Data Security at Sitefy
Last Updated: 12/2/2026
Applies to: All services operated globally
At Sitefy (“Sitefy”, “we”, “us”, or “our”), data security is foundational to how we build, operate, and scale our technology.
We follow a defense-in-depth approach that combines technical safeguards, operational discipline, governance controls, and responsible engineering practices across every layer of our infrastructure and organization.
Security and privacy are built into our systems by design and by default.
1. Our Security Principles
We operate according to the following core principles:
Least privilege and need-to-know access
Encryption in transit and at rest
Secure Software Development Lifecycle (SSDLC)
Continuous monitoring and rapid incident response
Vendor and sub-processor due diligence
Data minimization and purpose limitation
Shared responsibility with our customers
2. Types of Data We Handle
We process limited categories of data necessary to operate our services.
Customer Content
Data uploaded, generated, or processed within Sitefy platforms by customers or their users.
Account & Billing Information
Contact information, billing details, and subscription data.
Service Metadata
Logs, telemetry, diagnostics, and system activity data necessary for performance, reliability, and security.
We collect only what is required and retain data only for defined operational or legal purposes.
3. Governance & Accountability
Executive Oversight
Security and privacy oversight exists at the leadership level with defined accountability.
Policies
We maintain documented policies covering information security, access control, incident response, vendor risk management, acceptable use, and secure coding standards. Policies are reviewed periodically and updated as needed.
Training
All personnel complete security, privacy, and awareness training upon onboarding and at regular intervals.
4. Compliance & Global Alignment
Our security program is aligned with recognized international standards and privacy frameworks, including:
ISO/IEC 27001 principles (alignment; no implied certification)
NIST Cybersecurity Framework guidance
OWASP security best practices
GDPR and UK GDPR
CCPA/CPRA (United States)
LGPD (Brazil)
PIPEDA (Canada)
POPIA (South Africa)
Other applicable global privacy regulations
Where personal data is transferred across borders, we implement safeguards permitted under applicable laws.
5. Data Classification & Handling
We classify data into categories such as Public, Internal, Confidential, and Restricted.
Each category includes defined handling procedures for storage, access, transmission, and retention.
Sensitive data receives enhanced controls, including stricter access and additional monitoring.
6. Encryption & Key Management
In Transit
All external communications are encrypted using TLS 1.2+ with modern cipher suites.
At Rest
Databases, object storage, file systems, and backups use industry-standard encryption such as AES-256 or equivalent.
Key Management
Encryption keys are managed through secure key management systems with controlled access, rotation practices, and separation of duties.
7. Access Controls & Identity Security
Role-Based Access Control (RBAC)
Just-in-time access for production environments
Mandatory multi-factor authentication (MFA) for privileged access
No shared administrative credentials
Logged and reviewable access activity
Single Sign-On (SSO) support is available where applicable.
8. Secure Development Lifecycle (SSDLC)
Security is integrated throughout product development.
Threat modeling during design
Code reviews for all changes
Static and dependency scanning
Secret detection
Dynamic testing for critical services
Segregated development, staging, and production environments
Formal change management processes
Vulnerabilities are prioritized and remediated using risk-based timelines.
9. Infrastructure & Network Security
Our infrastructure is hosted on reputable cloud providers offering physical security, redundant systems, and certified data center facilities.
We implement network segmentation, private subnets, web application firewalls (WAF), DDoS mitigation, hardened system images, and timely patch management.
Backups are encrypted and periodically tested for restoration capability.
10. Monitoring, Logging & Detection
We maintain centralized logging for authentication events, administrative activity, configuration changes, and system performance.
Security alerts and anomaly detection are monitored continuously.
Audit logs are retained for defined periods to support investigations and compliance.
11. Business Continuity & Disaster Recovery
We maintain documented Business Continuity and Disaster Recovery (BCP/DR) plans.
Redundancy across availability zones where supported
Periodic recovery testing
Risk-based recovery objectives (RTO/RPO)
Plans are reviewed and refined as systems evolve.
12. Incident Response
We maintain formal incident response procedures including triage, containment, eradication, recovery, and post-incident review.
If a data incident affecting you occurs, we will notify you without undue delay in accordance with applicable law and contractual obligations.
13. Vendor & Sub-Processor Management
Before onboarding vendors that may process customer data, we conduct security and privacy due diligence.
We implement contractual data protection commitments and transfer safeguards where required.
Critical vendors are reviewed periodically.
Information about sub-processors may be made available upon request where applicable.
14. Data Retention & Deletion
Retention schedules are tied to purpose and regulatory obligations.
When data is deleted, it is removed from active systems and subsequently from backups according to defined retention cycles.
Upon contract termination, customers may request data export prior to deletion, subject to agreement terms.
15. Shared Responsibility
Customers play an important role in security. We recommend enabling MFA and SSO, reviewing user permissions regularly, configuring retention settings appropriately, and keeping devices and browsers secure and updated.
16. AI & Model Safety (Where Applicable)
Where AI features are provided, Customer Content is processed solely to deliver the service.
We do not use Customer Content to train foundational models without explicit agreement.
Prompts, outputs, and intermediate data are protected using encryption and access controls similar to other Customer Content.
17. Children’s Data
Our services are not directed toward children where local laws restrict such processing.
We do not knowingly profile children for advertising or behavioral tracking.
18. Responsible Disclosure
We support responsible vulnerability disclosure.
If you identify a potential security issue, please contact:
Include the affected service, steps to reproduce, and potential impact. Please avoid actions that could disrupt services or access other users’ data.
We will acknowledge receipt and investigate verified issues.
19. Contact Information
Security inquiries: support@sitefy.co
Privacy inquiries: support@sitefy.co