AI SEO Agents is built on AWS with security as a foundational design principle, aligned with the OWASP Top 10 security guidelines and the AWS Well-Architected Security Pillar. Our security practices follow the NIST Cybersecurity Framework for risk management and continuous improvement. This page documents the security architecture, encryption practices, authentication mechanisms, and audit controls that protect your data across over 500 managed sites and millions of API requests per month. For related compliance information, see HIPAA Compliance and Data Privacy.
SEO Platform Infrastructure Security
- Serverless architecture — All compute runs on AWS Lambda. No servers to patch, no SSH access to manage, no persistent attack surface.
- IAM least privilege — Each Lambda function has a dedicated IAM role with permissions scoped to exactly the resources it needs. No function has admin access.
- Network isolation — API Gateway provides the only ingress point. Lambda functions communicate with AWS services via IAM-authenticated API calls, not network connections.
- DDoS protection — AWS Shield Standard protects against volumetric attacks at the network layer. API Gateway throttling prevents application-layer abuse.

Encryption
| Data | At Rest | In Transit |
|---|---|---|
| DynamoDB tables | AWS-managed encryption (AES-256) | TLS 1.2+ |
| S3 articles | SSE-S3 (AES-256) | TLS 1.2+ |
| WordPress credentials | AWS KMS CMK encryption | TLS 1.2+ |
| API keys | SHA-256 hashed (irreversible) | TLS 1.2+ |
| OAuth tokens | AWS Secrets Manager (KMS encrypted) | TLS 1.2+ |
| WebSocket connections | N/A (ephemeral) | WSS (TLS 1.2+) |
Authentication
The API supports dual authentication — Cognito JWT tokens and API keys — with a custom Lambda authorizer that handles both:
- Cognito JWT — Short-lived tokens (1 hour) issued by AWS Cognito User Pool. JWKS-verified on every request. Used by the dashboard frontend.
- API Keys — Long-lived keys prefixed with sak_. Hashed with SHA-256 before storage in DynamoDB. Used for programmatic access and integrations.
- WebSocket auth — JWT token passed as query parameter on $connect, verified server-side via JWKS.
Credential Handling
- WordPress credentials are stored in AWS Secrets Manager, encrypted with a customer-managed KMS key.
- Credentials are never logged — all Lambda logging strips credential fields before output.
- Credentials are never returned in API responses — the dashboard shows site connection status but never exposes passwords.
- Application Passwords are scoped to the specific WordPress user and can be revoked independently.
We recommend creating a dedicated WordPress user (e.g., "seo-agent-bot") with the Editor role for the Application Password. This follows the principle of least privilege — the agent can create and edit posts but cannot change site settings.
Audit Logging
All API requests are logged via API Gateway access logging. Lambda functions emit structured logs to CloudWatch with correlation IDs for request tracing. DynamoDB Streams can be enabled for change data capture on sensitive tables.
Vulnerability Reporting
If you discover a security vulnerability, please report it via our contact page with the subject line "Security Report". We respond within 24 hours and provide updates within 72 hours.
Data Encryption Architecture
AI SEO Agents implements encryption at every layer of the data lifecycle. The encryption architecture protects against both external threats and internal access misuse, using AWS-native encryption services that are independently audited and validated.
- Encryption at rest: All DynamoDB tables use AWS-managed encryption keys (AES-256) with automatic rotation. S3 buckets use SSE-S3 server-side encryption. WordPress credentials and OAuth tokens are encrypted with customer-managed KMS keys (CMK) in AWS Secrets Manager.
- Encryption in transit: All communication uses TLS 1.2 or higher. Internal service-to-service communication uses AWS SDK encryption. WebSocket connections require WSS (WebSocket Secure) protocol.
- Key management: Three tiers of encryption keys: AWS-managed keys for general data, customer-managed KMS keys for sensitive credentials, and SHA-256 hashing for API keys (never stored in reversible form).
- Client-side encryption: For enterprise customers with BYOK requirements, client-side encryption of article content before S3 storage is available. Contact our team to configure this with your own KMS key.
Key Management and Rotation
Encryption is only as strong as the key management practices behind it. AI SEO Agents implements a multi-tier key management strategy using AWS KMS with automatic rotation:
- AWS-managed keys (Tier 1) — Used for DynamoDB table encryption and S3 server-side encryption. These keys rotate automatically every year and require no customer action. AWS manages the entire lifecycle.
- Customer-managed KMS keys (Tier 2) — Used for sensitive data: WordPress credentials, OAuth tokens, and API key salts. These keys support custom rotation policies (recommended: every 90 days) and provide detailed CloudTrail audit logs for every key usage event.
- Envelope encryption pattern — Data is encrypted with a data key, and the data key itself is encrypted with the KMS master key. This means even if a data key is compromised, it only affects a single record — not the entire dataset. Re-encryption with a new data key is automatic during key rotation.
- Key access auditing — Every KMS key usage (encrypt, decrypt, generate data key) is logged in CloudTrail with the calling Lambda function, timestamp, and operation. We review key access patterns monthly to detect anomalies.
Platform Access Controls and Permissions
The platform implements defense-in-depth access controls at infrastructure, application, and data layers. Every request is authenticated, authorized, and scoped to the requesting user's resources.
| Control Layer | Mechanism | Scope |
|---|---|---|
| API Gateway | Lambda authorizer validates JWT or API key on every request | All endpoints except /health |
| Lambda IAM | Each function has least-privilege IAM role | Per-function, per-resource |
| DynamoDB | All queries include user_id condition for data isolation | Per-user, per-record |
| S3 | Bucket policy restricts access to Lambda execution roles | Per-bucket, per-prefix |
| Secrets Manager | IAM policy limits access to specific Lambda functions | Per-secret |
| WebSocket | JWT verification on $connect, ownership check on subscribe | Per-connection, per-job |
Enterprise accounts have role-based access control (RBAC) with roles including Owner (full access), Editor (content management), Viewer (read-only dashboard), and Billing (subscription management). Manage roles through Settings or the API.
Comprehensive Audit Logging
Every action generates an audit log entry capturing the who, what, when, and where of each operation. Audit logs support security monitoring, incident investigation, and compliance reporting.
- API access logs: Every request logged with method, path, source IP, authentication method, response status, and latency. Stored in CloudWatch with 90-day retention.
- Agent activity logs: Every tool call during a job recorded as a progress event — tool name, parameters (credentials redacted), output summary, and token usage.
- Authentication events: Login attempts, token refreshes, API key creation/revocation, and SSO events logged with user identity and source IP.
- Administrative actions: Changes to agent configs, site connections, webhooks, and permissions logged with before/after snapshots.
- Data access logs: S3 access logging captures every read/write request to article content.
Enterprise customers can export audit logs to their SIEM system (Splunk, Datadog, Elastic) via CloudWatch log subscription filters. Contact our team to configure log forwarding.
Vulnerability Management Program
1. Dependency scanning: All Python and JavaScript dependencies scanned for known vulnerabilities in CI/CD. Critical vulnerabilities patched within 24 hours.
2. Container scanning: The WP Publisher Docker image scanned for OS-level vulnerabilities before every deployment. Minimal base images only.
3. Penetration testing: Annual third-party penetration tests cover the API, WebSocket, and dashboard. Results remediated within agreed SLAs.
4. Bug bounty: Security researchers reporting valid vulnerabilities receive acknowledgment and may be eligible for rewards.
Incident Response Plan
Detection and alerting
CloudWatch alarms monitor for anomalous patterns including unusual error rates, authentication failures, and data exfiltration indicators. Alerts reach the on-call engineer within 5 minutes.
Containment
Immediate actions: revoking compromised credentials, blocking suspicious IPs, disabling affected API keys, or isolating compromised Lambda functions.
Investigation
Security team reviews audit logs, CloudTrail events, and CloudWatch metrics to determine root cause, impact scope, and data involved.
Remediation and recovery
Patches applied and validated. Affected credentials rotated. Users receive guidance on needed actions.
Communication
Affected customers notified within 72 hours of confirming a data-impacting incident, per GDPR and our Data Privacy Policy.
Compliance Certifications
| Framework | Status | Availability |
|---|---|---|
| SOC 2 Type II | Aligned (audit in progress) | Enterprise customers on request |
| GDPR | Compliant | All customers |
| CCPA | Compliant | All customers |
| HIPAA | Available with BAA | Enterprise — see HIPAA Compliance |
| ISO 27001 | Inherited from AWS | Available on request |
Security Testing Methodology
Security is not a one-time achievement — it requires continuous validation. Our testing methodology covers the full application lifecycle:
- Automated dependency scanning — Every deployment triggers automated scans of Python and JavaScript dependencies against the CVE database. Critical vulnerabilities (CVSS 9.0+) block deployment automatically and are patched within 24 hours. High vulnerabilities (CVSS 7.0+) are patched within 7 days.
- Static application security testing (SAST) — Source code is analyzed for common vulnerability patterns including injection flaws, authentication weaknesses, and insecure data handling. SAST runs on every pull request as a CI/CD gate.
- Annual penetration testing — Third-party security firm conducts comprehensive penetration tests covering the REST API, WebSocket API, dashboard frontend, and WordPress integration layer. All findings are remediated within agreed SLAs, and retest confirms remediation.
- Infrastructure scanning — AWS Config rules continuously monitor for security misconfigurations: public S3 buckets, overly permissive IAM policies, unencrypted resources, and missing logging. Non-compliant resources trigger automated remediation.
Compliance Roadmap
Our compliance posture is actively expanding to meet the requirements of enterprise customers across regulated industries. Here is the current timeline:
| Framework | Current Status | Target Date | What It Means for Customers |
|---|---|---|---|
| SOC 2 Type II | Audit in progress — controls implemented and evidence collection underway | Q3 2026 | Independent verification of security controls over a 6-month observation period |
| ISO 27001 | Inherited from AWS infrastructure; application-level certification planned | Q1 2027 | International standard for information security management systems |
| GDPR | Fully compliant — DPA available | Complete | EU data protection for all customers, including data subject access requests |
| HIPAA | Available with BAA on Enterprise plans | Complete | Healthcare data handling with encryption and audit controls |
Enterprise customers can request our current security questionnaire responses, penetration test executive summary, and compliance documentation by contacting our security team. We respond to vendor security assessments within 5 business days.
Security Monitoring and Alerting
Real-time security monitoring detects and responds to threats before they impact customers. Our monitoring stack processes thousands of security events per minute:
- CloudWatch anomaly detection — Machine learning models baselined on normal API traffic patterns detect unusual request volumes, error rate spikes, and authentication failure patterns. Anomalies trigger PagerDuty alerts to the on-call security engineer within 5 minutes.
- Authentication monitoring — Failed login attempts are tracked per user and per IP. After 5 consecutive failures, the IP is temporarily blocked (15-minute cooldown). Sustained brute-force attempts trigger permanent IP bans reviewed by the security team.
- Data exfiltration detection — Unusual data access patterns (e.g., a single user downloading all articles across all agents) trigger alerts. API responses include rate limiting that caps bulk data extraction to plan-appropriate levels.
- CloudTrail analysis — All AWS API calls are logged and analyzed for privileged action patterns: IAM changes, KMS key access, S3 bucket policy modifications, and Lambda function updates. Changes outside of the CI/CD pipeline trigger immediate alerts.
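The CloudTrail rule from the last item, as an added example that is not the platform's code: privileged control-plane calls (IAM, KMS key management, S3 bucket policy, Lambda updates) made by any principal other than the pipeline role are reported. The CI/CD role ARN, the watch-list and the CloudTrail-shaped sample records are all constructed here.

```javascript
// Added example, not the platform's code. The role ARN, the watch-list and
// the sample CloudTrail records below are constructed for the demo.
const CICD_ROLE_ARN = 'arn:aws:iam::123456789012:role/cicd-deploy-role'; // assumed

// Control-plane actions worth alerting on, per event source. Routine data-path
// calls such as kms:Decrypt from Lambda are left to baseline review instead.
const PRIVILEGED = {
  'iam.amazonaws.com': /^(Create|Attach|Put|Update|Delete)\w+$/,
  'kms.amazonaws.com': /^(PutKeyPolicy|DisableKey|DisableKeyRotation|ScheduleKeyDeletion)$/,
  's3.amazonaws.com': /^(PutBucketPolicy|PutBucketAcl|DeleteBucketPolicy|PutBucketPublicAccessBlock)$/,
  'lambda.amazonaws.com': /^(UpdateFunctionCode|UpdateFunctionConfiguration|AddPermission)$/,
};

// For assumed-role sessions CloudTrail puts the role ARN under sessionIssuer;
// IAM users and root carry it directly in userIdentity.arn.
function principalArn(ev) {
  const id = ev.userIdentity || {};
  const issuer = id.sessionContext && id.sessionContext.sessionIssuer;
  return (issuer && issuer.arn) || id.arn || 'unknown';
}

function isPrivileged(ev) {
  const pattern = PRIVILEGED[ev.eventSource];
  return Boolean(pattern && pattern.test(ev.eventName));
}

// Returns one alert per privileged call not made by the pipeline role.
function findOutOfPipelineChanges(events) {
  return events
    .filter(ev => isPrivileged(ev) && principalArn(ev) !== CICD_ROLE_ARN)
    .map(ev => ({ time: ev.eventTime, action: `${ev.eventSource.split('.')[0]}:${ev.eventName}`,
                  principal: principalArn(ev), sourceIp: ev.sourceIPAddress }));
}

const SAMPLE_EVENTS = [ // constructed, in CloudTrail's JSON shape
  { eventTime: '2025-01-10T12:00:01Z', eventSource: 'lambda.amazonaws.com', eventName: 'UpdateFunctionCode',
    sourceIPAddress: '10.0.1.7', userIdentity: { type: 'AssumedRole',
      arn: 'arn:aws:sts::123456789012:assumed-role/cicd-deploy-role/build-42',
      sessionContext: { sessionIssuer: { arn: CICD_ROLE_ARN } } } },
  { eventTime: '2025-01-10T12:04:33Z', eventSource: 'iam.amazonaws.com', eventName: 'AttachRolePolicy',
    sourceIPAddress: '203.0.113.9', userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::123456789012:user/alice' } },
  { eventTime: '2025-01-10T12:05:10Z', eventSource: 's3.amazonaws.com', eventName: 'GetObject',
    sourceIPAddress: '10.0.1.7', userIdentity: { type: 'AssumedRole',
      sessionContext: { sessionIssuer: { arn: 'arn:aws:iam::123456789012:role/publisher-role' } } } },
  { eventTime: '2025-01-10T12:09:48Z', eventSource: 'kms.amazonaws.com', eventName: 'DisableKey',
    sourceIPAddress: '198.51.100.4', userIdentity: { type: 'AssumedRole',
      sessionContext: { sessionIssuer: { arn: 'arn:aws:iam::123456789012:role/admin-role' } } } },
];
```

Running findOutOfPipelineChanges(SAMPLE_EVENTS) reports the IAM and KMS calls and stays silent on the pipeline's Lambda update and the routine S3 read.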
Related Documentation
- SSO Configuration — Enterprise single sign-on setup.
- HIPAA Compliance — Healthcare data handling requirements.
- Data Privacy — Data retention, isolation, and deletion policies.
About AI SEO Agents
Built on AWS with Claude AI, our platform automates SEO analysis, content generation, and WordPress publishing for sites worldwide. Trusted by agencies and businesses managing multi-site SEO at scale.