Security overview.

How we run SpotRivals safely. Encryption, access control, monitoring, incident response. Honest about where we are with formal certifications.

Version: v1.0
Effective: May 1, 2026
Last updated: May 4, 2026
Status: Active

Plain-English summary

How we run SpotRivals safely.

  • EU-only data residency. Application, database, and backups on a single Hetzner server in Germany.
  • TLS in transit, AES-256 at rest for backups and the database volume. Passwords stored as a salted one-way hash by WordPress core.
  • Production access via SSH key + MFA only. No shared credentials, no password-based SSH, no admin panel exposed to the public internet.
  • Daily backups, 35-day rolling retention. Encrypted at rest, restorable to a clean host.
  • Sentry for error monitoring; security log review on a weekly cadence; documented incident-response plan.
  • No SOC 2 yet. We are a small team and we will not pretend otherwise. The roadmap section is honest about what is on the horizon.

This page describes the technical and organisational measures SpotRivals uses to protect customer data. It is normative: a stack change that materially reduces protection requires an update here and a 30-day notice to account owners.

Architecture

SpotRivals runs on a single VPS at Hetzner Online GmbH, in a German data centre. The stack is intentionally small:

  • Web layer: Nginx reverse-proxying PHP-FPM in front of WordPress (Bedrock layout).
  • Application: A custom WordPress theme plus a competitor-monitoring plugin that schedules scrapes via Action Scheduler.
  • Database: MariaDB on the same host, listening only on the loopback interface.
  • Scrapers: Headless HTTP fetchers running as queued jobs; they identify themselves as SpotRivalsBot.
  • AI: Claude (Anthropic API) called server-side; analyses are cached in the database.

A single host is unusual for a SaaS. We are deliberate about it: smaller surface area, simpler reasoning, faster recovery. We will scale out when monitoring volume demands it, and this section will be updated when we do.

Encryption

  • In transit: TLS 1.2 minimum (TLS 1.3 preferred) for all customer-facing traffic. HSTS enabled with max-age=31536000 and includeSubDomains. Certificates issued by Let’s Encrypt, auto-renewed.
  • At rest: Backups are encrypted with AES-256 before being moved off the production host. The MariaDB data volume is encrypted at the disk level.
  • Application secrets: Stripe keys, Anthropic API key, Resend SMTP credentials, Sentry DSN, and database credentials live in environment variables outside the web root.
  • Passwords: WordPress core stores user passwords as salted one-way hashes. We never store, log, or have visibility into raw passwords.

Access control

  • Production server: SSH key authentication only. Two-factor on the account that holds the SSH key. Root login disabled.
  • WordPress admin: Restricted to a small set of staff accounts. XML-RPC is disabled.
  • Database: No direct external access. Read/write only by the application user.
  • Third-party dashboards (Stripe, Resend, Sentry, Anthropic, Hetzner) require MFA on every staff account.
  • Principle of least privilege: Staff get the narrowest scope that lets them do their job. Access is reviewed on departure.

Authentication

Customer authentication uses the WordPress core auth flow:

  • Email + password sign-in with rate-limiting on failed attempts.
  • Session cookies are first-party, HttpOnly, Secure, and SameSite=Lax; they expire after 14 days.
  • Password resets require email confirmation; reset links expire in 24 hours.

Customer-facing two-factor authentication (TOTP) is on the near-term roadmap; SSO/SAML for Pro accounts will follow.
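As an added check (not SpotRivals' own code), the Python helper below parses Strict-Transport-Security and Set-Cookie values and reports where they fall short of the policy stated under Encryption and Authentication above: HSTS max-age of 31536000 with includeSubDomains, and session cookies that are HttpOnly, Secure, SameSite=Lax and no longer-lived than 14 days. The header samples are constructed, not captured from the service.

```python
from __future__ import annotations

HSTS_MIN_MAX_AGE = 31536000  # one year, the max-age stated under Encryption
SESSION_MAX_DAYS = 14        # session lifetime stated under Authentication

def parse_directives(header_value: str) -> dict[str, str | None]:
    """Split 'a=b; c; d=e' into {'a': 'b', 'c': None, 'd': 'e'}; keys lower-cased."""
    out: dict[str, str | None] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        out[key.strip().lower()] = value.strip() if sep else None
    return out

def check_hsts(header_value: str | None) -> list[str]:
    """Return findings for a Strict-Transport-Security value; [] means it matches policy."""
    if header_value is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_directives(header_value)
    findings: list[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not numeric")
    elif int(max_age) < HSTS_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} below policy {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    return findings

def check_session_cookie(set_cookie: str) -> list[str]:
    """Return findings for a Set-Cookie value; the leading 'name=value' pair is ignored."""
    d = parse_directives(set_cookie)
    findings: list[str] = []
    for flag in ("httponly", "secure"):
        if flag not in d:
            findings.append(f"{flag} flag missing")
    if (d.get("samesite") or "").lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None")
    max_age = d.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > SESSION_MAX_DAYS * 86400:
        findings.append(f"Max-Age {max_age}s exceeds {SESSION_MAX_DAYS} days")
    return findings

# Constructed sample header values (not captured from the live service).
GOOD_HSTS = "max-age=31536000; includeSubDomains"
WEAK_HSTS = "max-age=300"
GOOD_COOKIE = "wordpress_logged_in=abc; Path=/; Max-Age=1209600; Secure; HttpOnly; SameSite=Lax"
WEAK_COOKIE = "wordpress_logged_in=abc; Path=/; Max-Age=7776000; SameSite=None"
```

Feed it the raw header values from a `curl -sI` against your own deployment to confirm the stated settings are actually what the server sends.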

Backups

  • Cadence: Database snapshots daily; full filesystem snapshots weekly.
  • Retention: 35-day rolling window. Older snapshots are deleted automatically.
  • Storage: Encrypted at rest with AES-256 and replicated to a second EU region within Hetzner.
  • Restoration tests: A backup is restored to a clean host at least once per quarter to verify recovery procedures.

Monitoring and logging

  • Errors: Application errors are sent to Sentry (EU region). Stack traces and request context are captured; request bodies are not.
  • Server logs: Nginx, PHP-FPM, and SSH logs are kept for 90 days locally with restricted access.
  • Security events: Failed login attempts, anomalous request patterns, and suspended accounts are reviewed weekly.
  • Uptime: External monitoring pings the public endpoints every minute.

Incident response

We maintain a documented incident-response plan with assigned roles (incident commander, communications lead, scribe) and an on-call rotation. The plan covers triage, containment, customer communication, post-mortem, and notification under GDPR Article 33.

For breaches affecting customer personal data: notification within 72 hours of awareness, with a follow-up incident report within 14 days.

Vulnerability disclosure

If you find a security vulnerability in SpotRivals, please email security@spotrivals.com with a description, reproduction steps, and the impact you observed. We will:

  1. Acknowledge within 2 business days.
  2. Triage and respond with our assessment within 7 business days.
  3. Fix critical issues as fast as we can; coordinate disclosure timing with you.
  4. Credit you in the next changelog entry, with your permission.

We do not currently run a paid bug bounty. Please do not test against live customer accounts; create a free trial and use that.

Certifications

We are honest about where we are:

  • SOC 2: Not currently certified. We will pursue SOC 2 Type II if and when our customer base requires it.
  • ISO 27001: Not currently certified. Same reasoning.
  • GDPR: Compliant by design (data minimisation, purpose limitation, EU residency, sub-processor disclosure, in-product export and deletion).
  • PCI DSS: Out of scope. We never see card numbers; Stripe handles all PCI-relevant processing.

Sub-processor security

We use five sub-processors. Before engaging any of them, we review their security posture. Each is scoped to the narrowest job we can give them.

For each sub-processor: what it does, the data it touches, and the region it operates in.

Stripe (Stripe Payments Europe, Ltd.)
  What it does: Subscription billing, card processing, invoicing, VAT IDs.
  Data touched: Email, name, billing address, card details (we never see the full card).
  Region: EU, US

Anthropic (Anthropic PBC)
  What it does: Claude AI analysis of detected page changes (zero-retention contract).
  Data touched: Public competitor page diff text. No account identifiers. Not retained for training.
  Region: US

Resend (Resend, Inc.)
  What it does: Sending the weekly Monday digest, instant alerts, and transactional emails (login, receipts).
  Data touched: Email, display name, message body.
  Region: US

Sentry (Functional Software, Inc.)
  What it does: Error monitoring. Captures stack traces and request context when something breaks server-side.
  Data touched: IP address, user-agent, the URL where the error happened, optionally the user ID. No request bodies.
  Region: EU

Hetzner (Hetzner Online GmbH)
  What it does: Application hosting, database, file storage, scheduled scrapers. Single VPS in the EU.
  Data touched: Everything in the Privacy policy categories: account, product, operational.
  Region: EU

Found something we should know?

Email security@spotrivals.com. We acknowledge within 2 business days.
