Security

Most agencies handle "security" with platitudes. We're going to do the opposite. This page tells you exactly what code we run on your site, exactly what permissions we ask of your CMS, exactly what we don't touch, and exactly where you can read every line yourself. If something on this page contradicts the actual code in our public repo, that is a bug worth flagging at security@neverranked.com.

We are not SOC 2 certified. We are not ISO 27001 certified. Saying so honestly belongs at the top of this page, not buried at the bottom. Those certifications are on a roadmap that activates once we have enterprise customers who require them. Until then, our claim is specificity, transparency, and minimum-scope.

The single line you paste in your site's <head> loads a small JavaScript file from our domain (app.neverranked.com/inject/<your-slug>.js). When it runs, it does exactly one thing:

• Reads location.pathname (the URL path the visitor is on).
• Compares that path against an allow-list of pages you and we have explicitly approved.
• If matched, calls document.createElement("script"), sets type="application/ld+json", fills it with the structured-data JSON we previously approved, and appends it to document.head.

That is the entire snippet. Twenty lines of JavaScript, no obfuscation, no minification beyond whitespace. You can read the full source generator at dashboard/src/routes/inject.ts in our public repo.

• It does not read cookies. The word "cookie" appears nowhere in the snippet code.
• It does not read forms. No document.querySelector calls against inputs, no listeners on submit events.
• It does not read DOM contents. Doesn't traverse the page, doesn't read text, doesn't see what your visitors typed.
• It does not make outbound requests. No fetch, no XMLHttpRequest, no navigator.sendBeacon. The snippet is purely DOM-injection.
• It does not run eval or use the Function constructor. The injected JSON is parsed by JSON.stringify on our side and the browser's native application/ld+json handler on yours.
• It does not contain credentials, tokens, or anything that could be used to identify your customer base if leaked. The URL contains a public client_slug. That's it.

Every JSON-LD payload that ships through our snippet has to pass two gates before deploy:

• Schema completeness grader. Empirical research on AI citations shows partial or generic schema produces a 18-percentage-point citation penalty versus no schema at all. Our grader scores every block against per-type field manifests and blocks anything below a deploy threshold of 60. Same grader powers our public scorer at check.neverranked.com -- you can verify the math against any URL.
• Status flag in our database. The injection endpoint queries WHERE status = 'approved'. Schema cannot reach your live site without an explicit approval mark on our side.

Each customer's snippet URL contains a unique client_slug. The endpoint resolves that slug against our database and serves only that customer's schemas. There is no shared payload across customers, no global script, no third-party CDN involved.

Compromising any one customer's snippet does not reach any other customer. Our database queries are parameterized (using D1 prepared statements) so the slug cannot be used as an injection vector against the server.

Amplify customers connect their content management system so we can publish drafts directly. Below is exactly what we ask for and exactly what we use it for, by platform.

WordPress. We use WordPress Application Passwords -- per-user, per-app credentials that you can revoke from your WP admin at any time. The password is encrypted at rest in our database with AES-GCM (key: WP_ENCRYPTION_KEY, never logged, never returned via any API endpoint). Our code only hits two REST endpoints:

• GET /wp-json/wp/v2/users/me -- to verify the credentials work after you save them.
• POST /wp-json/wp/v2/posts -- to create a draft post.

We do not touch /users, /options, /themes, /plugins, /media uploads, or anything else. The full driver is at dashboard/src/cms/drivers/wordpress.ts.

Webflow. We hit only /sites/{id} (read, to validate site access), /collections/{id}/items (create, to add a draft article), and /collections/{id}/items/{id}/publish (publish, when you approve). No site settings, no DNS, no domains, no other collections.

Shopify. We hit only /admin/api/.../blogs/{blog_id}/articles.json to create blog articles. No products, no orders, no customers, no themes, no settings.

No content auto-publishes. Every Amplify-generated draft sits in a pending_review state in your dashboard until you click approve. The publish endpoint is only called after that explicit click. If you ever want to pause the pipeline entirely, you can flip pipeline_paused_at on your account from settings -- the cron checks that flag before generating any draft.

You never share your OpenAI, Anthropic, Gemini, or Perplexity API keys with us. Our citation tracker uses our own keys to run queries against the engines on your behalf, and we pay for those API costs. This means even if our infrastructure were compromised, the attacker could not pivot into your AI service accounts.

The entire NeverRanked codebase is public on GitHub at github.com/lanceroylo/neverranked. The repo is source-available under a Business-Source-pattern license -- you can read every line, audit it, fork it for non-commercial use. Commercial use that competes with NeverRanked requires a license. License auto-converts to MIT on April 29, 2030.

Specific files worth reading:

• dashboard/src/routes/inject.ts -- the entire snippet generator
• dashboard/src/cms/drivers/ -- WordPress, Webflow, Shopify drivers
• packages/aeo-analyzer/src/schema-grader.ts -- the schema completeness grader
• dashboard/src/auth.ts -- magic link issuance, session management, rate limiting
• dashboard/src/routes/checkout.ts -- Stripe webhook handler

• Hosting: Cloudflare Workers (compute), Cloudflare D1 (database), Cloudflare R2 (object storage). All traffic terminates on Cloudflare's network -- their security posture (DDoS protection, TLS, WAF) covers ours by inheritance.
• Secrets: All API keys, encryption keys, and webhook secrets are stored as Wrangler secrets, never committed to the repo.
• Database access: No direct external database access. All queries go through the Worker, which authenticates the caller via session cookies.
• Email delivery: Resend, with our domain verified for sending. Welcome email magic links expire after 72 hours, login magic links after 15 minutes, with a hard rate limit of 3 per 15-minute window per email.
• Payment processing: Stripe -- we never store card data ourselves. We persist only the Stripe customer ID and subscription ID.

A few risks we want named because they're real, not because they're alarming:

• If our infrastructure is breached, an attacker could push bad schema to all active customer sites simultaneously. Mitigation: all schema passes the completeness grader before serving, and any push triggers an entry in our admin alerts. Detection-then-revert is the layer we currently have. Cryptographic signing of schema payloads is on the roadmap.
• WordPress Application Passwords are revocable but not multi-factor. If your WordPress admin account is breached, the attacker could revoke or replace our credential. Recommend you set up 2FA on your WP admin.
• We do not hold any audited compliance certificate yet. If your procurement process requires SOC 2 or ISO 27001, we are not ready for that engagement. Email us so we know it's on the demand list.

• The full snippet generator lives at dashboard/src/routes/inject.ts in the public repo. Read it.
• The CMS drivers live at dashboard/src/cms/drivers/. Read them.
• Once you're a customer, your live snippet is at https://app.neverranked.com/inject/<your-slug>.js. Open it in a browser tab. The full source loads as plain text.
• Run any URL through check.neverranked.com -- the schema grader scoring your live snippet's payloads is the same code you'll see in the repo.
• If a security claim on this page does not match what the code does, we treat that as a bug. Email security@neverranked.com. A real reply, not a noreply auto-acknowledge.

Email security@neverranked.com with reproduction details. We commit to a real human reply within 48 hours and a fix-or-mitigation timeline within 7 days for any verified issue. We do not currently run a paid bug bounty program, but we will publicly credit responsible disclosures (with your permission) on this page.