Security

Last Updated: April 14th, 2025


Welcome to Squid, a website analytics service provided by ScriptEngine, Inc. ("Squid," "we," "us," or "our").


This Security Policy outlines the technical and organizational measures we implement to safeguard information and the responsibilities of our users to help maintain a secure environment.


For enterprise customers, additional security terms and commitments are set forth in our Data Processing Addendum, available at https://asksquid.ai/dpa.

1. Data Protection and Encryption

We implement robust encryption to protect data throughout its lifecycle:


Data in Transit:

  • TLS encryption for all data transmitted between users and our services

  • HTTPS enforced across all web interfaces and APIs

  • Encrypted connections to all third-party services


Data at Rest:

  • AES-256 encryption for data stored in our databases

  • Encrypted backups with secure key management

  • Encryption of sensitive data fields including personal identifiers

2. Access Control and Authentication

Access to customer data is strictly controlled through multiple layers of security:


Personnel Access:

  • Access limited to authorized personnel with legitimate business needs

  • Role-based access control (RBAC) with principle of least privilege

  • Multi-factor authentication (MFA) required for all administrative access

  • Regular access reviews and immediate revocation upon role change or termination


Customer Account Security:

  • Strong password requirements enforced

  • Multi-factor authentication available for all accounts

  • Session timeout and secure session management

  • API key rotation and secure credential management

3. Infrastructure Security

Our infrastructure is designed with security as a foundational principle:


Network Security:

  • Web Application Firewall (WAF) protecting against common attacks

  • DDoS protection through Cloudflare

  • Network segmentation and isolation of sensitive systems

  • Intrusion detection and prevention measures


Platform Security:

  • Regular security patches and updates applied promptly for critical vulnerabilities

  • Automated vulnerability scanning and remediation

  • Container security and image scanning

  • Infrastructure as Code (IaC) with security controls

4. Security Monitoring and Incident Response

We maintain continuous security monitoring and have established incident response procedures:


Monitoring:

  • Comprehensive logging and monitoring of security events

  • Automated alerting for suspicious activities

  • Regular log review and analysis

  • Real-time threat detection and response


Incident Response:

  • Documented incident response plan with defined roles and procedures

  • Security breach notification within 72 hours of detection as required by applicable law

  • Forensic investigation capabilities

  • Post-incident analysis and remediation


For details on data breach notification procedures for enterprise customers, see our Data Processing Addendum.

5. Security Audits and Compliance

We regularly assess and validate our security posture:


Audits and Assessments:

  • Periodic security assessments by qualified third-party experts

  • Regular vulnerability assessments

  • Internal security reviews on an ongoing basis

  • Continuous compliance monitoring


Compliance Standards:

  • GDPR (General Data Protection Regulation) security requirements

  • CCPA (California Consumer Privacy Act) security standards

  • Industry best practices and frameworks

  • Commitment to continuous security improvement

6. Application Security

We follow secure development practices throughout our software lifecycle:


Development:

  • Secure coding standards and training for all developers

  • Code review and security testing before deployment

  • Static and dynamic application security testing

  • Dependency scanning and management


API Security:

  • API authentication and authorization

  • Rate limiting and throttling

  • Input validation and sanitization

  • Protection against injection attacks and other OWASP Top 10 vulnerabilities

7. Data Backup and Business Continuity

We maintain comprehensive backup and recovery capabilities:


Backup Procedures:

  • Automated daily backups of all customer data

  • Encrypted backup storage with geographic redundancy

  • Regular backup testing and restoration procedures

  • 30-day backup retention period


Business Continuity:

  • Disaster recovery plan with defined recovery objectives

  • Redundant infrastructure across multiple availability zones

  • Regular disaster recovery testing

8. Third-Party Security

We carefully vet and monitor all third-party service providers:


Sub-Processor Management:

  • Due diligence review of all sub-processors' security practices

  • Data Processing Agreements (DPAs) with all sub-processors handling customer data

  • Regular security assessments of critical sub-processors

  • Complete list of sub-processors available at https://asksquid.ai/subprocessors


Vendor Security:

  • Documented vendor management process

  • Security requirements in all vendor contracts

  • Ongoing monitoring of vendor security posture

9. Data Minimization and Retention

We collect and retain only the data necessary to provide our services:


Data Collection:

  • Collection limited to data necessary for service functionality

  • Pseudonymization and anonymization where feasible

  • No storage of unnecessary personal identifiers


Data Retention:

  • Data retained only as long as necessary for service provision or legal requirements

  • Secure deletion procedures upon account termination

  • Customer-configurable retention settings where applicable

10. Employee Security

Our personnel undergo security training and are bound by strict confidentiality obligations:


Training:

  • Security awareness training for all employees

  • Specialized training for personnel handling sensitive data

  • Regular updates on emerging security threats


Confidentiality:

  • Confidentiality agreements for all employees and contractors

  • Background checks for personnel with access to sensitive systems

  • Clear data handling policies and procedures

11. User Responsibilities

Customers and users play a critical role in maintaining security:


Account Security:

  • Maintain confidentiality of account credentials

  • Use strong, unique passwords

  • Enable multi-factor authentication where available

  • Report suspicious activity immediately


Configuration:

  • Properly configure consent mechanisms before deploying Squid on websites

  • Ensure compliance with applicable privacy laws in your jurisdiction

  • Review and configure data retention settings appropriately


Reporting:

  • Report any security concerns or vulnerabilities to info@asksquid.ai

  • Participate in our responsible disclosure program

12. Security Vulnerability Reporting

We welcome reports of security vulnerabilities:


If you discover a security vulnerability, please report it to:


Email: info@asksquid.ai


We commit to:

  • Acknowledge receipt within 48 hours

  • Provide an initial assessment within 5 business days

  • Work with you to understand and validate the issue

  • Remediate confirmed vulnerabilities based on severity

  • Keep you informed of our progress


Please do not publicly disclose vulnerabilities until we have had an opportunity to address them.

13. Changes to This Policy

We may update this Security Policy from time to time to reflect changes in our practices or for legal compliance. Changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.

14. Contact Information

For questions about our security practices:


Email: info@asksquid.ai

©2025 ScriptEngine, Inc. (dba Squid, Inc.) · All rights reserved.