Built for Trust & Safety

Security is our absolute highest priority. Here are the measures we take to protect and defend the SSLforSaaS platform.

TLS 1.3 enforced on all endpoints
SOC 2 aligned practices
Data & Storage

We protect your data

All data is written to multiple disks instantly, backed up daily, and stored in multiple geographically distributed locations. No single point of failure can compromise your data.

Multi-disk replication
Every write is instantly replicated to multiple disks, eliminating hardware failure as a risk.
Daily encrypted backups
Automated daily backups with AES-256 encryption, retained across multiple geographic regions.
Multi-region storage
Data is distributed across geographically separated data centers to guarantee availability.
99.99% uptime SLA
Our infrastructure is designed and monitored to maintain our published service level agreement.
Privacy

Your users' data never leaves our servers

We draw a strict line between data about you and data about your users. While your billing information is shared with our payment processor and your account profile is accessible in our support tools, any data about your users (such as their custom domain names) is never shared with any external providers and never leaves our server cluster.

What we store about your users
Only the information necessary for SSL certificate lifecycle management — specifically the custom domain name — is retained. This data is used exclusively for certificate provisioning, renewal, and re-issuance. We do not build profiles or analytics from your users' domain data.
Logging

We don't collect or store traffic information

When SSLforSaaS is set up, only information regarding the SSL certificate of a custom domain is saved. We do not log or retain HTTP traffic, request payloads, or visitor data passing through provisioned domains.

No HTTP traffic logging on provisioned domains
Application logs are permanently deleted after 14 days
Certificate metadata retained only as long as the domain is active
No analytics or telemetry collected from custom domain traffic
Encryption

Encrypting data in transit

Whenever data is in transit between you and our platform, everything is encrypted end-to-end. We enforce modern transport security across all connections — no exceptions.

TLS 1.3 enforced
All API endpoints, the dashboard, and the provisioning pipeline run exclusively over TLS 1.3.
Secure cookies
All session cookies are set with the Secure and HttpOnly flags to prevent interception and XSS access.
HSTS preloaded
HTTP Strict Transport Security is enforced to prevent protocol downgrade attacks across all our domains.
No legacy protocols
SSLv3, TLS 1.0, and TLS 1.1 are fully disabled. Only TLS 1.2 (for compatibility) and TLS 1.3 are accepted.
Infrastructure

Hosted on Google Cloud Platform

SSLforSaaS is hosted on Google Cloud Platform. Our database is managed by Google Cloud SQL, ensuring redundancy, high availability, and trustworthy automated encrypted backups.

GCP Compliance Certifications
Google Cloud Platform is certified for ISO 27001, SOC 1/2/3, PCI DSS, HIPAA, and FedRAMP, and undergoes several independent third-party audits for data safety, privacy, and security.
Dedicated VPC network with locked-down firewall rules and no public database exposure
Managed Cloud SQL with automatic failover, point-in-time recovery, and encrypted backups
Infrastructure updated regularly with the latest security patches and OS hardening
Cloud Armor DDoS protection and Web Application Firewall on all external endpoints
Organization

Organizational security practices

Security is built into how we work as a team, not just into our technology. We operate under the principle of least privilege and enforce strong access controls across all internal systems.

Least-privilege access. Employees are assigned the lowest level of access that allows them to perform their work. Permissions are reviewed regularly and revoked when no longer needed.
Two-factor authentication. 2FA is enforced on all sensitive internal systems — including GCP, code repositories, and the admin dashboard.
Password management. All employees use approved password managers (1Password or equivalent) to generate and store unique, strong passwords that are never reused across systems.
Device security. All employees encrypt local hard drives and enable screen locking. Customer data is never stored on personal devices.
Restricted admin access. Access to application admin functionality is restricted to a small, named subset of SSLforSaaS staff, with all actions fully audited.
Engineering

Engineering & deployment security

Our software development lifecycle includes security checkpoints at every stage — from code review to production deployment.

Continuous Integration testing. All code changes are thoroughly tested through our CI pipeline before merging, with automated test suites covering security regression scenarios.
Staging environment. Every change is tested in a production-identical staging environment before it is deployed to customers.
Dependency vulnerability scanning. We use automated tools to detect known security vulnerabilities in dependencies and are aggressive about patching and deploying fixes quickly.
Uptime monitoring. Multiple synthetic probes monitor uptime 24/7. Key engineers receive automated alerts via email and SMS for any incident.
Log retention policy. Application logs are automatically and permanently deleted after 14 days in accordance with our data minimization principle.
Testing

Penetration testing

On top of our development-related continuous testing, we conduct periodic third-party manual penetration testing of both our application layer and underlying infrastructure.

Third-party pen testing
Independent security firms perform application and infrastructure penetration tests on a scheduled basis.
Continuous vulnerability scanning
Automated scanners run continuously against our infrastructure to identify newly disclosed vulnerabilities before they can be exploited.
Responsible disclosure
We partner with external security researchers and have a clear process for receiving and acting on responsible vulnerability disclosures.
Remediation tracking
All findings from penetration tests are tracked to resolution with defined SLAs based on severity classification.
Payments

We protect your billing information

All credit card transactions are processed via Stripe using secure encryption — the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on a PCI-compliant network.

We never touch raw card data
SSLforSaaS never sees, stores, or has access to your full credit card number, CVV, or billing address. All sensitive payment data is handled entirely by Stripe on their PCI DSS Level 1 certified infrastructure — the highest level of payment security certification available.
Incident Response

Have a concern? Need to report an incident?

Keeping customer data safe is a top priority and a shared responsibility. Your input and feedback on our security is always appreciated.

Contact our security team
Have you noticed abuse, misuse, an exploit, or experienced an incident? Send urgent or sensitive reports directly to our security address. We respond within 24 hours — please follow up if you don't hear back. For non-urgent requests, submit a general support ticket.
Legal

Additional policies

Our full suite of legal and compliance documents. Security doesn't exist in isolation — it's backed by clear commitments across our terms, privacy practices, and service agreements.