Security
Welcome to Squid, a website analytics service provided by ScriptEngine, Inc. ("Squid," "we," "us," or "our").
This Security Policy outlines the technical and organizational measures we implement to safeguard information and the responsibilities of our users to help maintain a secure environment.
For enterprise customers, additional security terms and commitments are set forth in our Data Processing Addendum, available at https://asksquid.ai/dpa.
1. Data Protection and Encryption
We implement robust encryption to protect data throughout its lifecycle:
Data in Transit:
- TLS encryption for all data transmitted between users and our services
- HTTPS enforced across all web interfaces and APIs
- Encrypted connections to all third-party services
Data at Rest:
- AES-256 encryption for data stored in our databases
- Encrypted backups with secure key management
- Encryption of sensitive data fields including personal identifiers
2. Access Control and Authentication
Access to customer data is strictly controlled through multiple layers of security:
Personnel Access:
- Access limited to authorized personnel with legitimate business needs
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) required for all administrative access
- Regular access reviews and immediate revocation upon role change or termination
Customer Account Security:
- Strong password requirements enforced
- Multi-factor authentication available for all accounts
- Session timeout and secure session management
- API key rotation and secure credential management
3. Infrastructure Security
Our infrastructure is designed with security as a foundational principle:
Network Security:
- Web Application Firewall (WAF) protecting against common attacks
- DDoS protection through Cloudflare
- Network segmentation and isolation of sensitive systems
- Intrusion detection and prevention measures
Platform Security:
- Regular security patches and updates applied promptly for critical vulnerabilities
- Automated vulnerability scanning and remediation
- Container security and image scanning
- Infrastructure as Code (IaC) with security controls
4. Security Monitoring and Incident Response
We maintain continuous security monitoring and have established incident response procedures:
Monitoring:
- Comprehensive logging and monitoring of security events
- Automated alerting for suspicious activities
- Regular log review and analysis
- Real-time threat detection and response
Incident Response:
- Documented incident response plan with defined roles and procedures
- Security breach notification within 72 hours of detection as required by applicable law
- Forensic investigation capabilities
- Post-incident analysis and remediation
For details on data breach notification procedures for enterprise customers, see our Data Processing Addendum.
5. Security Audits and Compliance
We regularly assess and validate our security posture:
Audits and Assessments:
- Periodic security assessments by qualified third-party experts
- Regular vulnerability assessments
- Internal security reviews on an ongoing basis
- Continuous compliance monitoring
Compliance Standards:
- GDPR (General Data Protection Regulation) security requirements
- CCPA (California Consumer Privacy Act) security standards
- Industry best practices and frameworks
- Commitment to continuous security improvement
6. Application Security
We follow secure development practices throughout our software lifecycle:
Development:
- Secure coding standards and training for all developers
- Code review and security testing before deployment
- Static and dynamic application security testing
- Dependency scanning and management
API Security:
- API authentication and authorization
- Rate limiting and throttling
- Input validation and sanitization
- Protection against injection attacks and other OWASP Top 10 vulnerabilities
7. Data Backup and Business Continuity
We maintain comprehensive backup and recovery capabilities:
Backup Procedures:
- Automated daily backups of all customer data
- Encrypted backup storage with geographic redundancy
- Regular backup testing and restoration procedures
- 30-day backup retention period
Business Continuity:
- Disaster recovery plan with defined recovery objectives
- Redundant infrastructure across multiple availability zones
- Regular disaster recovery testing
8. Third-Party Security
We carefully vet and monitor all third-party service providers:
Sub-Processor Management:
- Due diligence review of all sub-processors' security practices
- Data Processing Agreements (DPAs) with all sub-processors handling customer data
- Regular security assessments of critical sub-processors
- Complete list of sub-processors available at https://asksquid.ai/subprocessors
Vendor Security:
- Documented vendor management process
- Security requirements in all vendor contracts
- Ongoing monitoring of vendor security posture
9. Data Minimization and Retention
We collect and retain only the data necessary to provide our services:
Data Collection:
- Collection limited to data necessary for service functionality
- Pseudonymization and anonymization where feasible
- No storage of unnecessary personal identifiers
Data Retention:
- Data retained only as long as necessary for service provision or legal requirements
- Secure deletion procedures upon account termination
- Customer-configurable retention settings where applicable
10. Employee Security
Our personnel undergo security training and are bound by strict confidentiality obligations:
Training:
- Security awareness training for all employees
- Specialized training for personnel handling sensitive data
- Regular updates on emerging security threats
Confidentiality:
- Confidentiality agreements for all employees and contractors
- Background checks for personnel with access to sensitive systems
- Clear data handling policies and procedures
11. User Responsibilities
Customers and users play a critical role in maintaining security:
Account Security:
- Maintain confidentiality of account credentials
- Use strong, unique passwords
- Enable multi-factor authentication where available
- Report suspicious activity immediately
Configuration:
- Properly configure consent mechanisms before deploying Squid on websites
- Ensure compliance with applicable privacy laws in your jurisdiction
- Review and configure data retention settings appropriately
Reporting:
- Report any security concerns or vulnerabilities to info@asksquid.ai
- Participate in our responsible disclosure program
12. Security Vulnerability Reporting
We welcome reports of security vulnerabilities:
If you discover a security vulnerability, please report it to:
Email: info@asksquid.ai
We commit to:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 5 business days
- Work with you to understand and validate the issue
- Remediate confirmed vulnerabilities based on severity
- Keep you informed of our progress
Please do not publicly disclose vulnerabilities until we have had an opportunity to address them.
13. Changes to This Policy
We may update this Security Policy from time to time to reflect changes in our practices or for legal compliance. Changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.
14. Contact Information
For questions about our security practices:
© 2025 ScriptEngine, Inc. (dba Squid, Inc.) · All rights reserved.