Enterprise Security

Security You Can Trust

GDPR compliant, OWASP Top 10 aligned, end-to-end encrypted. SOC 2 Type II on our compliance roadmap. Your data security is our priority.

SOC 2 Type II

Planned — formal audit engagement not yet initiated

GDPR Compliant

Full European data protection compliance

OWASP Top 10

Application security standards followed and tested

Authentication & SSO

Supported Methods

  • Google OAuth 2.0 (the only supported login method)
  • JWT-based session tokens (HS256) issued after login

Enterprise SSO

SAML 2.0 and Okta/Azure AD integration available for enterprise accounts upon request. No additional cost for Google OAuth login.

Contact us at [email protected] for enterprise SSO setup.

Comprehensive Security Measures

End-to-End Encryption

All data is encrypted in transit using TLS 1.3 (HTTPS enforced, HSTS enabled). API keys are hashed and session tokens are signed JWTs; no passwords are stored (Google OAuth only). Host-level disk encryption is part of our infrastructure hardening.

API Key Security

Secure API key generation with role-based access controls. Support for key rotation, IP whitelisting, and usage monitoring.

Infrastructure Security

Hosted on a dedicated server (Contabo, EU-France) with Cloudflare in front for DDoS mitigation and CDN. Regular backups and incident response procedures in place.

Audit Logging

API access and administrative actions are logged. Access to logs is restricted to the operator via MFA-protected host access; logs are available for incident investigation on request.

Data Isolation

Strict tenant isolation ensures your data is never mixed with other customers. Each account operates in its own secure environment.

Business Continuity

Regular automated backups, incident response procedures, and Cloudflare-level availability for DNS and CDN. Uptime monitored continuously.

Our Privacy Commitments

We believe privacy is a fundamental right. Here's how we protect yours.

  • We never sell your data to third parties
  • Search query history is retained no longer than 90 days
  • You can delete your search history at any time
  • Right to erasure (GDPR Article 17) supported
  • Data portability options available
  • Transparent data processing practices

Data Loss Prevention & Security Training

Data Loss Prevention

  • Search query history is retained for a maximum of 90 days; a daily automated job purges entries older than that
  • Search result sets are cached transiently (6-hour TTL, 24-hour stale fallback), not retained long-term in the database
  • Submitter IP addresses are pseudonymized; query strings are stored linked to the submitting account only
  • Production data access is limited to the founding engineer via authenticated, MFA-protected sessions

Security Awareness

  • Annual security training covering phishing, secure coding, credential management, and incident response
  • Secure development lifecycle practices applied to all production deployments
  • MFA enforced on all cloud provider consoles, CI/CD pipelines, and DNS management
  • Dependency vulnerability scanning on every deployment

Data Processing & Storage

Infrastructure

All service data resides on a single dedicated server hosted by Contabo GmbH, Lauterbourg, France (EU). Cloudflare sits in front for CDN, DDoS mitigation, and DNS.

  • Server: Contabo GmbH, Lauterbourg, France (EU)
  • Database: Self-hosted MongoDB on the same server
  • Cache: Self-hosted Redis on the same server
  • CDN / DDoS: Cloudflare (EU PoPs)

Engineering and support are provided by the sole founder, located in Bangladesh. All production access is via authenticated, MFA-protected connections with full audit logging.

Data Retention

We follow strict data retention policies:

  • API logs: 30 days
  • Usage analytics: 90 days
  • Billing records: as required by law
  • Account data: until deletion is requested

Sub-processors

Third-party services that may process your data on our behalf.

Vendor       | Purpose                               | Data Processed          | Region
Paddle       | Payment processing                    | Billing info            | United Kingdom / EU
Contabo GmbH | Server hosting (database, cache, app) | All service data        | EU (France)
Cloudflare   | CDN, DDoS protection, DNS proxy       | Request metadata, IPs   | EU PoPs / Global
PostHog      | Product analytics                     | Anonymized usage events | EU (Frankfurt)

Incident Response

In the unlikely event of a security incident, we follow a comprehensive response plan with immediate notification and remediation.

  • Detection: <1 hour
  • Assessment: <4 hours
  • Notification: <24 hours
  • Resolution: <72 hours

Questions about security?

For security disclosures, vendor questionnaires, or detailed security documentation, reach out directly:

[email protected]