Skip to content
Security & vendor overview

Everything your reviewer needs, in plain language

A whitepaper-style summary of how GrowMyWebsite handles identity, data, auditability, and security — written for a procurement or legal reviewer, and scrupulously honest about what we've earned versus what's still on the roadmap.

Identity & access

Who can get in, and what they can do

Controls over authentication, roles, and approval before anything is published.

Single sign-on (SAML 2.0)

Enterprise customers can connect their identity provider over SAML 2.0 — self-serve where your IdP is supported, with assisted setup otherwise. SCIM auto-provisioning is on our roadmap, not yet available.

Role-based access control

Enforced roles (admin / member / viewer) scope what each user can see and do. Publishing content, social posts, and replies runs through an approval step before anything goes live.

Two-factor authentication

Users can turn on TOTP-based two-factor authentication for their own accounts. Organization-wide enforced MFA is on our roadmap.

Data governance

The customer owns the data

Export, deletion, and residency — the fundamentals a procurement team checks first.

You own your data — and can take it with you

Download a full export of your account data — projects, audits, content, leads, backlinks, competitors, prompts, reviews, contacts, activity log and everything else you own — as a single file, any time from your dashboard. Your information is yours; we don't lock it in.

Self-serve account deletion

Delete your account yourself, any time, from your dashboard. We cancel any active billing, remove the data you own, and delete your login immediately — no email required. GDPR and CCPA/CPRA data-subject rights are honored worldwide.

US-hosted, data-minimizing

Application and database infrastructure is hosted in the United States. We practice data minimization — collecting only what's needed to run the service.

Auditability

A tamper-evident audit log

One of the strongest controls we can show a reviewer: a real, append-only, cryptographically chained record of sensitive actions.

How it works

  • Every sensitive action is recorded in an append-only audit log — entries can be added but not edited or deleted.
  • The log is tamper-evident: records are cryptographically hash-chained, so any alteration to a past entry breaks the chain and is detectable.
  • The log is exportable with verification, so your own security or compliance team can independently confirm its integrity.
Security posture

Encryption, least privilege, and vetted vendors

The baseline security controls, summarized. Full detail lives on our security page.

Encryption in transit & at rest

All traffic is served over HTTPS/TLS. Our managed Postgres database (Supabase) encrypts stored data at rest by default.

Least-privilege access

Sensitive operations run server-side with scoped service credentials. Internal admin areas are gated and not reachable by regular accounts.

Vetted subprocessors

We rely on a short list of established providers, each with a strong security track record. The full list and purposes are published on our security page.

SubprocessorPurpose
VercelApplication hosting & global CDN
SupabaseDatabase & authentication
StripeCard payment processing
NOWPaymentsCryptocurrency payment processing (optional)
AnthropicAI processing (audits & content)
ResendTransactional email delivery
PostHogPrivacy-respecting product analytics
Certifications

On our roadmap — not yet earned

We will never claim a certification we haven't earned. Here's the honest status of the attestations and capabilities reviewers often ask about.

Not yet in place

  • SOC 2 Type II — targeted; not yet audited
  • ISO 27001 — targeted; not yet certified
  • FedRAMP authorization — long-term; not yet in process
  • SCIM auto-provisioning & directory sync — roadmap
  • Formal contractual SLA with service credits — roadmap (see our SLA page)
  • Dedicated single-tenant isolation — roadmap

If any of these is a hard requirement before purchase, tell us — we'll say honestly where each item stands and whether we can meet your timeline. See our security page for the full public-sector posture and our SLA page for reliability.

For procurement & legal

What your team can request

Email us and we'll turn these around quickly so you can complete your review.

Data Processing Agreement (DPA)

Signed on request for organizations that need one.

VPAT / Accessibility Conformance Report (ACR)

Available on request; also generate one with our free tool.

Security & privacy questionnaire

We complete standard vendor questionnaires.

W-9 & vendor onboarding forms

Provided for vendor setup.

Invoicing by PO / ACH

Available for annual plans.

Master Services Agreement (MSA)

Available on request. Our MSA sets out the commercial and legal terms of the relationship — scope of service, fees and payment, confidentiality, data protection, warranties and disclaimers, liability, and termination. We share the actual document on request; the terms are reviewed with counsel before signing.

Send requests to hello@growmywebsite.com.

This overview is a plain-language summary of our security, data, and vendor practices for evaluation purposes. It is not a contract, a warranty, or legal advice, and it does not grant any certification. Binding terms — including any DPA, MSA, or SLA — are set out in the relevant signed agreement. We update this page as the platform evolves.

Grow with a vendor you can verify

Create your free site in minutes — no credit card, and you own and export everything you build.