Security & Compliance

Last updated: 2026-05-23

Writegarden is operated from the European Union. This page summarises the security and compliance posture of the platform. For Enterprise customers we share a more detailed posture document, including the current sub-processor register, under NDA on request.

1. Data residency

Customer data (account, product, generated content, connected-platform credentials, form submissions) is stored in the European Union. The marketing website is delivered via a global content-delivery network with edge caching of public, non-personal assets only. We do not store customer content or source data outside the EU in the ordinary course of business.

2. Encryption

  • In transit. All connections to writegarden.com, app.writegarden.com, cms.writegarden.com, and all internal APIs are served over TLS 1.2 or higher. HTTP Strict Transport Security is enabled.
  • At rest. Account passwords are stored hashed with a modern key-derivation function (Argon2 / bcrypt). Connected-platform credentials (CMS OAuth tokens, Search Console refresh tokens, webhook secrets) are encrypted at rest with envelope encryption. Database storage volumes and backup volumes are encrypted at the storage layer.

3. Access control

Inside the Writegarden product, customers control access through role-based permissions (admin, editor, viewer) scoped to the organisation → company → site hierarchy. On Enterprise, SAML single sign-on and SCIM provisioning are available as part of onboarding.

Internal access by Writegarden personnel follows the principle of least privilege: production access is restricted to a named subset of operators, requires multi-factor authentication, and is logged. We do not access customer content for support purposes without prior request from the customer.

4. Tenancy isolation

Writegarden is multi-tenant by design. Customer data is logically isolated at the database level on the standard plan. On Enterprise, dedicated database schemas or dedicated instances are available for tenancy-sensitive engagements.

5. Sub-processors

We use a small set of vetted sub-processors to operate the Service. Each is bound by a Data Processing Agreement and limited to processing data only for the purposes of providing the Service. The current operational sub-processors include:

  • Vercel Inc. — marketing-site hosting and delivery.
  • Hetzner Online GmbH — EU-based virtual-private-server hosting for the content-management and workflow components of the platform.
  • Stripe Payments Europe Ltd. — payment processing, subscription management, and invoicing.
  • Cloudflare, Inc. — bot and abuse mitigation on web forms via Cloudflare Turnstile.
  • Third-party LLM providers — used for content generation. Only the data necessary to perform the requested generation is sent; outputs are stored on Writegarden infrastructure. The current LLM sub-processor register is shared under NDA.

Enterprise customers are notified in advance of material sub-processor changes.

6. Backups and disaster recovery

Production databases are backed up at least daily. Backups are encrypted at rest, retained for 30 days on a rolling basis, and stored in the EU. We test restore procedures quarterly. Our target recovery-point objective (RPO) is 24 hours and our target recovery-time objective (RTO) is 24 hours for the standard plan. Enterprise SLAs may set tighter targets.

7. Vulnerability management

Dependencies are scanned for known vulnerabilities on every build. Critical security patches in our runtime, framework, or dependency tree are applied within a rolling 7-day window. We perform internal security reviews on material changes to authentication, authorisation, payment, or data-export code paths.

8. Incident response

If we detect or are notified of a security incident that may affect customer personal data, we will assess the scope and impact, notify affected customer account owners by email without undue delay (and in any event within 72 hours where required by the GDPR), report to the competent supervisory authority where required, and post a public summary once the incident is contained.

9. Compliance posture

Writegarden is GDPR-aligned today: a signed Data Processing Agreement is available for all customers, a current sub-processor register is maintained, EU data residency is enforced operationally, and Data Subject Rights requests are handled within 30 days. SOC 2 readiness is in progress. We can share our current readiness status, control mapping, and target audit window on request as part of an Enterprise engagement.

10. Reporting a vulnerability

If you believe you have found a security vulnerability in Writegarden, write to hello@writegarden.com with the subject line "Security". Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate. We acknowledge reports within two working days and aim to triage within five.

11. Contact

Security and compliance enquiries: hello@writegarden.com.