Security Measures

Last modified December 20, 2022

Ahrefs may update or modify these security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service.

Measures of pseudonymization and encryption of personal data

Personal data is stored in AWS RDS. RDS implements encryption of data both at rest and in transit. Development, staging, and production databases and processing applications are kept separate. You may refer to AWS RDS measures.

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

RDS is configured with multi-zone replication setup to ensure availability in case of catastrophic failure in one geographic region. Additionally, there is continuous backup of all the RDS databases by the means of AWS tooling, adding another cold replica of all the data.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Same as above.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Security of data processing is achieved by:

  • assignment of the small permanent dedicated and experienced team to the corresponding code subsystem, responsible for all the implementation, code quality and technical choices

  • code review of all code contributions to the corresponding subsystem

  • using best in class implementation language eliminating whole classes of runtime bugs and ensuring strongest possible guarantees and code contracts during compilation

  • management overseeing the new patterns of customer personal data process being implemented

  • management overseeing that only necessary data are stored

  • the number of sub-processors is kept to a minimum

Measures for user identification and authorization

Personal data is stored in AWS RDS. RDS implements encryption of data both at rest and in transit. Development, staging, and production databases and processing applications are kept separate. You may refer to [haveibeenpwned.com] database, entropy tests, etc.). Support for Multi-factor Authentication (MFA) is a Service feature that is coming soon. Additionally, Enterprise Plan users may opt in for the Single Sign On (SSO) authentication with Ahrefs performing the duty of a SAML Service Provider (implementing the recommended SAML security practices including, but not limited to response signing, request signature checking, etc.).

User authorization is performed by the in-house implementation centered around the business logic according to the user membership in the corresponding workspace and the respective role assigned within the workspace by the workspace administrator.

Measures for the protection of data during transmission

Customer’s access to Ahrefs’ Service is only possible over a secure connection, protected by industry-standard TLS protocol implementing commonly accepted best security practices and utilizing strong cipher-suites and disabling legacy weak protocols. Ahrefs website is additionally protected by Cloudflare, which is re-encrypting all traffic reaching Ahrefs website.You may refer to Cloudflare policies here.

Transmission of data between the storage database and the processing servers happens over the isolated network separate from the internet.

Measures for the protection of data during storage

You may refer to AWS RDS measures.

Measures for ensuring physical security of locations at which personal data are processed

Personal data processing is happening on EC2 instances in AWS data centers. Physical security is provided by AWS. Refer to AWS policies.

Additional measures are taken to hide the actual physical and logical location of servers storing customer personal data by means of layers of proxies between the data storage and the outside world.

Measures for ensuring events logging

All Ahrefs servers are configured with continuous logging to remote locations of important system logs and additional events collection as deemed necessary by Security and Devops teams. Customer Personal Data is never collected by these means.

Additionally, event logging is enabled with sub-processors e.g. CloudFlare, AWS, Mailchimp, SendGrid.

Measures for ensuring system configuration, including default configuration

Ahrefs is using industry-standard Configuration Management System to ensure desired system configuration during initial setup and continuous configuration updates during normal operations.

Measures for internal IT and IT security governance and management

In general, Ahrefs is using the principles of defense in depth and minimum access in its day-to-day operations. In particular, this includes the following security practices:

  • central management of all secrets used by employees to access third-party services

  • central and automated management of secrets deployed on the servers for use by Ahrefs tools and infrastructure

  • physical and logical separation of production and testing environments

  • remote collection of access logs for all the servers with the ability to audit on demand

  • remote collection of logs for internal data and API access

  • access separation for internal API on by-need basis with a default deny policy - continuous integration and deployment, with automated testing for Ahrefs code and infrastructure

  • continuous integration and deployment, with automated testing for Ahrefs code and infrastructure

  • infrastructure as code by GitOps approach

  • continuous monitoring of all production systems and alerting on deviations

  • 24/7 oncall DevOps presence

  • main implementation language for Ahrefs backend, frontend and parts of infrastructure is OCaml, which eliminates whole classes of runtime bugs and enforces compile-time checked code invariants giving a high degree of confidence in the resulting code behaviour

  • Quality Assurance (QA) process in place before production releases

Measures for certification/assurance of processes and products

Ahrefs systems were not subjected to certification so far, though there is a motion to get SOC2 certification in the near future.

Measures for ensuring data minimization

Ahrefs only stores the absolute minimum of Customer Personal Data to ensure the ability to provide and charge for the Service rendered, as well as legal and regulatory compliance purposes.

Measures for ensuring data quality

Ahrefs is checking the quality of passwords to ensure they were not leaked in public and are of acceptable quality. While we don’t check the accuracy of Customer Personal Data provided by our users, our payment processor does payment information quality check to avoid fraudulent transactions

Measures for allowing data portability and ensuring erasure

Customer Personal Data is retrievable with standard SQL tooling and can be extracted upon Controller’s request. You may refer to AWS RDS guarantees about erasure.

A. Data Center

Ahrefs stores all production data in physically secure data centers.

Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Service is designed to allow Ahrefs to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.

The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.

When production data is copied electronically by Ahrefs outside the data center, appropriate physical security is maintained, and the data is always encrypted.

B. Access Control

Preventing Unauthorized Service Access:

Ahrefs hosts parts of its Service with outsourced cloud infrastructure providers.

Additionally, Ahrefs maintains contractual relationships with vendors in order to provide the Service in accordance with DPA. Ahrefs relies on contractual agreements, privacy policies, and vendor compliance procedures in order to protect data processed or stored by these vendors.

Ahrefs implemented a uniform password policy for its Service and correspondent tools and features. All passwords must fulfil defined minimum requirements and are stored in encrypted form. Users who interact with the Service via the user interface must authenticate before accessing non-public user data. User data is stored in multi-tenant storage systems accessible to users via only application user interfaces and application programming interfaces. Users are not allowed direct access to the underlying application infrastructure. The authorization model in each of the tools and features of the Service is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions.

Public Services APIs may be accessed using an API key.

Preventing Unauthorized Services Use. Ahrefs utilizes the following access controls and detection capabilities for the internal networks that support its Service:

Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the Service infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Ahrefs implemented a Web Application Firewall (WAF) solution to protect internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Security reviews of the parts of code stored in Ahrefs source code repositories are performed, checking for coding best practices and identifiable software flaws.

Ahrefs conducts penetration tests annually (May-2024 pentest summary). The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

Authorization Requirements. A subset of Ahrefs personnel have access to user data via controlled interfaces on a purely need-to basis. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Ahrefs personnel are required to conduct themselves in a manner consistent with the Ahrefs guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. All access is logged for audit purpose.

C. Transmission Control

Ahrefs makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Ahrefs HTTPS implementation uses industry standard algorithms and certificates.

D. Input Control

Ahrefs designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests partly. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Ahrefs personnel are responsive to known incidents.

Ahrefs maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Ahrefs will take appropriate steps to minimize User damage or unauthorized disclosure.

If Ahrefs becomes aware of unlawful access to Ahrefs data stored within its Service, Ahrefs will:

  1. notify the affected Users of the incident;

  2. provide a description of the steps Ahrefs is taking to resolve the incident; and

  3. provide status updates to the User contact, as Ahrefs deems necessary.

Notification(s) of incidents, if any, will be delivered to one or more of the User’s contacts in a form Ahrefs selects, which may include via notice or email.

E. Availability Control

The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.8% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Ahrefs data is backed up to multiple durable data stores and replicated across multiple availability zones. Ahrefs uses commercially reasonable efforts to create frequent, encrypted back-up copies of Protected Data and these are stored in geographically separate locations.

Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

The Service is designed to ensure redundancy and seamless failover. The server instances that support the Service are also architected with a goal to prevent single points of failure. This design assists Ahrefs operations in maintaining and updating the Service applications and backend while limiting downtime.

© 2024 Ahrefs Pte. Ltd. (201227417H) 16 Raffles Quay, #33-03 Hong Leong Building, Singapore 048581