Trust & Security
Built for enterprise buyer due diligence.
RANKTYPE LLC runs paid media for brands that take data governance seriously. This page describes the controls we operate to protect client information, the governance practices we apply across our vendor stack, and the commitments we make when handling a confirmed incident.
Last reviewed: April 18, 2026
Site uptime target
Public marketing site availability, measured monthly.
Recovery objectives
24h/24h
RTO 24h · RPO 24h. Daily backups of Site and business systems.
Breach notification
< 72h
Supervisory-authority notification for confirmed personal-data breaches, where required by GDPR Art. 33.
Core controls
The practices below apply to RANKTYPE’s own systems — the public site, our inquiry pipeline, and the business tooling we use to run engagements. Client-owned systems (ad accounts, analytics properties, CMS platforms) operate under the shared-responsibility section below.
Encryption in transit
All traffic to ranktype.com is served over HTTPS with TLS 1.2+ and automatic HSTS. Certificates are managed by our hosting provider and renewed automatically.
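A quick way to verify the "TLS 1.2+ and HSTS" claim from outside is to fetch the response header and check it against policy. The checker below is an added example (Python), not RANKTYPE's own tooling; the header values it scans are constructed, not captured from ranktype.com, and the one-year minimum is the threshold the HSTS preload list uses.

```python
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # seconds; the max-age the HSTS preload list requires


def parse_hsts(header: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into its directives.

    RFC 6797: directive names are case-insensitive, values may be quoted,
    and unrecognised directives must be ignored rather than rejected.
    """
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(header: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Return policy findings for a header value; an empty list means it passes."""
    if header is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(header)
    findings: List[str] = []
    if "max-age" not in d:
        findings.append("max-age missing: browsers ignore the header entirely")
    else:
        try:
            age = int(d["max-age"])
        except ValueError:
            findings.append("max-age is not an integer")
        else:
            if age == 0:
                findings.append("max-age=0 tells browsers to forget the policy")
            elif age < min_age:
                findings.append(f"max-age={age} is below {min_age} seconds")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains remain downgradable")
    return findings


# Constructed sample values, not captured from ranktype.com.
SAMPLE_GOOD = "max-age=63072000; includeSubDomains; preload"
SAMPLE_WEAK = "Max-Age=300"
```

To run it against the live site, feed it the header from `curl -sI https://ranktype.com | grep -i strict-transport-security`. The check is only meaningful on the HTTPS response; browsers ignore an HSTS header delivered over plain HTTP, so a redirect-only HTTP response that carries the header proves nothing.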
Encryption at rest
Data stored by our hosting and vendor stack is encrypted at rest using AES-256 or equivalent, per each provider's platform defaults.
Access controls
Production systems follow least-privilege access. Administrative accounts require strong passwords and multi-factor authentication. Access is reviewed on a quarterly cadence and whenever roles change.
Identity & SSO
Internal tooling is consolidated behind a primary identity provider where supported, with hardware-backed MFA for privileged roles.
Data minimization
We collect the minimum information needed to respond to inquiries and run engagements. Campaign analytics are evaluated in aggregate; personally identifiable data is avoided where it is not required.
Vendor review
Every subprocessor is reviewed against a standard checklist covering data location, DPA availability, SOC 2 / ISO 27001 posture, and incident-response commitments before onboarding.
Incident response
Confirmed personal-data breaches are triaged against GDPR Art. 33. We notify the relevant supervisory authority within 72 hours where required, and notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Infrastructure
The public website is hosted in the United States on managed infrastructure. DNS is delegated to a Tier-1 provider. We do not operate unmanaged servers for client-facing services.
Secure development lifecycle
Changes to the RANKTYPE site and internal tooling flow through a reviewed, automated pipeline. No code reaches production from an unmanaged personal device.
Peer-reviewed change control
Production changes require a pull request, at least one reviewer, and a passing CI run. Direct pushes to the main branch are disabled.
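The rules above map onto a branch-protection configuration, and the control is only as good as the configuration that enforces it. The script below is an added example (Python), not RANKTYPE's tooling: it takes a branch-protection object in the shape GitHub returns from `GET /repos/{owner}/{repo}/branches/{branch}/protection` (field names are assumed from that endpoint's documentation; the sample values are constructed) and reports where it falls short of "pull request, one reviewer, passing CI, no direct pushes".

```python
import json
from typing import Dict, List, Sequence

# Constructed sample in the shape of GitHub's
# GET /repos/{owner}/{repo}/branches/{branch}/protection response
# (assumption: field names as documented for that endpoint; values made up).
SAMPLE_PROTECTION: Dict = json.loads("""
{
  "required_status_checks": {"strict": true, "contexts": ["typecheck", "lint", "build"]},
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": true,
    "required_approving_review_count": 1
  },
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false}
}
""")


def check_branch_protection(
    protection: Dict,
    min_reviews: int = 1,
    required_checks: Sequence[str] = ("typecheck", "lint", "build"),
) -> List[str]:
    """Compare a branch-protection object with the stated change-control policy
    (pull request, one reviewer, passing CI, no direct pushes).
    Returns findings; an empty list means the branch is compliant."""
    findings: List[str] = []

    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull requests not required: direct pushes to the branch are possible")
    else:
        if reviews.get("required_approving_review_count", 0) < min_reviews:
            findings.append(f"fewer than {min_reviews} approving review(s) required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals survive new commits (dismiss_stale_reviews off)")

    checks = protection.get("required_status_checks")
    if not checks:
        findings.append("no required status checks: a failing CI run does not block merge")
    else:
        missing = [c for c in required_checks if c not in checks.get("contexts", [])]
        if missing:
            findings.append("required checks not enforced: " + ", ".join(missing))

    # The caveat most often missed: without enforce_admins, repository admins
    # are exempt from every rule above and can push straight to main.
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("enforce_admins off: administrators can bypass the rules and push directly")
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes allowed: protected-branch history can be rewritten")
    return findings


if __name__ == "__main__":
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PROTECTION
    for finding in check_branch_protection(data):
        print(finding)
```

Save the live configuration with `gh api repos/OWNER/REPO/branches/main/protection > protection.json` and pass the file as the first argument. The constructed sample deliberately leaves `enforce_admins` off, which is the common gap: the page's "direct pushes are disabled" holds for everyone only when that switch is on.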
Automated dependency updates
Renovate tracks upstream releases and proposes upgrades with changelog context. Security advisories are prioritized for same-week review.
CI quality gates
Every pull request runs type checks, linting, and a production build. Failures block merge.
Secrets scanning
Repositories are scanned for leaked credentials on every push, and provider-side secret-scanning is enabled for the hosting platform.
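The scanner that runs on every push combines two kinds of detection: exact patterns for credential formats with a known shape, and an entropy test for anything else that looks like a random value assigned to a secret-sounding name. The script below is an added example (Python) showing that logic over constructed diff lines; it is not RANKTYPE's scanner and the rule set is deliberately small.

```python
import math
import re
import sys
from typing import List, Sequence, Tuple

# Known credential formats (the prefixes are the vendors' published token shapes).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Fallback for unknown formats: a secret-looking name assigned a random-looking value.
ASSIGNMENT = re.compile(
    r"""(?i)\b(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*['"]([^'"]{16,})['"]"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex tops out at 4, random base64 at 6."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines: Sequence[str], entropy_threshold: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line_number, rule) for each line that looks like a leaked credential."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((n, rule))
                break
        else:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= entropy_threshold:
                hits.append((n, "high-entropy-assignment"))
    return hits


# Constructed diff lines; the AWS key is the documented AKIAIOSFODNN7EXAMPLE placeholder.
SAMPLE_DIFF = [
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',
    '+password = "changeme"',  # short dictionary word: not caught, see note below
    '+api_key = "7f3a9c1e2b4d8e6f0a1b2c3d4e5f6a7b"',
    '+description = "this is a plain sentence in the readme"',
    '+-----BEGIN RSA PRIVATE KEY-----',
]

if __name__ == "__main__":
    # Pre-push use:  git diff --cached -U0 | python scan_secrets.py
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_lines(source)
    for n, rule in findings:
        print(f"line {n}: {rule}")
    sys.exit(1 if findings else 0)
```

The third sample line is the caveat: a short dictionary password has low entropy and no recognisable prefix, so neither rule fires. That is why the exact-pattern list matters more than the entropy fallback, and why tools such as gitleaks and the hosting platform's secret scanning ship hundreds of vendor-specific patterns rather than relying on entropy alone.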
Logging, monitoring & backups
We rely on managed services for day-to-day logging, alerting, and backup. We do not operate our own SIEM; instead we tune the detection and retention features offered by our hosting and identity providers.
Centralized logs
Hosting, DNS, and critical SaaS application logs are centralized with the respective providers. Authentication, administrative, and error logs are retained for at least 90 days.
Authentication alerts
Unusual sign-in events (new device, impossible travel, privilege escalation) trigger alerts to the account owner. Suspicious sessions are terminated and reviewed.
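Identity providers implement these three alerts with simple state per user: the set of devices seen, the previous sign-in's location and time, and the previous role. The detector below is an added example (Python), not RANKTYPE's or any provider's code, run over constructed sign-in events; the 900 km/h ceiling and the 100 km jitter floor are assumed thresholds.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set


@dataclass
class SignIn:
    user: str
    ts: datetime        # timezone-aware
    lat: float
    lon: float
    device: str         # stable device identifier from the identity provider
    role: str = "user"  # effective role at sign-in time


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect(events: List[SignIn], max_kmh: float = 900.0, min_km: float = 100.0) -> List[str]:
    """Walk sign-ins in time order and emit the three alert types from the policy:
    new device, impossible travel, privilege escalation."""
    alerts: List[str] = []
    last: Dict[str, SignIn] = {}
    devices: Dict[str, Set[str]] = {}
    for e in sorted(events, key=lambda s: s.ts):
        seen = devices.setdefault(e.user, set())
        if seen and e.device not in seen:
            alerts.append(f"{e.user}: new device {e.device}")
        seen.add(e.device)

        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            # min_km absorbs IP-geolocation jitter between nearby sign-ins;
            # a real distance in zero elapsed time is impossible by definition.
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                alerts.append(f"{e.user}: impossible travel, {km:.0f} km in {hours:.1f} h")
            if e.role == "admin" and prev.role != "admin":
                alerts.append(f"{e.user}: privilege escalation to admin")
        last[e.user] = e
    return alerts


def at(hour: int, minute: int) -> datetime:
    return datetime(2026, 4, 18, hour, minute, tzinfo=timezone.utc)


# Constructed sign-in events; coordinates are approximate city centres.
SAMPLE_EVENTS = [
    SignIn("alice", at(9, 0), 40.71, -74.01, "mac-1"),      # New York
    SignIn("alice", at(10, 30), -33.87, 151.21, "mac-1"),   # Sydney, 90 minutes later
    SignIn("bob", at(8, 0), 30.27, -97.74, "win-1"),        # Austin
    SignIn("bob", at(12, 0), 30.27, -97.74, "phone-2"),     # Austin, unseen device
    SignIn("bob", at(13, 0), 30.27, -97.74, "phone-2", role="admin"),
]
```

Two design points carry over to real deployments: the distance floor keeps VPN and carrier-NAT geolocation noise from paging anyone, and a first-ever sign-in that is already admin produces no escalation alert because there is no prior state to compare against, so new privileged accounts need a separate provisioning control.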
Endpoint protection
Company workstations run up-to-date operating systems with disk encryption, screen-lock enforcement, and endpoint detection and response (EDR) tooling from a reputable vendor.
Backups
Production data for the Site and business systems is backed up on a daily cadence by the hosting provider, with a Recovery Time Objective (RTO) of 24 hours and a Recovery Point Objective (RPO) of 24 hours.
People & access hygiene
Most security incidents at small firms trace back to people and credentials rather than code. These are the practices we apply to every person who touches production or client systems.
- Background checks: All personnel with access to production systems or client data complete a pre-engagement background check appropriate to the jurisdiction in which they are engaged.
- Annual security training: Everyone with system access completes security-awareness training on hire and at least annually thereafter. Training covers phishing, credential hygiene, data handling, and incident reporting.
- Offboarding within 24 hours: When a role ends, accounts, credentials, device access, and shared-secret rotations are completed within one business day. Offboarding is tracked on a checklist and logged.
- Quarterly access reviews: Privileged access to hosting, DNS, email, and business systems is reviewed at least quarterly. Any access that is no longer justified by a current responsibility is removed.
- Device management: Workstations used to access production or client systems are enrolled in mobile device management (MDM), with disk encryption, automatic updates, and remote wipe enabled.
Incident history
We maintain a running record of confirmed security incidents affecting the RANKTYPE Site or our handling of client inquiry data. This section is updated at least quarterly, and immediately after any confirmed incident as required by law and by our client agreements.
No reportable security incidents in the past 12 months.
Last reviewed April 18, 2026. “Reportable” means a confirmed unauthorized access to, or unauthorized disclosure of, personal data processed by RANKTYPE LLC that meets the notification thresholds under applicable law (GDPR Art. 33, U.S. state breach-notification statutes) or under a client’s Data Processing Agreement with us.
If an incident occurs, we will notify impacted clients without undue delay and publish a post-incident summary here after remediation.
Vulnerability disclosure
If you believe you have found a security vulnerability affecting https://ranktype.com, please report it to us privately so we can fix it before it is disclosed publicly. We read every report.
How to report
Email security@ranktype.com. Please include a clear description, reproduction steps, the URL or system affected, and any proof-of-concept material. Encrypted reports are welcome; request our PGP fingerprint in your first message and we will reply with it.
Our machine-readable contact record is published at /.well-known/security.txt per RFC 9116.
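RFC 9116 makes two fields mandatory, Contact and Expires, and a stale Expires is the most common reason a published file fails a reporter's check. The validator below is an added example (Python), not RANKTYPE's file or tooling: the sample security.txt is constructed, with only the Contact address taken from this page, and the Expires and Canonical values are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample in the RFC 9116 format; the only field taken from the page
# is the Contact address. Expires and Canonical values are assumptions.
SERVED_URL = "https://ranktype.com/.well-known/security.txt"
SAMPLE_SECURITY_TXT = """\
# security.txt for ranktype.com (constructed example)
Contact: mailto:security@ranktype.com
Expires: 2027-04-18T00:00:00.000Z
Canonical: https://ranktype.com/.well-known/security.txt
Preferred-Languages: en
"""
REVIEW_DATE = datetime(2026, 4, 18, tzinfo=timezone.utc)

# Field names defined in RFC 9116; names are case-insensitive.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines; comments start with '#', fields may repeat."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, served_url: str, now: datetime) -> List[str]:
    """Return findings against RFC 9116; an empty list means the file passes."""
    f = parse_security_txt(text)
    findings: List[str] = []
    contacts = f.get("contact", [])
    if not contacts:
        findings.append("Contact is mandatory")
    for c in contacts:  # the RFC requires URIs; these are the schemes in common use
        if not c.startswith(("mailto:", "tel:", "https://")):
            findings.append(f"Contact must be a URI (mailto:, tel:, https://), got {c!r}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires is mandatory and must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append("file has expired; reporters may treat the contact as stale")
            elif when - now > timedelta(days=365):
                findings.append("Expires is more than a year out (RFC 9116 recommends less)")
    canonical = f.get("canonical", [])
    if canonical and served_url not in canonical:
        findings.append("Canonical does not list the URL the file is served from")
    for name in f:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field {name!r}")
    return findings


def check_sample() -> List[str]:
    return validate_security_txt(SAMPLE_SECURITY_TXT, SERVED_URL, REVIEW_DATE)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECURITY_TXT
    for finding in validate_security_txt(text, SERVED_URL, datetime.now(timezone.utc)):
        print(finding)
```

Run it against the published file with `curl -s https://ranktype.com/.well-known/security.txt | python check_security_txt.py`. Because Expires is a hard requirement and the RFC recommends keeping it under a year, the file needs a renewal reminder on the same calendar as the page's quarterly review.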
What to expect
- Acknowledgement within 3 business days.
- Triage and severity call within 10 business days.
- Coordinated public disclosure timing agreed with the reporter, once a fix is available.
- Credit in any public write-up, if the reporter wishes.
Safe-harbor statement
For good-faith security research on https://ranktype.com conducted in accordance with this policy, RANKTYPE LLC will not initiate or support legal action against the researcher under the Computer Fraud and Abuse Act or equivalent laws, and will not treat the research as a breach of our Terms of Service.
Please: avoid privacy violations, data destruction, service degradation, and testing of third-party services that we do not operate. Use only your own accounts or test accounts we provide.
Out of scope: denial-of-service, social engineering of employees or clients, physical attacks, spam or volumetric testing, findings on third-party services (report those to the owning vendor).
Certifications, questionnaires & audit rights
We publish our current posture honestly rather than gesturing at “enterprise-grade” language we cannot substantiate. The box below is the full, current answer; details follow.
Current
Not SOC 2 or ISO 27001 certified
RANKTYPE LLC is a small, privately held Wyoming LLC. We do not currently hold a SOC 2 Type II or ISO 27001 certification in our own name.
On request (NDA)
CAIQ-Lite self-assessment
We maintain a completed Cloud Security Alliance CAIQ-Lite self-assessment and a standard security questionnaire response pack, available under NDA for active vendor-review processes.
Roadmap
SOC 2 Type II planned
A SOC 2 Type II attestation is on our roadmap; an observation window has not yet begun. No firm public date has been committed, and we will update this page when the observation window starts.
Underlying provider certifications
The infrastructure providers we build on hold their own certifications (SOC 2, ISO 27001, ISO 27701, PCI DSS, HIPAA where applicable). Their attestation reports are available through their respective trust portals. Where a certification is required for a RANKTYPE engagement, we can reference the relevant provider attestation and propose compensating controls on our side.
Customer audit rights
Where a signed Master Services Agreement and Data Processing Agreement with RANKTYPE LLC provides for audit rights, those rights govern. In the ordinary course, clients exercise audit rights by requesting our CAIQ-Lite response, subprocessor list, and DPA package under NDA; on-site audits are scoped case-by-case and coordinated via privacy@ranktype.com.
Requesting documentation
Our standard Data Processing Agreement, subprocessor list, and security-questionnaire responses are available on request. If you are a current or prospective client conducting vendor review, email privacy@ranktype.com and we will route the request to the appropriate team.
Legal & regulatory frameworks
This section summarizes the frameworks against which we benchmark our practices. It is not legal advice, and the operative terms in any given engagement live in the signed contract with that client.
- GDPR & UK GDPR: Where we act as a processor on behalf of a client, we sign a Data Processing Agreement incorporating the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum. A Transfer Impact Assessment (TIA) is maintained for onward transfers to the United States.
- CCPA / CPRA (California): When processing personal information about California residents on behalf of a client, we operate as a "service provider" within the meaning of Cal. Civ. Code § 1798.140(ag). We do not sell or share personal information in the CCPA sense.
- NY SHIELD Act: We operate a written information-security program reasonably designed to protect the security, confidentiality, and integrity of private information covered by New York General Business Law § 899-bb, including the administrative, technical, and physical safeguards described on this page.
- Massachusetts 201 CMR 17.00: Where personal information of Massachusetts residents is handled, our practices align with the administrative, technical, and physical safeguards required by 201 CMR 17.00, including encryption of portable devices and transmitted records.
- State breach-notification statutes: Confirmed breaches affecting U.S. residents are assessed against each applicable state breach-notification statute, and the relevant state attorney general is notified where required by law.
Changelog
Material changes to this page, with the most recent first. The Last reviewed date at the top of the page is refreshed whenever we re-attest the content, even if no new entry is added here.
April 18, 2026
Expanded Trust & Security page: added metrics, Secure SDLC, logging and backups, people and access hygiene, shared responsibility, vulnerability-disclosure program with safe-harbor, CAIQ-Lite / SOC 2 roadmap, and U.S. state framework references. Published /.well-known/security.txt per RFC 9116.
January 1, 2026
Initial publication: encryption, access controls, vendor review, incident response, and documentation request path.