Privacy & Security

Privacy practices

  • We do not use tracking cookies, and do not track people across the Internet.
  • We cannot trace the analytics data back to an individual.
  • We do not sell personal data.
  • We delete analytics data older than 24-months.
  • We automatically strip out personal data from all analytics we collect.
  • Our business is funded by charging a monthly subscription to use our software.
  • You retain full ownership over your data.
  • You can close your account or delete your data anytime - no questions asked.


  • We do not allow any sub-processor to sell or rent personal data about our customers or their end users.
  • We continuously review our Personal Data Inventory and perform a Transfer Impact Assessment for every sub-processor that helps us run our business.
  • Before adding a new sub-processor, we carefully assess their privacy and security practices.
  • When applicable, we have a Data Processing Agreement in place with every sub-processor that helps us run our business.


Data is always encrypted, both while on transit and at rest. In transit using strong, modern TLS. And at rest we use one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256). Additionally, all secret keys are automatically rotated on a regular basis.

Threat detection

We have automated vulnerability scanning, threat detection, and bot protection across our infrastructure. These systems automatically monitor audit logs and all activity in our cloud providers to notify us in case of unauthorised access or suspicious activity

Site reliability

Our systems continuously monitor for failures, and escalate to our team as needed to minimize downtime and prevent issues for our users. We commit to 99.9% uptime for customers with SLAs on their plan, but in practice achieve 99.995% uptime.

Application security

Our web application is designed and frequently tested with OWASP Top 10 in mind. This accounts for the most common types of attacks such as injection, broken authentication, XSS, CSRF, and several others.

Developer security

  • We enforce two-factor authentication on all accounts with access to our infrastructure.
  • We use hardware authentication keys whenever possible.
  • All secrets are encrypted, and rotated regularly.
  • All development equipment uses disk encryption.

Principle of Least Privilege

We follow the Principle of Least Privilege at all levels of our infrastructure:
  • Every API key has been given minimal permissions.
  • Our API access roles have permission boundaries to limit the impact of a security breach.
  • Our authentication tokens have short expiry times.
  • We limit the data subset that each sub-processor is able to access.

Have a security concern?

If you have found a vulnerability in Swilty, please contact us by email at