Security

How we protect your data

Encryption in transit and at rest, vetted subprocessors, no AI-training on your prompts, an honest SOC 2 roadmap, and a real vulnerability-disclosure process.

The short version

  • TLS 1.2+ everywhere, with HSTS on every marketing and product domain.
  • AES-256 at rest on managed Postgres and Redis. Bcrypt password hashes — no plaintext passwords stored.
  • No AI training on your data. We use Anthropic and OpenAI under enterprise terms that prohibit training on customer prompts or outputs.
  • Subprocessors listed publicly on our privacy page. We notify customers of changes.
  • SOC 2 is in scoping, with a Type I target in 2027. We're not pretending otherwise.
  • Vulnerabilities reported to security@killerwebsite.ai get acknowledged within 48 hours.

Data protection in detail

Encryption

All traffic to Website Killer is forced over HTTPS with TLS 1.2 or higher. We enable HSTS with a one-year max-age on apex and www. Data at rest in our managed Postgres and Redis is encrypted with AES-256. Stored secrets — API keys, OAuth tokens — are encrypted in the database with envelope encryption keys held in a dedicated KMS.

Authentication

Passwords are hashed with bcrypt at cost factor 12. Google OAuth is supported. Active sessions can be revoked from account settings. Enterprise customers get SAML 2.0 SSO, SCIM provisioning, and configurable session lifetimes.

Access controls

Production database access is restricted to a small number of named engineers under least-privilege roles. Every administrative action is logged. Production deploys require two-factor approval. Customer data is never copied to engineer laptops.

AI model providers

When you submit a prompt, your prompt and the generated output are sent to one or both of Anthropic (Claude family) and OpenAI (GPT family). Both are governed by enterprise / API terms that prohibit training on customer data. Both retain prompts for short windows (typically 30 days) for abuse prevention, then delete them.

Backups & retention

Postgres is backed up continuously with point-in-time recovery (35-day window). Backups are encrypted with separate keys. When a customer account is deleted, project data is removed within 30 days and purged from all backups within 90 days.

Network & infrastructure

All traffic enters via a managed edge proxy with rate-limiting and DDoS protection. Production runs in a private VPC. SSH access requires SSO + hardware-key 2FA. Custom domains terminate TLS at our edge with certificates from Let's Encrypt.

Who processes your data

Subprocessors

We share data with the infrastructure subprocessors strictly required to operate the service. The full, current list lives on our privacy page.

We notify customers of material changes to this list with at least 30 days' advance notice.

Honest, dated

Compliance roadmap

  • GDPR / UK GDPR / CCPA / CPRA — operational today. Data-subject requests handled within statutory timelines via support@killerwebsite.ai.
  • DPA (Data Processing Addendum) — standard template available for any customer on request, sub-processor list incorporated by reference.
  • SOC 2 Type I — in scoping. Target audit window 2027.
  • SOC 2 Type II — twelve months after Type I.
  • ISO 27001 — not yet in scope. Reassessed quarterly based on enterprise demand.

Report a security issue

Vulnerability disclosure

Email security@killerwebsite.ai with reproduction steps. We acknowledge within 48 hours and prioritize fixes in line with severity:

  • Critical — same-day patch path
  • High — within 7 days
  • Medium — within 30 days
  • Low — next regular release

We coordinate disclosure with the reporter and credit researchers in our changelog when they opt in. PGP public key available on request. Out-of-scope: missing security headers without an exploit chain, theoretical CSRF on unauthenticated endpoints, self-XSS, denial-of-service via brute force.

FAQ

Frequently asked questions

Does Website Killer have SOC 2?

Not yet. We're a 2025-founded company and we're being honest about it: SOC 2 is in scoping now, with a target Type I audit in 2027 and Type II 12 months after. In the meantime we operate under the same control families SOC 2 audits against — access controls, encryption, logging, change management — but they aren't third-party-attested.

Is customer data encrypted?

Yes. In transit via TLS 1.2+ (HTTPS everywhere, HSTS enabled). At rest via AES-256 on managed Postgres and managed Redis. Authentication secrets are hashed with bcrypt; we never store plaintext passwords. Stripe handles all card data under their PCI-DSS Level 1 certification.

Does Website Killer train AI models on my prompts or generated sites?

No. We use Anthropic and OpenAI under enterprise terms that explicitly prohibit training on our customer data. Your prompts and generated outputs are processed for inference only and retained by those providers for short abuse-prevention windows (typically 30 days) before deletion.

Are you GDPR and CCPA compliant?

Yes. We've published a privacy policy that covers GDPR (EU/UK/CH) and CCPA/CPRA (California) rights — access, rectification, erasure, portability, restriction, objection, withdrawal of consent, and complaints. Email support@killerwebsite.ai with 'Privacy request' to exercise any right; we respond within 30 days.

How can I report a security vulnerability?

Email security@killerwebsite.ai with reproduction steps. We acknowledge within 48 hours, fix in line with severity (critical: same-day patch; high: 7 days; medium: 30 days; low: next release), and coordinate disclosure with you. PGP public key available on request.

Where is customer data hosted?

Primary hosting is in the United States with EU-region options for paid customers on request. AI inference is routed to Anthropic and OpenAI US regions. International transfers are protected by Standard Contractual Clauses where required.

Do you offer SSO/SAML or audit logs?

Both are on the Enterprise plan. SAML 2.0, SCIM provisioning, and CSV-exportable audit logs covering authentication, project changes, billing events, and admin actions. Contact enterprise@killerwebsite.ai to scope an evaluation.