety (90) days after initiation.

Authorization and access restrictions

The performance of Siteimprove’s Software Services requires some employees to have access to the systems that process data provided by the Customer. These employees are prohibited from using their permissions to view the data unless required to carry out their defined tasks. Technical controls and audit policies are in place to ensure that any access to data provided by the Customer is controlled and logged. Controls and policies are reviewed on a regular basis. Employee access to data is managed in accordance with the “need to know” and “least privilege” principles, ensuring that access is granted only to those employees who require it to perform their tasks. Assignment of access privileges is aligned with the employee’s current job function responsibilities. This includes an annual review of users to ensure correct allocation of access rights. Multi-factor authentication is implemented wherever technically feasible, and employees’ passwords are protected according to current industry best practices (NIST SP 800-63).

Anti-malware

Malware and endpoint protection solutions are deployed on all Siteimprove employees’ devices, servers and network perimeter gateways. Procedures and responsibilities for detection, prevention and removal of malware and malicious code are implemented and communicated. Systems, devices and equipment used to access information provide host protection capabilities including anti-virus and malware detection, anomaly detection and protection, and local firewalls. These are configured and managed by central policy and updated automatically. For user endpoints, Siteimprove deploys centrally managed patch management of the OS, software and endpoint protection, along with automatic deployment capabilities for applications and services. For servers, Siteimprove has the capability to rapidly patch vulnerabilities across all its computing devices, applications, and systems. Patches are assessed before being applied to production infrastructure equipment to minimize the risk of service disruption.

Logging

Employee activities related to data access and processing events are logged with the following details: username, IP address, time of the activity, activity, reason for the activity. User activity logs are kept for durations dependent on the business need. Logs are kept in a centralized logging solution wherever technically feasible. Logs are inspected as part of internal security event monitoring. Monitoring processes are also independently reviewed as part of Siteimprove’s ISAE 3000 and external financial audits.

User management within Siteimprove Platform

The Customer is responsible for user management within the Siteimprove Platform. Access roles and rights within the Platform are predefined and detailed in the ‘User Roles’ section of the Siteimprove Help Centre. A minimum password policy is in place, but it must be configured by the Customer; more information can be found in the Password Policy FAQ section of the Siteimprove Help Centre. It is also possible to create additional user roles. Regarding authentication, the Platform uses its own repository of users with local authentication. It is possible to configure Single Sign-On (SSO); more information can be found in the SSO FAQ section of the Siteimprove Help Centre.

Employee practices and security awareness

Security Awareness training is provided as part of the new employee onboarding program which all new joiners are required to complete. Employees are made aware of security threats and practices during onboarding as well as on an ongoing basis. Employees are required to complete the mandatory annual training which includes security fundamentals, social engineering and data privacy topics. All Siteimprove employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards. Any violation of Siteimprove policies, procedures, or code of conduct may result in disciplinary actions.

Background checks: Where permitted by applicable law, Siteimprove employees undergo third-party background or reference checks.

Vendor Management Process and Sub-processors

To conduct business effectively, Siteimprove collaborates with various vendors. As part of its Vendor Management Process, Siteimprove assesses the risks tied to the products and services provided by vendors. The Vendor Management Process includes input from the Legal, Information Security, IT and Finance departments. Siteimprove’s vendors are required to commit to standard provisions such as clauses regarding duty of confidentiality. Data processing agreements and other standard contractual clauses are used to further ensure secure collaborations. Siteimprove’s Vendor Management Process includes regular review of vendor security measures. The frequency of review is determined by the criticality and risk rating of the vendor relationship and services.

Physical Security

Data center physical security is managed and operated by Siteimprove’s outsourced data center providers (as listed in Appendix 2). Each data center has appropriate physical security controls in place according to ISO 27001 practices. The controls in place include, but are not limited to, onsite security guards, security patrols, CCTV monitoring, and deployment of access control systems. Access to Siteimprove office locations and restricted areas is granted to authorized individuals and controlled by physical access cards. Visitors only have access to office locations when accompanied by an authorized employee.

Control testing

Internal security audit: A programme of internal security audits is completed annually. The objectives of this audit programme are (i) assuring adherence to the Information Security Framework, (ii) monitoring and following up on regulatory information security requirements relevant to Siteimprove (e.g., Personal Data processing), and (iii) indirectly raising employee awareness around Security and Privacy.

External security audit: Siteimprove undergoes yearly security audits from third parties to obtain an objective view over the effectiveness of its technical and organizational security measures.

Penetration testing: Siteimprove Platform is tested for security vulnerabilities through the completion of independent penetration tests and internal vulnerability assessments.

Provision of Security Documentation

After the Customer signs a non-disclosure agreement (‘NDA’), Siteimprove will enable the Customer to review the following documents and information to demonstrate compliance with Siteimprove’s obligations:

  • the certificates issued for Siteimprove infrastructure providers in relation to the ISO 27001 Certification.
  • the current SOC 2 Report for Siteimprove infrastructure providers.
  • the current penetration testing attestation for Siteimprove Platform.
  • the current platform architecture for Siteimprove Platform.

Security contact

Siteimprove does not employ a Data Protection Officer, as the scale and nature of the Processing conducted by Siteimprove do not reach the threshold at which appointing one is required. The single point of contact for Siteimprove security matters is the Siteimprove Information Security team: security@siteimprove.com

Customers can subscribe to status.siteimprove.com to be kept up to date with any ongoing incidents and outages. Any upcoming system maintenance updates will also be shown on this page.