Security
How Results AI protects your data — encryption, token storage, infrastructure, and the controls behind our Google Search Console integration.
Last updated: June 22, 2026
Overview
This page summarizes how Results AI protects customer data. It is meant to give a clear picture of the technical controls in place — enough detail for IT teams, security questionnaires, and platform reviewers to evaluate — without going so deep that it stops being useful. If you need additional detail for a procurement review, get in touch through our contact page.
1. Encryption in transit
All traffic to and from intheresults.com and the Results AI dashboard is served exclusively over HTTPS using TLS 1.2 or higher. HTTP requests are redirected to HTTPS at the edge. Internal connections between our application servers and managed Postgres database use encrypted connections as well. We do not accept unencrypted traffic anywhere in the stack.
2. Encryption at rest
Our managed Postgres database (DigitalOcean) is encrypted at rest using AES-256. Backups are encrypted with the same standard. Application server disks are encrypted at rest by default on our hosting provider.
On top of the underlying disk encryption, sensitive fields — most importantly OAuth refresh tokens — are encrypted at the application layer using AES-256-GCM before being written to the database. The encryption key is stored as an environment variable in our deployment platform, not in the database, so a database leak alone is not sufficient to decrypt tokens.
3. OAuth tokens and Google Search Console
When you connect Google Search Console, Google returns a refresh token to Results AI. We handle that token as follows:
- The token is encrypted with AES-256-GCM before it is written to our database.
- The token is never logged, never displayed in the UI, and never sent to any third party.
- The token is decrypted only in memory, only when needed to make an authorized request to a Google API on behalf of the connected account.
- When you disconnect, or when you revoke access at myaccount.google.com/permissions, the encrypted token and all cached Google data are permanently deleted in a single database transaction. The deletion is immediate and cannot be undone.
See our Privacy Policy for the full data-handling commitments around the Google Search Console integration, including the Limited Use disclosure.
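A sketch of application-layer AES-256-GCM protection for a refresh token, as described in sections 2 and 3. This is an added example, not Results AI's code. The `TOKEN_ENC_KEY` variable name, the `v1.nonce.tag.ciphertext` envelope and the binding of each ciphertext to an account ID are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed key for the demo; the page keeps the real key in a deployment
// environment variable. TOKEN_ENC_KEY is a hypothetical variable name.
process.env.TOKEN_ENC_KEY ??= crypto.randomBytes(32).toString('base64');

function loadKey(b64 = process.env.TOKEN_ENC_KEY) {
  const key = Buffer.from(b64 || '', 'base64');
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  return key;
}

// Returns "v1.<nonce>.<tag>.<ciphertext>" (base64url parts) for one DB column.
function sealToken(token, accountId, key = loadKey()) {
  const nonce = crypto.randomBytes(12);            // fresh 96-bit nonce per write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(`acct:${accountId}`)); // assumption: bind row to account
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return ['v1', nonce, cipher.getAuthTag(), ct]
    .map((p) => (Buffer.isBuffer(p) ? p.toString('base64url') : p)).join('.');
}

// Throws if the key, account binding, nonce, tag or ciphertext do not match.
function openToken(sealed, accountId, key = loadKey()) {
  const [version, nonceB64, tagB64, ctB64] = sealed.split('.');
  if (version !== 'v1' || ctB64 === undefined) throw new Error('bad envelope');
  const tag = Buffer.from(tagB64, 'base64url');
  if (tag.length !== 16) throw new Error('bad tag length'); // reject truncated tags
  const decipher = crypto.createDecipheriv('aes-256-gcm', key,
    Buffer.from(nonceB64, 'base64url'));
  decipher.setAAD(Buffer.from(`acct:${accountId}`));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(Buffer.from(ctB64, 'base64url')),
    decipher.final()]).toString('utf8');
}

// True when decryption is refused (authentication failure or malformed input).
function isRejected(sealed, accountId, key) {
  try { openToken(sealed, accountId, key); return false; } catch { return true; }
}

// Constructed sample value, not a real Google refresh token.
const sample = sealToken('1//constructed-refresh-token', 42);
console.log(openToken(sample, 42));                            // round trip
console.log(isRejected(sample, 43));                           // other account's row
console.log(isRejected(sample, 42, crypto.randomBytes(32)));   // DB leak, no key
```

The last two calls show what a reviewer should expect from this design: a stored value copied to another account's row, or read from a database dump without the environment key, fails authentication instead of decrypting.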
4. Authentication and account access
Passwords are never stored in plaintext. They are hashed using bcrypt with a per-password salt. Account sessions are managed with signed, HTTP-only cookies that cannot be read by JavaScript. Failed login attempts are rate-limited at the application level. Suspicious activity triggers automated blocks at the Cloudflare edge before requests reach our application.
5. Application and edge protections
All public endpoints sit behind Cloudflare, which provides DDoS mitigation, a managed Web Application Firewall, and bot protection. Forms that accept user input are protected by Cloudflare Turnstile, which blocks automated submissions without requiring users to solve CAPTCHA puzzles. Every public endpoint is rate-limited at both the edge and the application layer.
6. Infrastructure and hosting
Results AI runs on DigitalOcean App Platform with a managed Postgres database. Both are SOC 2 Type II audited environments. Application code is deployed from a GitHub repository protected with two-factor authentication, branch protection on the main branch, and a clean deploy log. We do not run servers in our office, and no production data is stored on developer laptops.
7. Logging and monitoring
Application logs capture request paths, response codes, and error traces, but exclude sensitive data: OAuth tokens, passwords, Google Search Console query results, and personal data fields are never written to logs. Logs are retained for 30 days and used only for debugging, performance analysis, and abuse detection.
8. Data segregation
Each customer's data is logically separated by account ID at every layer of the application. Queries against the Postgres database are scoped to the requesting account by design; there is no shared workspace or cross-tenant table. Customer reports, audit history, and connected accounts are visible only to the account they belong to.
9. AI providers and sub-processors
To produce recommendations, parts of your data are sent to AI providers we contract with: OpenAI, Anthropic, Perplexity, and Google AI. We send only what is needed for analysis — typically queries, page URLs, audit findings, and the resulting recommendations — and we never send OAuth tokens or passwords. These providers process the data solely to return a recommendation for your account and are bound by data processing agreements that prohibit using the data to train their models or for any other purpose.
Other sub-processors include DigitalOcean (hosting + database), Cloudflare (edge security, email routing, Turnstile), and Stripe (billing). Each is contractually bound by its own privacy and security commitments.
10. Vulnerability disclosure
If you believe you have found a security vulnerability in Results AI, send a message to [email protected] with the details. We will respond within 72 hours, work with you to verify the issue, and credit you in any public disclosure if you wish. We do not currently run a paid bug bounty program but appreciate good-faith reports.
11. Incident response
If we discover an incident involving personal information, we will notify affected customers and the relevant regulators within 72 hours of confirmation, following the breach notification approach in our Privacy Policy. We maintain a documented incident response process internally.
12. Questions and procurement
If you are completing a vendor security questionnaire on behalf of a customer or evaluating Results AI for purchase, send a note to [email protected] and we will respond with the documentation you need.