1. Security program
SmartGEO is built for controlled SEO and GEO operations. The product handles sensitive integration credentials, website audit data, Search Console data, CMS mappings, approvals, and publication workflows, so security is treated as part of the product design.
2. Current safeguards
We use layered technical and organizational controls to reduce risk.
- HTTPS-only production access through geo4seo.com and api.geo4seo.com.
- Encrypted storage for CMS and Google integration credentials.
- Human approval, final preview, CMS mapping checks, and rollback-oriented write paths for publishing workflows.
- Rate limits and abuse controls on authentication, email, CMS, and API flows.
- Separate production workers for crawl, schedule, GSC sync, and measurement jobs.
- Health checks for API, frontend, MongoDB, Redis, and workers.
- Sentry monitoring for production errors and incident investigation.
- Secrets managed through production environment variables, not committed to the repository.
- Repository security reviews, dependency checks, and targeted tests before release batches.
3. Customer responsibilities
Security also depends on correct customer configuration.
- Use least-privilege Google, CMS, and WordPress application credentials.
- Revoke credentials immediately if they are exposed or no longer needed.
- Allow SmartGEO through Cloudflare or WAF rules only for the required API paths and only from trusted SmartGEO IPs.
- Review previews before approving publication.
- Keep CMS platforms, plugins, themes, and companion plugins updated.
- Remove users who should no longer access a workspace or connected system.
4. Responsible disclosure
If you believe you found a vulnerability in SmartGEO, please report it responsibly to smartgeo@galylio.com with the subject line 'Security report'.
Include affected URL, steps to reproduce, impact, screenshots or logs if useful, and whether any customer data may have been accessed.
5. Testing rules
Do not run destructive tests, denial-of-service tests, social engineering, spam, credential stuffing, data exfiltration, or tests against customer websites or CMS instances without written permission.
We do not authorize testing that harms availability, integrity, privacy, or third-party systems.
6. Response process
We aim to acknowledge valid security reports within a reasonable period, investigate severity, apply fixes according to risk, and coordinate disclosure when appropriate.
Eligibility for any recognition, bounty, or credit is not guaranteed unless a separate written program is published.
7. Incidents
If we confirm a security incident affecting customer data, we will investigate, contain, remediate, and notify affected parties as required by applicable law and contractual commitments.