AI SEO Agents is built on AWS with security as a foundational design principle. This page documents the security architecture, encryption practices, authentication mechanisms, and audit controls that protect your data.
Infrastructure Security
- Serverless architecture — All compute runs on AWS Lambda. No servers to patch, no SSH access to manage, no persistent attack surface.
- IAM least privilege — Each Lambda function has a dedicated IAM role with permissions scoped to exactly the resources it needs. No function has admin access.
- Network isolation — API Gateway provides the only ingress point. Lambda functions communicate with AWS services via IAM-authenticated API calls, not network connections.
- DDoS protection — AWS Shield Standard protects against volumetric attacks at the network layer. API Gateway throttling prevents application-layer abuse.

Encryption
| Data | At Rest | In Transit |
|---|---|---|
| DynamoDB tables | AWS-managed encryption (AES-256) | TLS 1.2+ |
| S3 articles | SSE-S3 (AES-256) | TLS 1.2+ |
| WordPress credentials | AWS KMS CMK encryption | TLS 1.2+ |
| API keys | SHA-256 hashed (irreversible) | TLS 1.2+ |
| OAuth tokens | AWS Secrets Manager (KMS encrypted) | TLS 1.2+ |
| WebSocket connections | N/A (ephemeral) | WSS (TLS 1.2+) |
Authentication
The API supports dual authentication — Cognito JWT tokens and API keys — with a custom Lambda authorizer that handles both:
- Cognito JWT — Short-lived tokens (1 hour) issued by AWS Cognito User Pool. JWKS-verified on every request. Used by the dashboard frontend.
- API Keys — Long-lived keys prefixed with sak_. Hashed with SHA-256 before storage in DynamoDB. Used for programmatic access and integrations.
- WebSocket auth — JWT token passed as query parameter on $connect, verified server-side via JWKS.
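The dual-auth dispatch described above, as an added example written for this page (not the service's own authorizer code). It assumes the credential arrives in the Authorization header, with or without a Bearer scheme, that the DynamoDB lookup is represented by an in-memory dict keyed by the SHA-256 digest, and that JWKS verification is an injected `verify_jwt` callable; the returned `context` carries `user_id` so downstream handlers can scope their queries to it.

```python
import hashlib
import secrets

API_KEY_PREFIX = "sak_"  # key prefix documented on this page


def hash_api_key(raw_key: str) -> str:
    """SHA-256 hex digest; this, never the raw key, is what the DynamoDB row stores."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def generate_api_key() -> str:
    """Mint a sak_-prefixed key with 256 bits of entropy (constructed helper)."""
    return API_KEY_PREFIX + secrets.token_urlsafe(32)


def build_policy(principal_id, effect, method_arn, context=None):
    """Response shape API Gateway expects from a REST Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def authorize(event, key_table, verify_jwt):
    """Dual-auth dispatch. `key_table` maps hash_api_key(key) -> user_id and stands in
    for the DynamoDB table (assumption); `verify_jwt(token)` is an injected JWKS
    verifier returning the Cognito claims dict, or None if signature/expiry fails."""
    method_arn = event.get("methodArn", "*")
    header = (event.get("headers") or {}).get("authorization", "")
    scheme, _, rest = header.partition(" ")
    credential = rest if scheme.lower() == "bearer" else header  # assumed header format
    if not credential:
        return build_policy("anonymous", "Deny", method_arn)
    if credential.startswith(API_KEY_PREFIX):
        # Never compare or store the raw key: look up its digest instead.
        user_id = key_table.get(hash_api_key(credential))
        if user_id is None:
            return build_policy("anonymous", "Deny", method_arn)
        return build_policy(user_id, "Allow", method_arn,
                            {"user_id": user_id, "auth_method": "api_key"})
    claims = verify_jwt(credential)
    if not claims or "sub" not in claims:
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(claims["sub"], "Allow", method_arn,
                        {"user_id": claims["sub"], "auth_method": "cognito_jwt"})
```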
Credential Handling
- WordPress credentials are stored in AWS Secrets Manager, encrypted with a customer-managed KMS key.
- Credentials are never logged — all Lambda logging strips credential fields before output.
- Credentials are never returned in API responses — the dashboard shows site connection status but never exposes passwords.
- Application Passwords are scoped to the specific WordPress user and can be revoked independently.
We recommend creating a dedicated WordPress user (e.g., "seo-agent-bot") with the Editor role for the Application Password. This follows the principle of least privilege — the agent can create and edit posts but cannot change site settings.
Audit Logging
All API requests are logged via API Gateway access logging. Lambda functions emit structured logs to CloudWatch with correlation IDs for request tracing. DynamoDB Streams can be enabled for change data capture on sensitive tables.
Vulnerability Reporting
If you discover a security vulnerability, please report it via our contact page with the subject line "Security Report". We respond within 24 hours and provide updates within 72 hours.
Data Encryption Architecture
AI SEO Agents implements encryption at every layer of the data lifecycle. The encryption architecture protects against both external threats and internal access misuse, using AWS-native encryption services that are independently audited and validated.
- Encryption at rest: All DynamoDB tables use AWS-managed encryption keys (AES-256) with automatic rotation. S3 buckets use SSE-S3 server-side encryption. WordPress credentials and OAuth tokens are encrypted with customer-managed KMS keys (CMK) in AWS Secrets Manager.
- Encryption in transit: All communication uses TLS 1.2 or higher. Internal service-to-service communication uses AWS SDK encryption. WebSocket connections require WSS (WebSocket Secure) protocol.
- Key management: Three tiers of encryption keys: AWS-managed keys for general data, customer-managed KMS keys for sensitive credentials, and SHA-256 hashing for API keys (never stored in reversible form).
- Client-side encryption: For enterprise customers with BYOK requirements, client-side encryption of article content before S3 storage is available. Contact our team to configure this with your own KMS key.
Access Controls and Permissions
The platform implements defense-in-depth access controls at infrastructure, application, and data layers. Every request is authenticated, authorized, and scoped to the requesting user's resources.
| Control Layer | Mechanism | Scope |
|---|---|---|
| API Gateway | Lambda authorizer validates JWT or API key on every request | All endpoints except /health |
| Lambda IAM | Each function has least-privilege IAM role | Per-function, per-resource |
| DynamoDB | All queries include user_id condition for data isolation | Per-user, per-record |
| S3 | Bucket policy restricts access to Lambda execution roles | Per-bucket, per-prefix |
| Secrets Manager | IAM policy limits access to specific Lambda functions | Per-secret |
| WebSocket | JWT verification on $connect, ownership check on subscribe | Per-connection, per-job |
Enterprise accounts have role-based access control (RBAC) with roles including Owner (full access), Editor (content management), Viewer (read-only dashboard), and Billing (subscription management). Manage roles through Settings or the API.
Comprehensive Audit Logging
Every action generates an audit log entry capturing the who, what, when, and where of each operation. Audit logs support security monitoring, incident investigation, and compliance reporting.
- API access logs: Every request logged with method, path, source IP, authentication method, response status, and latency. Stored in CloudWatch with 90-day retention.
- Agent activity logs: Every tool call during a job recorded as a progress event — tool name, parameters (credentials redacted), output summary, and token usage.
- Authentication events: Login attempts, token refreshes, API key creation/revocation, and SSO events logged with user identity and source IP.
- Administrative actions: Changes to agent configs, site connections, webhooks, and permissions logged with before/after snapshots.
- Data access logs: S3 access logging captures every read/write request to article content.
Enterprise customers can export audit logs to their SIEM system (Splunk, Datadog, Elastic) via CloudWatch log subscription filters. Contact our team to configure log forwarding.
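The credential stripping mentioned under Credential Handling ("all Lambda logging strips credential fields before output") and in the agent activity logs ("parameters (credentials redacted)"), as an added example written for this page rather than the service's own logging code. The sensitive field names and the token patterns are constructed assumptions; the emitted line is the structured JSON record with correlation ID that CloudWatch would receive.

```python
import json
import re

# Field names that must never reach a log line (constructed list; extend as needed).
SENSITIVE_KEYS = {"password", "app_password", "application_password", "secret",
                  "token", "access_token", "refresh_token", "api_key", "authorization"}
# Secrets embedded in free-text values: sak_ API keys and bearer tokens (assumed formats).
SECRET_PATTERNS = [re.compile(r"sak_[A-Za-z0-9_\-]{8,}"),
                   re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]+")]
REDACTED = "[REDACTED]"


def _is_sensitive(key: str) -> bool:
    k = key.lower()
    return k in SENSITIVE_KEYS or k.endswith("_password") or k.endswith("_secret")


def redact(value):
    """Return a deep copy of `value` with credential fields and embedded secrets masked.
    Dict keys are matched by name; strings are scanned for secret patterns."""
    if isinstance(value, dict):
        return {k: (REDACTED if _is_sensitive(str(k)) else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pat in SECRET_PATTERNS:
            value = pat.sub(REDACTED, value)
        return value
    return value


def log_event(event_name: str, correlation_id: str, **fields) -> str:
    """Emit one structured log line (JSON) after redaction and return it."""
    record = {"event": event_name, "correlation_id": correlation_id, **redact(fields)}
    line = json.dumps(record, sort_keys=True)
    print(line)  # stdout is what Lambda forwards to CloudWatch
    return line
```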
Vulnerability Management Program
1. Dependency scanning: All Python and JavaScript dependencies scanned for known vulnerabilities in CI/CD. Critical vulnerabilities patched within 24 hours.
2. Container scanning: The WP Publisher Docker image scanned for OS-level vulnerabilities before every deployment. Minimal base images only.
3. Penetration testing: Annual third-party penetration tests cover the API, WebSocket, and dashboard. Results remediated within agreed SLAs.
4. Bug bounty: Security researchers reporting valid vulnerabilities receive acknowledgment and may be eligible for rewards.
Incident Response Plan
Detection and alerting
CloudWatch alarms monitor for anomalous patterns including unusual error rates, authentication failures, and data exfiltration indicators. Alerts reach the on-call engineer within 5 minutes.
Containment
Immediate actions: revoking compromised credentials, blocking suspicious IPs, disabling affected API keys, or isolating compromised Lambda functions.
Investigation
Security team reviews audit logs, CloudTrail events, and CloudWatch metrics to determine root cause, impact scope, and data involved.
Remediation and recovery
Patches applied and validated. Affected credentials rotated. Users receive guidance on needed actions.
Communication
Affected customers notified within 72 hours of confirming a data-impacting incident, per GDPR and our Data Privacy Policy.
Compliance Certifications
| Framework | Status | Availability |
|---|---|---|
| SOC 2 Type II | Aligned (audit in progress) | Enterprise customers on request |
| GDPR | Compliant | All customers |
| CCPA | Compliant | All customers |
| HIPAA | Available with BAA | Enterprise — see HIPAA Compliance |
| ISO 27001 | Inherited from AWS | Available on request |
Related Documentation
- SSO Configuration — Enterprise single sign-on setup.
- HIPAA Compliance — Healthcare data handling requirements.
- Data Privacy — Data retention, isolation, and deletion policies.