Security at Articfly

Last updated: January 13, 2026

Your data security is foundational to everything we build

At Articfly, we understand that when you entrust us with your content, WordPress credentials, and business data, you're placing significant trust in our platform. We take that responsibility seriously. This Security page transparently explains the technical and organizational measures we implement to protect your information, maintain platform integrity, and ensure compliance with data protection regulations including GDPR.

Our core security commitments:

  • Your data is encrypted at rest with AES-256 and in transit with TLS 1.2/1.3
  • Passwords are hashed using bcrypt with unique salts—never stored in plain text
  • Your WordPress credentials are encrypted before storage and never logged
  • Payment processing is handled by Stripe, a PCI DSS Level 1 certified provider
  • AI processing uses enterprise-grade providers with SOC 2 and ISO 27001 certifications
  • We follow OWASP security guidelines and conduct regular security assessments

---

Data protection through encryption

Every piece of data you share with Articfly is protected using industry-leading encryption standards. When data travels between your browser and our servers, it's secured using TLS 1.2 or TLS 1.3 encryption—the same technology used by financial institutions. All WordPress API connections and third-party integrations communicate exclusively over HTTPS with encrypted channels.

For data stored on our systems, we implement AES-256 encryption, the gold standard for data-at-rest protection. Your WordPress credentials receive additional protection through encryption before storage, ensuring they remain secure even at the database level. User passwords are hashed using bcrypt with unique salts, making them computationally infeasible to reverse-engineer. We maintain encrypted backups with geographic redundancy, and all sensitive database fields receive field-level encryption.

Our multi-tenant architecture ensures complete logical separation between customer accounts. Your data is isolated from other customers' data, with no possibility of cross-account access. We maintain separate environments for production, staging, and development, preventing any test data from mixing with live customer information.

---

Infrastructure built for resilience and security

Articfly operates on enterprise-grade cloud infrastructure from leading providers that maintain SOC 2 Type II, ISO 27001, and other industry certifications. Our infrastructure incorporates multiple layers of protection including distributed denial-of-service (DDoS) mitigation, Web Application Firewall (WAF) implementation, and automatic load balancing for high availability.

Network security includes firewalls at multiple architectural layers, Intrusion Detection and Prevention Systems (IDS/IPS), network segmentation to isolate critical services, and VPN-only access for administrative functions. Our servers run hardened configurations following the principle of minimal installation—only essential software is deployed, reducing potential attack surfaces.

We apply critical security patches within 24 hours of release, with high-priority patches deployed within 7 days. Emergency patching procedures handle zero-day vulnerabilities, and we maintain rollback capabilities for every change. Automated security scanning runs continuously across our container infrastructure, and we conduct regular infrastructure penetration testing.

---

Application security following OWASP best practices

Our development methodology places security at the foundation of every feature. We follow OWASP Top 10 guidelines to prevent common web application vulnerabilities and implement comprehensive security controls throughout our codebase.

Protection against common attacks includes parameterized queries and strict input validation to prevent SQL injection, context-aware output encoding and Content Security Policy headers for XSS prevention, CSRF tokens on all state-changing operations, and secure session management with automatic expiration. We conduct Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) on every release, supplemented by dependency scanning to identify vulnerabilities in third-party libraries.

Every code change undergoes security-focused peer review before merging. Our developers receive regular secure coding training, and we maintain a security-first culture where potential vulnerabilities are flagged and addressed proactively rather than reactively.

---

Authentication and access control

Your Articfly account is protected by multiple security layers. We enforce strong password requirements (minimum 8 characters with complexity rules), and two-factor authentication (2FA) is available for all accounts—we strongly recommend enabling it. Failed login attempts trigger account lockout protections, and sessions expire automatically after periods of inactivity.

Internally, we implement Role-Based Access Control (RBAC) following the principle of least privilege. Employees only access systems and data necessary for their specific job functions. All employee access requires multi-factor authentication, and we conduct regular access reviews and audits. When employees leave the company, access is revoked immediately. Background checks are required for all employees who handle customer data, and every team member signs non-disclosure agreements.

For API access (available on Enterprise plans), we provide secure API key authentication with encryption at rest, rate limiting to prevent abuse, comprehensive request validation, and detailed activity logging. OAuth 2.0 support is available where applicable.

---

WordPress integration security

Given that Articfly publishes directly to your WordPress sites, we implement rigorous security for this integration. Your WordPress credentials are encrypted using AES-256 before storage and transmitted only through encrypted channels. Credentials never appear in logs or error messages, and we support WordPress Application Passwords as the recommended authentication method.

All connections to WordPress sites occur over HTTPS only, with SSL/TLS certificate verification ensuring you're connecting to your actual site rather than an impersonator. We implement limited API permissions following least-privilege principles—Articfly only requests the permissions necessary for publishing content. Our systems monitor connection status and can automatically disconnect on detection of suspicious activity.

Before publishing, generated content undergoes validation including malware scanning and prevention of code injection. We maintain a complete audit trail of all publishing actions and provide rollback capabilities should any issues arise.

---

AI provider security and data handling

Articfly integrates with enterprise-grade AI providers to power content generation. We carefully select providers based on their security certifications and data handling practices.

OpenAI (powering ChatGPT models) maintains SOC 2 Type II certification, ISO 27001/27017/27018/27701 compliance, and HIPAA eligibility. Through our API integration, your content is not used to train AI models. OpenAI encrypts all data with AES-256 at rest and TLS 1.2+ in transit.

Google Gemini operates within Google Cloud's enterprise security framework, holding SOC 1/2/3, ISO 27001, and the new ISO 42001 AI management certification. Customer content is not used for model training, and data remains encrypted throughout processing.

DeepSeek is offered as an alternative AI model option. We recommend users understand that DeepSeek processes data on servers located in China and is subject to local data regulations. For users handling sensitive business data, we recommend using OpenAI or Google Gemini models, which provide more extensive third-party security certifications and clearer data governance commitments.

For all AI processing, we practice data minimization—sending only the information necessary for content generation. Prompts and generated content are processed temporarily and not retained by AI providers beyond what's needed to deliver results.

---

Payment security through Stripe

We partner with Stripe for all payment processing. Stripe is certified as a PCI DSS Level 1 Service Provider—the highest level of payment security certification available. This certification is validated annually by independent PCI Qualified Security Assessors.

Your payment card details never touch our servers. When you enter payment information, it transmits directly to Stripe's secure infrastructure using their hosted payment fields. Stripe encrypts card data with AES-256 at rest and requires TLS for all communications. Your payment information is tokenized, meaning we receive only a secure reference token rather than actual card numbers.

Stripe maintains additional certifications including SOC 1 and SOC 2 Type II, and is listed on the Visa Global Registry of Service Providers. This architecture means you benefit from bank-level payment security without Articfly ever handling your sensitive financial data.

---

GDPR Article 32 technical and organizational measures

As a platform serving users worldwide, including the European Union, Articfly implements appropriate technical and organizational measures as required by GDPR Article 32. These measures are designed to ensure a level of security appropriate to the risks involved in processing personal data.

Technical measures include pseudonymization and encryption of personal data where appropriate, ongoing assurance of confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner following incidents, and regular testing and evaluation of security measure effectiveness.

Organizational measures encompass documented information security policies and procedures, staff training on data protection and security awareness, access control procedures limiting data access to authorized personnel, vendor management processes including Data Processing Agreements with all subprocessors, incident response procedures with defined responsibilities and escalation paths, and regular security assessments and risk evaluations.

We follow the principles of data protection by design and default, integrating privacy considerations from the earliest stages of feature development and ensuring that by default, only personal data necessary for each specific purpose is processed.

---

Monitoring, logging, and incident detection

Our security operations include continuous monitoring of all systems with real-time alerting on suspicious activity. We deploy anomaly detection to identify unusual patterns, monitor failed authentication attempts, and track potential indicators of compromise.

Comprehensive logging captures security events, access records, authentication activities, API usage, and WordPress publishing actions. Logs are retained for a minimum of 90 days, stored securely with encryption, and accessible only to authorized security personnel. Our Security Information and Event Management (SIEM) system correlates events across systems to detect sophisticated attack patterns.

We conduct vulnerability scanning continuously and engage third-party security firms for annual penetration testing. Vulnerability assessments cover our applications, infrastructure, dependencies, and container images.

---

Incident response and breach notification

Should a security incident occur, our dedicated incident response team follows documented procedures for identification, containment, eradication, and recovery. We maintain 24/7 on-call security personnel with clear escalation procedures, and we conduct regular incident response drills to ensure readiness.

If a security incident affects your data, we commit to notifying you within 72 hours of discovery, as required by GDPR. This notification will include the nature of the incident, potential impact on your data, steps we're taking to address the situation, and recommendations for protective actions you can take. We will also notify relevant supervisory authorities as required by applicable law.

Following any incident, we conduct thorough post-incident reviews to identify root causes and implement improvements to prevent recurrence.

---

Business continuity and disaster recovery

Articfly maintains automated daily backups of all critical data with geographic redundancy across multiple regions. Backups are encrypted and regularly tested for integrity and restorability. We retain backup data for a minimum of 30 days with point-in-time recovery capabilities.

Our disaster recovery plan targets a Recovery Time Objective (RTO) of 4 hours for critical services and a Recovery Point Objective (RPO) of 1 hour for data. We conduct regular disaster recovery drills and maintain failover capabilities to ensure service continuity.

For Pro and Enterprise customers, we offer a 99.9% uptime SLA, supported by load balancing, auto-scaling infrastructure, database replication with automatic failover, and CDN distribution for static assets.

---

Responsible disclosure and vulnerability reporting

We value the security research community and encourage responsible disclosure of vulnerabilities. If you discover a potential security issue in Articfly, please report it to us so we can address it promptly.

How to report a vulnerability

Email: contact@articfly.com

Please include the following in your report:

  • Description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue
  • Affected URLs, parameters, or components
  • Any proof-of-concept code or screenshots
  • Your contact information (optional, but helpful for follow-up)

Our commitment to you

  • Acknowledgment within 48 hours of receiving your report
  • Regular updates on our progress toward remediation
  • Notification when the vulnerability is resolved
  • Public recognition (with your permission) for valid reports
  • Coordination on any public disclosure timing

Safe harbor

We consider security research conducted in accordance with this policy to be authorized conduct. We will not pursue legal action against researchers who:

  • Act in good faith to avoid privacy violations and disruption to others
  • Only interact with accounts they own or have explicit permission to test
  • Do not access or modify data belonging to other users
  • Do not perform actions that could harm the availability of our services (such as denial of service)
  • Do not publicly disclose vulnerability details before we've had reasonable time to address them
  • Report vulnerabilities promptly and provide sufficient detail for reproduction

If you follow these guidelines and act in good faith, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research.

Scope

In scope: Articfly web application (articfly.com, app.articfly.com), Articfly APIs, authentication and authorization systems, data handling and storage systems.

Out of scope: Third-party services and integrations (report to them directly), physical attacks or social engineering, denial of service attacks, automated scanning that generates significant traffic, vulnerabilities in user-configured WordPress sites, issues requiring account access beyond your own test accounts.

---

User security recommendations

While we implement extensive security measures, account security is a shared responsibility. Here's how you can help protect your Articfly account:

Account security best practices:

  • Use a strong, unique password that you don't reuse across other services
  • Enable two-factor authentication (2FA) for an additional layer of protection
  • Never share your account credentials with others
  • Log out when using shared or public computers
  • Keep your registered email address current for security notifications

WordPress integration security:

  • Use WordPress Application Passwords rather than your main admin password
  • Keep WordPress core, themes, and plugins updated
  • Enable security plugins on your WordPress site
  • Regularly review user accounts and remove unused admin access
  • Monitor your WordPress activity logs for unusual behavior

Recognizing phishing attempts:

  • Articfly will never ask for your password via email
  • Always verify you're on articfly.com or app.articfly.com before entering credentials
  • Be suspicious of urgent requests to verify your account or update payment information
  • When in doubt, navigate directly to Articfly rather than clicking email links
  • Report suspicious communications to contact@articfly.com

---

Compliance and standards

Current compliance:

  • GDPR (General Data Protection Regulation) for EU data protection
  • ePrivacy Directive compliance for cookies and electronic communications
  • Polish Data Protection Laws as our company is based in Poland
  • PCI DSS compliance through our payment processor (Stripe)

Security frameworks we follow:

  • OWASP Top 10 and secure development guidelines
  • CIS Controls for baseline security measures
  • NIST Cybersecurity Framework alignment
  • Cloud Security Alliance best practices

Third-party validation:

  • Annual security audits by independent firms
  • Regular penetration testing
  • Ongoing compliance assessments
  • Vendor security reviews for all subprocessors

We are working toward SOC 2 Type II and ISO 27001 certifications as our platform matures.

---

Third-party services and subprocessors

We carefully vet all third-party services for security and maintain Data Processing Agreements with vendors who process personal data.

Key service providers:

| Service | Provider | Security Certifications |
|---|---|---|
| Payment Processing | Stripe | PCI DSS Level 1, SOC 2 |
| AI Models | OpenAI | SOC 2, ISO 27001/27017/27018/27701 |
| AI Models | Google (Gemini) | SOC 2, ISO 27001, ISO 42001 |
| AI Models | DeepSeek | *(See AI provider section for details)* |
| Stock Images | Pexels | Trusted content provider |
| Cloud Infrastructure | Enterprise cloud providers | SOC 2, ISO 27001 |

All third-party integrations use encrypted API communications, and we monitor security advisories from our vendors to respond promptly to any emerging issues.

---

Contact us

For security-related inquiries, vulnerability reports, or incident notifications:

Email: contact@articfly.com

Company: Lumizone

Address: ul. Malińska 1, 47-320 Gogolin, Poland

Website: articfly.com

Documentation: doc.articfly.com

Response times

| Priority | Response Target |
|---|---|
| Critical security incidents | Within 2 hours |
| High-priority security issues | Within 24 hours |
| General security inquiries | Within 48 hours |
| Vulnerability reports | Acknowledgment within 48 hours |

---

Updates to this policy

We update this Security page as our practices evolve, new features are released, or regulations change. Significant updates will be communicated via email notification, in-app announcements, and updates to the "Last updated" date above.

---

We appreciate your trust in Articfly. Protecting your data isn't just a compliance requirement—it's fundamental to the service we provide. If you have questions about any aspect of our security practices, please don't hesitate to contact us.

This Security page applies to all users of the Articfly platform and complements our [Privacy Policy](/privacy), [Terms of Use](/terms), and [Cookie Policy](/cookies).