
SGEN data security and privacy explained

How to think about data security and privacy with SGEN

Customers ask two related questions: how does SGEN handle the data I put into the platform, and how does SGEN help me meet my obligations to my own visitors? This page answers both, names the controls available to you, and outlines the shared-responsibility model.

The plain version: SGEN encrypts your data, restricts access carefully, and gives you tools to export, delete, and respect your visitors' privacy choices. Your role is to use those tools — enable encryption on your custom integrations, configure visitor consent, export and delete on request, and document your data practices for your own customers.

This guide also covers what is and is not in scope. SGEN handles platform-level security; you handle site-level practices like content correctness, who you grant admin access to, and how you communicate privacy choices to visitors.

What is this for?

Customers ask several security and privacy questions:

  • Is my data encrypted? At rest and in transit?
  • Who can access my data? Just me? My team? Anyone at SGEN?
  • What happens to my data when I delete content or close my account? Is it really gone?
  • Can I export my data? Get a complete copy?
  • How does SGEN handle visitor data? GDPR, CCPA, and similar regulations.
  • Where is my data stored? Geographic locations matter for some compliance regimes.
  • Are there security certifications? SOC, ISO, others.

The answers shape what you can promise your own customers. A retailer with EU visitors needs different commitments than an internal newsletter site. Reading this page once gives you the source material for your own privacy policy and your team's data-handling practices.

Security is a shared responsibility. The platform handles encryption, access controls, certifications, and infrastructure-level security. You handle content correctness, team access management, integration choices, and visitor communication. Both sides matter; neither side covers the other.

Good use cases

A retailer with EU visitors building a GDPR-compliant privacy policy

Reading this page surfaces the data-handling facts you need for your policy.

A company evaluating SGEN against alternatives where data handling is a factor

Security and privacy commitments are part of the comparison.

An agency answering a client's security questionnaire

Many of the questions have answers on this page or in the platform's security documentation.

A team responding to a visitor's data-access request

The page lists the steps to fulfil a Subject Access Request (SAR) using the platform's export tools.

A team responding to a visitor's data-deletion request

Same — the platform's deletion tools let you fulfil these efficiently.

A compliance officer documenting your organization's data-flow map

SGEN is one of your data processors; this page tells you what it does and how.

A customer-success function explaining "how we protect your data" to prospects

Customer-facing answers about data handling.

A product team launching a new feature that touches personal data

Understanding the data-handling defaults helps you build privacy in from the start.

What NOT to use this for

A replacement for reading the platform's privacy policy

The platform publishes a privacy policy and a data processing addendum. This guide summarizes; the formal documents govern.

A legal opinion

Security and privacy practices intersect with legal obligations that vary by jurisdiction. Consult counsel for compliance-critical decisions.

A guarantee that no breach will ever happen

Strong security practices reduce breach probability dramatically but cannot eliminate it. Plan for incident response alongside prevention.

A workaround for your own data-handling responsibilities

The platform handles platform-side security. Your team handles team-side practices.

Permission to skip vendor due diligence

Reading this page is part of due diligence; reviewing the formal documents and security certifications is the rest.

A substitute for visitor consent management on your site

The platform gives you tools; you decide your consent strategy and communicate it to visitors.

How this connects to other features

Account roles and permissions

Access to your data is governed by role. The multi-site permissions guide covers how to scope team access correctly.

Backups

Backups are encrypted with the same protections as live data.

Audit log

Records every admin action. Useful for "who accessed what when" investigations.

Form submissions

Visitor data captured in forms is stored with the same encryption protections.

Media library

Uploaded media is encrypted at rest.

Account closing

Account closure follows the platform's deletion policy; data deletion is part of the process.

API keys

API keys give access to your data programmatically. Treat them like passwords — store them in a secret manager, rotate them periodically.

SSO

Account-level SSO (where available) shifts sign-in security to your identity provider.

Before you start

A short checklist:

  • Read the platform's privacy policy and data processing addendum. They are the formal documents; this guide summarizes.
  • Inventory what personal data you collect on your site. Names, emails, addresses, phone numbers, sensitive categories — list them so you know your obligations.
  • Document your purpose for each data category. Most privacy regimes require you to state why you collect each category.
  • Configure visitor consent if you collect personal data. Cookie consent, opt-in checkboxes, age verification — whichever applies.
  • Set up your data-access and deletion request process. Who handles requests on your team? What is the response timeline?
  • Train your team on basic data-handling practices. Common-sense practices like not sharing admin passwords, not exporting data to personal devices.
  • Pick a secret manager. API keys and integration secrets need a place to live that is not "in someone's email."

Where to go

The relevant locations:

  • Account → Privacy Settings. Account-level privacy configurations.
  • Site → Settings → Privacy. Per-site privacy settings including cookie consent.
  • Site → Settings → Data → Export. Export your site's data.
  • Site → Settings → Data → Deletion. Delete specific data on request.
  • Account → Security. Account-level security settings (SSO, password policies, session length).
  • Platform documentation site → Privacy Policy. Formal privacy policy.
  • Platform documentation site → Security and Compliance. Security certifications, audit reports, more.

Steps — Set up data security and privacy correctly

1. Configure visitor consent

If you serve visitors from regions with consent requirements (EU, parts of the US, others), enable the cookie consent banner at Site → Settings → Privacy → Cookie consent. Pick opt-in or opt-out based on your regulatory regime.

The consent banner shows to first-time visitors. Their choice is remembered for subsequent visits. Visitors can change their choice via a link in your privacy policy or site footer.

2. Write a privacy policy

Most privacy regimes require a published privacy policy. The policy should cover:

  • What personal data you collect.
  • Why you collect it (purpose).
  • How long you keep it (retention).
  • Who you share it with (processors, including SGEN itself).
  • The rights visitors have (access, deletion, correction).
  • How to contact you about privacy.

Link the policy in your site footer and on every page that collects data (forms, sign-ups, checkout).

3. Set your data retention period

At Site → Settings → Privacy → Data retention period, pick how long form submissions and visitor analytics are kept. Common choices:

  • 30 days for sites that collect transient data (e.g., contact forms where the response is the entire purpose).
  • 90 days as a default balanced retention.
  • 1 year for sites that need longer history for legitimate business reasons.
  • Indefinite for sites with no retention obligations — use carefully.

Shorter retention reduces your obligations under most regimes. Pick the shortest period that meets your business needs.

4. Train your team on data handling

A 30-minute team training covers the basics:

  • Do not share admin passwords.
  • Do not export data to personal devices.
  • Do not paste personal data into unrelated systems.
  • Report any suspected security issue immediately.
  • Use the audit log to verify your own work — every action you take leaves a record.

The training is foundational. Anyone with admin access should have done it.

5. Set up data-access and deletion request handling

Visitors have rights to access and delete their data under most regimes. Set up a process to fulfil requests:

  • A designated email or form for requests.
  • A team member responsible for handling requests within the regulation's required timeline (typically one month for GDPR).
  • A documented procedure for using the platform's export and deletion tools to fulfil requests.

Test the procedure once before you need it. A practice run surfaces gaps.

6. Manage API keys carefully

If your site uses API keys for integrations:

  • Store keys in a secret manager, not in code or email.
  • Rotate keys periodically (every 6-12 months).
  • Revoke keys when no longer needed.
  • Use the most restrictive key scope that still works.
  • Review your active API keys quarterly via Site → Settings → API → Keys.

API key handling is one of the most common preventable security issues. Treat the practice seriously.
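The quarterly key review from step 6, as an added example that is not SGEN's own tooling: it applies the page's 6-12 month rotation window, the "revoke when no longer needed" rule and the scope rule to a key inventory. The inventory fields, the scope names and the 90-day "unused" cut-off are assumptions made for this illustration.

```python
from datetime import date

ROTATE_AFTER_DAYS = 365  # upper end of the 6-12 month rotation window
ROTATE_SOON_DAYS = 180   # lower end of that window
STALE_AFTER_DAYS = 90    # assumption: unused for a full quarterly review cycle
BROAD_SCOPES = {"admin", "read-write-all"}  # hypothetical scope names

# Constructed inventory; in practice, transcribe it from your key list.
SAMPLE_KEYS = [
    {"name": "newsletter-sync", "created": date(2023, 1, 10),
     "last_used": date(2024, 5, 30), "scope": "forms:read"},
    {"name": "legacy-importer", "created": date(2023, 11, 2),
     "last_used": date(2023, 12, 1), "scope": "admin"},
    {"name": "analytics-export", "created": date(2024, 4, 1),
     "last_used": date(2024, 5, 31), "scope": "analytics:read"},
    {"name": "never-used", "created": date(2024, 2, 1),
     "last_used": None, "scope": "content:read"},
]


def review_keys(keys, today):
    """Map each key name to the review actions it needs; clean keys are omitted."""
    report = {}
    for key in keys:
        issues = []
        age = (today - key["created"]).days
        if age > ROTATE_AFTER_DAYS:
            issues.append("rotate now: older than 12 months")
        elif age > ROTATE_SOON_DAYS:
            issues.append("schedule rotation: older than 6 months")
        # A key that was never used is measured from its creation date.
        last_activity = key["last_used"] or key["created"]
        if (today - last_activity).days > STALE_AFTER_DAYS:
            issues.append("revoke candidate: unused for 90+ days")
        if key["scope"] in BROAD_SCOPES:
            issues.append("narrow scope: broader than a single integration needs")
        if issues:
            report[key["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in review_keys(SAMPLE_KEYS, date(2024, 6, 1)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```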

7. Configure SSO if available

If your account plan includes SSO, enable it at Account → Security → SSO. SSO shifts sign-in security to your identity provider (the company that handles "log in with Google" or "log in with our internal SSO"). This usually improves overall security because the identity provider handles MFA, session policies, and password requirements centrally.

Test SSO with one team member before rolling out to everyone.

8. Review the audit log periodically

Open Account → Audit Log monthly. Look for:

  • Unexpected admin actions.
  • Logins from unusual locations or unusual times.
  • Changes to permissions or roles you do not remember authorizing.
  • Failed sign-in attempts (could indicate password attacks).

The audit log is your security record. Reading it periodically catches issues early.
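The monthly review above can be partly scripted. The following is an added example, not SGEN's code or export format: it assumes audit entries exported as one JSON object per line with ts, user, ip and action fields, and it flags repeated failed sign-ins, logins from unknown networks or outside working hours, and permission changes. The action names, network range and thresholds are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumptions for this added example (not SGEN's documented export format):
# one JSON object per line with ts, user, ip and action fields.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]  # your office / VPN ranges
WORK_HOURS_UTC = range(7, 20)                    # 07:00-19:59 UTC
PRIVILEGE_ACTIONS = {"role.change", "permission.grant"}  # hypothetical names
FAILED_LOGIN_THRESHOLD = 3                       # failures per user before flagging

# Constructed sample entries; addresses come from documentation ranges.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:00+00:00", "user": "dana", "ip": "203.0.113.10", "action": "login.success"}
{"ts": "2024-03-04T09:30:00+00:00", "user": "dana", "ip": "203.0.113.10", "action": "page.publish"}
{"ts": "2024-03-05T02:41:00+00:00", "user": "lee", "ip": "198.51.100.77", "action": "login.failure"}
{"ts": "2024-03-05T02:41:20+00:00", "user": "lee", "ip": "198.51.100.77", "action": "login.failure"}
{"ts": "2024-03-05T02:41:45+00:00", "user": "lee", "ip": "198.51.100.77", "action": "login.failure"}
{"ts": "2024-03-05T02:43:00+00:00", "user": "lee", "ip": "198.51.100.77", "action": "login.success"}
{"ts": "2024-03-05T02:44:00+00:00", "user": "lee", "ip": "198.51.100.77", "action": "role.change"}
"""


def review(log_text):
    """Return (reason, entry) pairs for entries a reviewer should look at."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        action = entry["action"]
        if action == "login.failure":
            failures[entry["user"]] += 1
            # Flag once, when the count first reaches the threshold.
            if failures[entry["user"]] == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated failed sign-ins", entry))
        elif action == "login.success":
            addr = ip_address(entry["ip"])
            if not any(addr in net for net in KNOWN_NETWORKS):
                findings.append(("login from unknown network", entry))
            hour = datetime.fromisoformat(entry["ts"]).astimezone(timezone.utc).hour
            if hour not in WORK_HOURS_UTC:
                findings.append(("login outside working hours", entry))
        elif action in PRIVILEGE_ACTIONS:
            findings.append(("permission or role change to confirm", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in review(SAMPLE_LOG):
        print(f'{entry["ts"]}  {entry["user"]:<6} {entry["ip"]:<15} {reason}')
```

Each finding is a prompt to check with the team member, not a verdict; the first check in the list, unexpected admin actions, still needs a person who knows what was planned.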

9. Plan for incident response

If a security incident affects you — your account, your data, your visitors — have a plan ready:

  • Who on your team coordinates incident response.
  • How you communicate to affected visitors.
  • How you communicate to regulators (if applicable).
  • How you preserve evidence for any investigation.
  • How you recover and resume normal operations.

The plan does not need to be elaborate. A one-page outline is better than nothing and far better than improvising under stress.

What success looks like

For a small operator: read the privacy policy, enable consent if you have EU visitors, pick a sensible retention period, document your data-handling process. Done in a day.

For a customer-facing business with personal data: add the request-handling procedure and incident response plan. A few days of work; pays off the first time you need it.

For a compliance-regulated business: the standard practices plus your specific regulatory framework. Work with your compliance officer to map the framework to platform features.

For an agency: each client site may have different requirements. Maintain a per-client privacy notes file alongside the client engagement notes.

A team handling security and privacy well feels like:

  • The privacy policy is current and visible. Visitors can find it on every page.
  • Cookie consent works correctly. Visitors who decline are not tracked.
  • Data retention is set to a sensible period. Old data does not linger past its purpose.
  • API keys are in a secret manager. No key has been leaked in chat, code, or email.
  • Team members know what to do if they receive a data-access request. The process is documented and tested.
  • The audit log shows expected activity. Unusual entries are investigated.
  • Quarterly reviews of permissions, API keys, and integrations surface anything stale.

What to do if it does not work

Less-obvious cases:

A visitor reports they cannot find the consent banner

Confirm the consent banner is enabled at Site → Settings → Privacy. Check the banner displays in an incognito browser (existing visitors who already chose may not see it again).

An export is taking longer than expected

Large sites with extensive history can take several minutes. The export job runs in the background and emails you a download link when complete.

A data-access request includes data that is not in the platform

Personal data your business holds may live in multiple systems. SGEN data is one source; CRM, email systems, and physical records may have others. Fulfil from all sources for completeness.

A team member's audit log entry looks wrong

Click the entry for detail. The detail view shows the IP address, user agent, and action. If still unclear, contact the team member directly — most discrepancies have a simple explanation.

An API key was accidentally exposed

Revoke it immediately via Site → Settings → API → Keys. Create a new key. Update your integrations with the new key. Note the incident in your security log.

A visitor reports data they thought was deleted is still showing

Backups retain previous versions for the retention window. The visitor's data is removed from live storage; backups roll off naturally. If the visitor requires backup-level deletion, contact support.

You receive a security advisory from the platform

Read it promptly. Apply any recommended actions (rotating keys, reviewing permissions, etc.). Some advisories are informational; others require action.

A compliance audit asks for evidence of security controls

Pull the relevant platform documentation, your audit log exports, and your own internal policies. The combination is usually sufficient for most audits.

Worked example — Acme Coffee responds to a SAR

A visitor emailed Acme Coffee asking for a copy of all data Acme held about them. The team's response, completed within seven days:

  • Confirmed the request was genuine. Replied to the visitor's email asking them to confirm a piece of identifying information.
  • Documented the request in the team's request log. Date received, visitor identifier, response deadline.
  • Used the platform's export tool to pull form submission history. Filtered to the visitor's email.
  • Pulled additional data from the team's CRM. Acme used a separate CRM for sales correspondence; that data was relevant to the request.
  • Compiled the results into a single PDF. Two sections — SGEN platform data and CRM data — with a brief cover note.
  • Sent the PDF to the visitor via the team's standard secure-delivery method. Confirmed receipt.
  • Updated the request log. Date completed, files sent, any follow-up notes.

Total team time: about an hour. The platform's export tool handled the bulk of the work; the CRM lookup added a few minutes. The request log gives the team a record for compliance purposes.

Worked example — Agency handles a client's GDPR readiness

Acme Studio agency had a client launching a campaign across Europe. The client needed to be GDPR-ready before launch. The agency's checklist:

  • Reviewed the client's data inventory. What forms, what cookies, what tracking. Documented.
  • Configured the consent banner. Opt-in mode; English with planned translations.
  • Wrote a privacy policy for the client. Custom to the client's actual data practices, not a template.
  • Linked the policy in the footer of every page. Plus a separate banner on signup pages.
  • Set the data retention to 90 days. Matched the client's business needs.
  • Documented the request-handling procedure. Email address, response timeline, team members.
  • Briefed the client. Walked them through the consent banner, the policy, the request handling.
  • Tested with an incognito browser. Confirmed the consent banner appeared and recorded the choice correctly.

The campaign launched without privacy issues. The client's GDPR readiness review the following month passed without findings.

Notes on the data security model

A few details worth knowing:

Data is encrypted at rest and in transit. The encryption is automatic; you do not configure it. Your data is unreadable to anyone without the appropriate keys.

Access is role-based. Only people you grant access can see your data. The platform's internal staff access is restricted, audited, and limited to operational necessity.

Data is stored in specific geographies. The platform's data storage locations are documented in the privacy policy. Some plan tiers offer region-specific storage for jurisdictional requirements.

Backups are encrypted with the same protections. Restoring from backup respects the same access controls as live data.

Deletion is a process, not an event. Deleted data is removed from live storage immediately. Backups containing the deleted data roll off according to retention policies. Full deletion completes when all backups containing the data have rolled off.

The platform is not your only data processor. Email providers, payment processors, and other integrations are each separate data processors. Your privacy policy and data-flow map should cover all of them.

Security improvements happen continuously. The platform team makes ongoing security improvements. Major changes appear in the changelog; routine improvements happen quietly.

The platform participates in regular security audits. Independent security firms periodically review the platform's practices. Audit findings drive ongoing improvement.

Common questions

Is my data encrypted? Yes, both at rest (when stored) and in transit (when moving between your browser and the platform, or between the platform and integrations).

Who can access my data inside SGEN? A small set of platform staff with operational responsibilities, with audited access. Visitor data, content, and account details are not accessible to general staff.

Can I delete my data? Yes. Per-record deletion via the admin; full account deletion on request.

Can I export my data? Yes. Site-level export gives you a copy of pages, content, form submissions, and media. Initiated via Site → Settings → Data → Export.

What happens when I close my account? Your data is scheduled for deletion. The deletion follows the platform's documented timeline — typically immediate removal from live storage, with backup rolloff completing within the standard retention window.

Does SGEN comply with GDPR? The platform is designed to support customer GDPR compliance. The platform itself is one processor; the customer remains responsible for determining the purpose of data processing. The platform's Data Processing Addendum covers the processor obligations.

Does SGEN comply with CCPA? Similar to GDPR: the platform supports customer CCPA compliance. The customer is the business; the platform is the service provider.

Does SGEN have security certifications? Security certifications are listed on the platform's security and compliance page. Specific certifications depend on platform maturity and plan tier.

Where is my data stored geographically? Documented in the privacy policy. Some plan tiers offer region-specific storage.

Can I get a copy of the platform's audit reports? For most reports, yes. Some are available under NDA; contact your account contact.

What if I receive a subpoena for customer data? The platform's policies govern law enforcement requests. Customers are usually notified unless legally prohibited. Contact the platform's legal team via support if you receive a subpoena affecting your platform data.

Can I bring my own encryption keys? Bring-your-own-key (BYOK) support depends on plan tier and feature roadmap. Check the platform's security documentation for current options.

How does the platform handle a security incident affecting my account? The platform's incident response includes notifying affected customers, helping investigate impact, and supporting your own incident response. Contact your account contact if you suspect an account-level issue.

Do you have a bug bounty program? The platform may operate a bug bounty for responsible disclosure. Check the security and compliance documentation.

Related reading

Security and privacy are partnerships. The platform handles its half; your team handles yours. The combination keeps your data safe and your visitors' trust intact. Read this page once, set up the controls, and revisit quarterly as conditions change.

How SGEN handles platform updates — security improvements ship continuously.

SGEN reliability and uptime explained — availability and incident response.

SGEN backups and disaster recovery — encrypted, retained, restorable.

SGEN site performance explained — performance considerations.
