Security at Dr Urls

Your data security is our priority. We build security into every layer of our platform, from infrastructure to application logic.

Last updated: March 15, 2026

Infrastructure Security

Enterprise-grade cloud infrastructure

Google Cloud Platform

All services are hosted on Google Cloud Platform within EU data centers (europe-west region), leveraging Google's world-class physical security, network security, and operational controls.

Encryption at rest

All data stored in our databases, object storage, and backups is encrypted at rest using AES-256 encryption with Google-managed encryption keys.

Encryption in transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Internal service-to-service communication is also encrypted using mutual TLS.

Tenant isolation

Each organization's data is logically isolated at the application and database level. Row-level security policies and application-layer authorization ensure strict tenant boundaries. Cross-tenant data access is architecturally impossible.

Network security

Our infrastructure uses VPC isolation, firewall rules, private networking for internal services, and DDoS protection. Database instances are not publicly accessible.

Application Security

Secure by design, tested continuously

OWASP Top 10

Our development practices address all OWASP Top 10 vulnerabilities. We perform regular code reviews and use static analysis tools to catch security issues before deployment.

Input validation

All user inputs are validated and sanitized using strict Zod schemas. API endpoints enforce type safety and reject malformed requests before they reach business logic.

SSRF prevention

Our crawlers include robust SSRF protection to prevent internal network access. Private IP ranges, localhost, and cloud metadata endpoints are blocked at the network layer.
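As an added example (not Dr Urls' own code), the following TypeScript guard is the application-layer counterpart to the network-layer block described above: it is run on every crawl target before the fetch is issued and rejects non-http(s) schemes, URLs carrying credentials, well-known metadata hostnames, and any IP literal in a loopback, private, link-local (including the 169.254.169.254 metadata address), CGNAT, multicast or reserved range, with IPv4-mapped IPv6 handled as IPv4. The blocked hostname list and the assumption that the caller re-runs `isBlockedAddress()` on the address DNS actually resolves to (to catch hostnames that resolve to internal addresses, or are rebound mid-crawl) are this example's, not the page's.

```typescript
// Added example, not Dr Urls' own code. Application-layer SSRF guard for
// crawler fetch targets. Assumption: the caller also applies isBlockedAddress()
// to the resolved address before connecting, so a public hostname that
// resolves to an internal address is caught at that point.

// Illustrative list; extend to whatever internal names a deployment has.
const BLOCKED_HOSTNAMES: ReadonlySet<string> = new Set([
  "localhost",
  "metadata.google.internal", // GCE/GKE metadata server
  "metadata",
]);

type Octets = [number, number, number, number];

// Dotted-quad only: the WHATWG URL parser has already normalised shorthand
// forms such as "127.1", "0x7f000001" and "2130706433" to this form.
function parseIPv4(host: string): Octets | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o: Octets = [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])];
  return o.every((x) => x <= 255) ? o : null;
}

function isBlockedIPv4([a, b]: Octets): boolean {
  return (
    a === 0 ||                            // 0.0.0.0/8 "this" network
    a === 10 ||                           // 10.0.0.0/8 private
    a === 127 ||                          // 127.0.0.0/8 loopback
    (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 CGNAT
    (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local, incl. metadata
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12 private
    (a === 192 && b === 168) ||           // 192.168.0.0/16 private
    a >= 224                              // multicast, reserved, broadcast
  );
}

// Expects the bracket-free, lower-case form the URL parser produces,
// e.g. "::1", "fe80::1", or "::ffff:a00:1" for ::ffff:10.0.0.1.
function isBlockedIPv6(ip: string): boolean {
  if (ip === "::" || ip === "::1") return true;              // unspecified, loopback
  const hexMapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip);
  if (hexMapped) {
    const hi = parseInt(hexMapped[1] ?? "0", 16);
    const lo = parseInt(hexMapped[2] ?? "0", 16);
    return isBlockedIPv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
  }
  const dottedMapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(ip);
  if (dottedMapped) {
    const v4 = parseIPv4(dottedMapped[1] ?? "");
    return v4 === null || isBlockedIPv4(v4);               // malformed: fail closed
  }
  if (/^fe[89ab]/.test(ip)) return true;                     // fe80::/10 link-local
  if (/^f[cd]/.test(ip)) return true;                        // fc00::/7 unique local
  return false;
}

// True for any IPv4/IPv6 literal in a non-routable range; false for hostnames.
export function isBlockedAddress(ip: string): boolean {
  const v4 = parseIPv4(ip);
  if (v4) return isBlockedIPv4(v4);
  if (!ip.includes(":")) return false;                       // not an IP literal
  return isBlockedIPv6(ip.toLowerCase());
}

function parseUrl(raw: string) {
  try { return new URL(raw); } catch { return null; }
}

export type TargetCheck = { ok: true; href: string } | { ok: false; reason: string };

export function checkCrawlTarget(raw: string): TargetCheck {
  const u = parseUrl(raw);
  if (u === null) return { ok: false, reason: "unparseable URL" };
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  }
  if (u.username !== "" || u.password !== "") {
    return { ok: false, reason: "credentials in URL" };
  }
  const host = u.hostname.toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith(".localhost") || host.endsWith(".internal")) {
    return { ok: false, reason: `host ${host} is blocked` };
  }
  // IPv6 literals arrive bracketed in hostname; strip for range checks.
  const literal = host.startsWith("[") && host.endsWith("]") ? host.slice(1, -1) : host;
  if (isBlockedAddress(literal)) {
    return { ok: false, reason: `address ${literal} is non-routable` };
  }
  return { ok: true, href: u.href };
}
```

Because the WHATWG parser canonicalises IPv4 shorthand before the check runs, decimal or hex encodings of loopback (for instance `http://2130706433/`) are rejected like `127.0.0.1`; the guard deliberately fails closed on a malformed mapped address rather than letting it through.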

Security headers

We enforce Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security (HSTS), and Referrer-Policy headers on all responses.

Authentication & Access Control

Defense-in-depth access management

Secure authentication

User authentication is handled through Firebase Authentication, supporting email/password, Google SSO, and other OAuth providers. Passwords are hashed using industry-standard algorithms and never stored in plaintext.

Role-based access control (RBAC)

Organizations can assign four distinct role levels — Owner, Admin, Analyst, and Viewer — each with granular permissions. Every API request is authorized against the user's role and organization membership.
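The tenant-isolation and RBAC sections above describe the same check from two angles: a request is authorized only if the caller is a member of the organization named in the route, and only if that membership's role carries the permission the endpoint needs. As an added example (not Dr Urls' code), the TypeScript below implements that deny-by-default decision. The four role names are the page's; the permission matrix, the request shape and the sample memberships are assumptions made for this illustration.

```typescript
// Added example, not Dr Urls' own code. Deny-by-default authorization of an
// API request against organization membership and role. Roles are the page's;
// the permission matrix and request shape are assumed for illustration.

export type Role = "owner" | "admin" | "analyst" | "viewer";

export type Permission =
  | "project:read"
  | "project:write"
  | "audit:read"
  | "member:manage"
  | "billing:manage"
  | "org:delete";

// Used only to stop a role from granting a role above itself.
const ROLE_RANK: Record<Role, number> = { viewer: 0, analyst: 1, admin: 2, owner: 3 };

// Assumed matrix; each role is a strict superset of the one below it.
const ROLE_PERMISSIONS: Record<Role, ReadonlySet<Permission>> = {
  viewer: new Set<Permission>(["project:read"]),
  analyst: new Set<Permission>(["project:read", "project:write"]),
  admin: new Set<Permission>(["project:read", "project:write", "audit:read", "member:manage"]),
  owner: new Set<Permission>([
    "project:read", "project:write", "audit:read",
    "member:manage", "billing:manage", "org:delete",
  ]),
};

export interface Membership { userId: string; orgId: string; role: Role; }

export interface ApiRequest {
  userId: string;      // authenticated subject, e.g. from a verified ID token
  orgId: string;       // tenant named in the route, e.g. /orgs/:orgId/projects
  permission: Permission;
  targetRole?: Role;   // for member:manage only: the role being granted
}

export type Decision = { allow: true; role: Role } | { allow: false; reason: string };

export function authorize(req: ApiRequest, memberships: readonly Membership[]): Decision {
  // Tenant boundary: membership is looked up by (user, org) together, never by
  // user alone, so a role in one organization says nothing about another.
  const m = memberships.find((x) => x.userId === req.userId && x.orgId === req.orgId);
  if (!m) return { allow: false, reason: "not a member of this organization" };

  if (!ROLE_PERMISSIONS[m.role].has(req.permission)) {
    return { allow: false, reason: `role ${m.role} lacks ${req.permission}` };
  }

  // Escalation guard: nobody may grant a role ranked above their own.
  if (req.permission === "member:manage" && req.targetRole !== undefined
      && ROLE_RANK[req.targetRole] > ROLE_RANK[m.role]) {
    return { allow: false, reason: `role ${m.role} cannot grant ${req.targetRole}` };
  }

  return { allow: true, role: m.role };
}

// Constructed sample data for the illustration.
export const SAMPLE_MEMBERSHIPS: readonly Membership[] = [
  { userId: "u1", orgId: "acme", role: "owner" },
  { userId: "u2", orgId: "acme", role: "viewer" },
  { userId: "u3", orgId: "globex", role: "admin" },
];
```

The membership lookup is the part that enforces the tenant boundary: an owner of one organization who addresses another organization's route is refused before any permission is consulted, and the refusal reason is the same as for a non-existent organization so the response does not leak which tenants exist.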

Session management

Sessions use secure, signed tokens with configurable expiration. Tokens are rotated automatically and can be revoked immediately. Inactive sessions expire after a defined period.

Multi-factor authentication

Coming soon

We are actively developing MFA support with TOTP (authenticator app) and WebAuthn (security keys). This feature will be available for all users in an upcoming release.

Data Protection

Your data, protected at every stage

Encryption standards

AES-256 encryption at rest, TLS 1.2+ in transit. Database connections use encrypted channels. Sensitive configuration values are stored in Google Secret Manager.

Backup procedures

Automated daily backups with point-in-time recovery up to 7 days. Backups are encrypted and stored in a separate geographic region within the EU for disaster recovery.

Audit logging

All data access, modifications, and administrative actions are logged with timestamps, user identities, and IP addresses. Audit logs are immutable and retained for 12 months.

Data residency

All customer data is stored and processed exclusively within European Union data centers. We do not transfer data outside the EU unless explicitly authorized by the customer.

Compliance

Meeting regulatory and industry standards

GDPR ready

We are fully committed to GDPR compliance. We process personal data lawfully, transparently, and for specific purposes. Users can exercise their data rights (access, rectification, erasure, portability) at any time. Data Processing Agreements are available for enterprise customers.

SOC 2 Type II

In progress

We are actively pursuing SOC 2 Type II certification covering the Security, Availability, and Confidentiality trust service criteria. We expect to complete the audit process in 2026.

Data Processing Agreements

We offer GDPR-compliant Data Processing Agreements (DPAs) to all customers who process personal data through our platform. Contact legal@drurls.com to request a DPA.

Vulnerability Management

Proactive identification and remediation

Automated scanning

We run automated vulnerability scans across our infrastructure and application code on a continuous basis. Dependencies are monitored for known vulnerabilities using automated tools integrated into our CI/CD pipeline.

Dependency management

All third-party dependencies are pinned to specific versions and regularly audited. Critical security patches are applied within 24 hours of disclosure.

Responsible disclosure

We maintain a responsible disclosure program for security researchers. We commit to acknowledging reports within 48 hours and providing an initial assessment within 5 business days.

Incident Response

Prepared, transparent, and rapid

We maintain a comprehensive incident response plan that ensures rapid detection, containment, and resolution of security incidents.

1. Detection

Continuous monitoring with automated alerting on anomalous behavior, unauthorized access attempts, and system integrity changes.

2. Notification

Affected customers are notified within 72 hours of confirming a data breach, in compliance with GDPR Article 33. Notifications include scope, impact, and remediation steps.

3. Remediation

Our team conducts root cause analysis, implements fixes, and publishes a post-incident report. Lessons learned are incorporated into our security practices.

Security Contact

If you have a security concern or need to report a vulnerability, please contact our security team directly.

Email: security@drurls.com

PGP key: Available upon request for encrypted communication

Response time: Within 48 hours for security reports

Responsible Disclosure

We value the security research community and welcome responsible disclosure of vulnerabilities.

  • Provide detailed reproduction steps
  • Allow reasonable time for remediation
  • Do not access or modify other users' data
  • Do not perform denial-of-service testing

We commit to not pursuing legal action against researchers who follow these guidelines. Report findings to security@drurls.com.