1. Overview

At Sitemap.xml, we treat security as a foundational pillar of our product, infrastructure, and company culture. This policy outlines how we collect, process, store, and protect your data, as well as our commitments to transparency, compliance, and responsible disclosure.

Our platform processes sensitive metadata, URL structures, and indexing signals for thousands of websites daily. We maintain rigorous engineering standards, continuous monitoring, and zero-trust architecture to ensure the integrity and confidentiality of your data.

2. Data Collection & Processing

We only collect data necessary to deliver our core services. This includes:

  • Site Metadata: URLs, page titles, meta descriptions, update frequencies, and priority values.
  • Usage Analytics: API request logs, indexing status, crawl errors, and performance metrics.
  • Account Data: Registration information, authentication credentials, and billing details (processed securely via PCI-DSS compliant providers).
  • System Logs: Infrastructure health, error tracking, and security event logs.

Note: We never sell, rent, or share your data with third parties for marketing purposes. All processing is strictly limited to service delivery and security operations.

3. Encryption & Data Protection

All data transmitted to and from our platform is encrypted using TLS 1.3 with strong cipher suites. Data at rest is encrypted using AES-256-GCM across all storage layers, including databases, backups, and file systems.

We implement:

  • End-to-end encryption for API keys and authentication tokens
  • Regular key rotation and secure key management via HSM-backed services
  • Automated backup encryption with geographic redundancy
  • Strict data retention policies with automated purging of obsolete records

4. Access Control & Authentication

Access to customer data and internal systems follows the principle of least privilege. All employee access is role-based, audited, and time-bound.

  • Multi-factor authentication (MFA) is mandatory for all internal accounts
  • Session tokens use short-lived JWTs with automatic invalidation
  • Administrative access requires hardware-backed security keys
  • Regular access reviews and automated de-provisioning for departed personnel

5. Vulnerability Disclosure & Incident Response

We maintain a responsible disclosure program for security researchers. If you discover a vulnerability, please report it immediately to security@sitemap.xml. We aim to acknowledge reports within 24 hours and provide status updates every 48 hours.

In the event of a security incident, our response protocol includes:

  • Immediate isolation and containment of affected systems
  • Forensic analysis and threat eradication
  • Transparent notification to affected customers within 72 hours
  • Post-incident review and remediation implementation

6. Compliance & Standards

Sitemap.xml adheres to globally recognized security and privacy frameworks:

  • GDPR & CCPA: Full compliance with data subject rights, including access, deletion, and portability.
  • SOC 2 Type II: Annual audits covering security, availability, and confidentiality.
  • ISO 27001: Certified information security management system.
  • PCI-DSS: Compliant payment processing for all billing operations.

7. Third-Party Services & Subprocessors

We carefully vet all third-party providers. Current infrastructure partners include AWS (compute & storage), Cloudflare (CDN & DDoS protection), and SendGrid (transactional email). All subprocessors sign strict data processing agreements (DPAs) and are bound by the same security standards we enforce internally.

We maintain an up-to-date subprocessor list and notify customers of material changes with opt-out rights where applicable.

8. Policy Updates

This security policy is reviewed quarterly and updated as needed to reflect technological advancements, regulatory changes, or operational improvements. Material changes will be communicated via email and in-app notifications at least 30 days before implementation.

9. Contact Us

For security inquiries, vulnerability reports, or compliance documentation requests, please reach out:

  • Security Team: security@sitemap.xml
  • Data Protection Officer: dpo@sitemap.xml
  • PGP Key: Download Public Key

We value transparency and are committed to building trust through secure, reliable, and open practices.