Security

You hand us the keys. Here’s how we treat them.

A done-for-you service only works if you can safely hand over access — so security isn’t a checkbox for us, it’s the product’s foundation. This page says exactly how your data and credentials are handled. Plain English, verifiable claims.

01

Credentials encrypted at rest — AES-256-GCM

Anything secret you share in onboarding is encrypted with AES-256-GCM before it reaches the database. The encryption key lives only in our server environment — never in code, never client-side. Decryption happens server-side, only when your strategist is actively working, behind an admin allowlist.

02

Invites over passwords, wherever possible

For Google Business Profile we ask for a manager invite to our ops account instead of your password. The best credential is the one you never have to share — and an invite you can revoke in one click keeps you in control.

03

Row-level security on every tenant table

Client data is isolated at the DATABASE layer with Postgres row-level security — every tenant table enforces org-scoped policies, so one client’s workspace physically cannot read another's, even if application code had a bug. Defense in depth, not app-layer promises.

04

Least-access operations

The cross-client admin portal is gated to a fixed allowlist of agency emails, checked server-side on every request and every action. Sessions come from Supabase Auth; there are no shared logins and no client-side trust.

05

Evidence storage, private by default

Files we attach to your plan (screenshots, reports) live in a private bucket. Nothing is public; the links your dashboard renders are short-lived signed URLs minted per view.

06

Email you can trust

Outbound mail is DKIM/SPF-authenticated from our verified domain, and any address that bounces or marks us as spam is automatically suppressed — we never mail it again. Your inbox reputation and ours are protected by the same system.

07

Honest measurement, no data games

Visibility checks send engines your business name and public buyer questions — never your credentials, never your customers' data. Every stored answer is labeled with the engine that produced it and an honest confidence band.

Found a vulnerability? Email team@ranknext.iowith “security” in the subject — a human reads it same-day, and we’ll credit you if you want. Related: Privacy · Terms.

Handover without the anxiety.

Most owners hand over access in under ten minutes — because the safe way is also the easy way.

Invite-first · encrypted at rest · revoke anytime