SGEN Trust and Security

⏱ Quick answer below · full page ≈ 2 min · skim the bold lead-ins to move faster.
In short. SGEN hosts your site on Google's edge network with HTTPS everywhere and encryption at rest. Your account data is isolated at the application layer, session-limited, and protected by password hashing plus optional multi-factor authentication. Internal staff operate on least-privilege access with operational logs. Customer data is backed up and covered by an incident-response procedure. Your own dashboard gives you per-user MFA, role-based team access, an audit log, and consent controls. To report a vulnerability write to security@sgen.com — acknowledged within 3 business days. GDPR and CCPA compliance is documented in the Privacy Policy and DPA.

That's the gist — everything below is the same idea in depth.

On this page: Hosting and isolation · Encryption · Access control · Application security · Customer security features · Reporting a security issue


Last updated: 2026-06-11

This page describes the security and operational practices SGEN applies to the platform. It is a companion to our Privacy Policy, Data Processing Addendum, and Sub-Processors pages.

The existing /security page describes platform security features for end customers (built-in defaults, no-plugin architecture). This page describes the security of the platform itself — the practices we apply as the operator.


Hosting and isolation

  • Hosting provider. SGEN serves customer-facing traffic through Google's edge network. ⚠ Confirm whether the underlying compute is Google Cloud Platform, App Engine, Cloud Run, or another configuration before publish.
  • Network controls. Production traffic is routed through the hosting provider's edge. Rate-limiting and abuse-protection capabilities provided by the platform are applied to public endpoints.
  • Customer isolation. Customer Content, accounts, and configuration are scoped per customer at the application layer. ⚠ Confirm whether tenancy is logical-only or includes infrastructure-level isolation.

Encryption

  • In transit. All customer-facing endpoints are served over HTTPS with TLS. HTTP requests are redirected to HTTPS.
  • At rest. Primary data stores use the encryption-at-rest capabilities provided by the underlying hosting platform.

Access control

  • Least privilege. Internal access to production systems is granted on a need-to-know basis.
  • Multi-factor authentication.Where required for production access; confirm scope with platform-eng before publish.
  • Operational logs. Administrative actions on production systems are recorded by the operational tooling we use. ⚠ Confirm log-retention windows before publish.

Application security

  • Dependency monitoring. We track production dependencies for known vulnerabilities and apply patches as warranted.
  • Change review.Production changes pass through internal review; confirm whether code review is mandatory across all merge paths before publish.
  • Customer authentication. Customer accounts use industry-standard password hashing. Multi-factor authentication is available where the customer enables it.
  • Session management. Sessions are time-limited and bound to the originating client.

Operational practices

  • Backups. Customer data is backed up. ⚠ Confirm backup schedule and restore-drill cadence with platform-eng before publish; remove any line that overstates the current practice.
  • Incident response. We follow internal procedures for detection, containment, communication, and post-incident review when production issues affect customer data or availability.
  • Personnel. Staff with access to production systems are bound by confidentiality obligations under their employment or contractor agreements. ⚠ Confirm whether security-awareness training is currently in place before adding it back.

Customer security features

End customers also have controls in their own dashboard:

  • per-user account security (passwords, multi-factor authentication)
  • role-based access for team members
  • audit log of administrative actions on the customer's account
  • customer-managed tracking-consent controls for sites the customer builds

A summary of the customer-facing security features is on the Security page.

Reporting a security issue

If you believe you have found a vulnerability in the SGEN platform, write to security@sgen.com with:

  • a description of the issue
  • steps to reproduce
  • the affected URL or endpoint
  • your contact information

We acknowledge reports within 3 business days. Substantive response and remediation timelines depend on the severity and complexity of the issue. We work with you on a coordinated disclosure path.

We do not currently operate a public bug-bounty program. We thank researchers who report responsibly.

Compliance posture

  • GDPR. Our Privacy Policy and Data Processing Addendum describe how we comply with the GDPR for EU and UK Data Subjects.
  • CCPA. Our Privacy Policy describes the rights of California Consumers and how to exercise them.
  • Audit reports. We do not currently hold a SOC 2 or ISO 27001 report. We document our controls on this page and through the DPA. If you require a formal audit report, write to legal@sgen.com to discuss.

Contact

Security questions: security@sgen.com. Privacy questions: legal@sgen.com.