Security Measures and Safeguards

Effective Date: December 13, 2022 

Capitalized terms that are not defined in these Security Measures have the meanings set forth in the Terms of Service or the Data Processing Addendum.

Security Measures

Squarespace implements and maintains technical and organizational security measures to protect company and customer assets and data. Squarespace has a dedicated security team that guides the implementation of controls, processes, and procedures governing the security of Squarespace and its customers. The Squarespace security team is responsible for developing, implementing and maintaining an information security program that reflects the following:

  • Align security activities with Squarespace’s strategies and support Squarespace’s objectives.

  • Leverage security to facilitate confidentiality, integrity, and availability of data and assets.

  • Analyze identified or potential threats to Squarespace and its customers and provide reasonable remediation recommendations.

  • Actively monitor Squarespace environments and utilize the intelligence gathered to continuously improve our security program.

  • Support secure infrastructure, platform, and feature development.

  • Periodically perform internal Red Teaming operations, to confirm control effectiveness and identify areas for improvement.

  • Perform threat modeling exercises when building new or materially modifying existing systems, components, and platforms to confirm proper protection and handling of data.

  • Manage security utilizing a risk based approach.

  • Implement measures designed to manage risks and potential impacts to an acceptable level.

  • Leverage industry security and compliance frameworks where relevant and applicable.

  • Provide security awareness training to Squarespace employees and provide mechanisms for employees to reach directly out to the security team with questions.

Data Center, Cloud Providers, and Business Continuity/Disaster Recovery

  • Squarespace leverages leading data center and cloud service providers to house our physical and cloud infrastructure.

  • Our data center and cloud service providers utilize an array of security equipment, techniques, and procedures designed to control, monitor, and record access to the facilities.

  • Squarespace leverages geographically separate data centers and cloud service provider availability zones to facilitate infrastructure and service availability and continuity.

  • Squarespace has implemented solutions designed to protect against and mitigate effects of DDoS attacks.

  • Squarespace has dedicated teams located in multiple geographies to support our platform and supporting infrastructure.

  • Squarespace has business continuity disaster recovery plans which are tested periodically. Results of testing are leveraged to improve plans where necessary.

Encryption 

  • Squarespace leverages SSL certificates to encrypt data in-transit between website end users and customer domains.

  • Squarespace offers HSTS (HTTP Strict Transport Security) which encrypts the content served during sessions and only allows Squarespace customer websites to be accessed via HTTPS.

Application Level Security

  • Squarespace hashes passwords for user accounts.

  • Two-factor authentication (2FA) is available on Squarespace member accounts for an added layer of security.

  • Squarespace utilizes Web Application Firewall (WAF) technology.

  • Regular pen testing is performed on the Squarespace platform by Squarespace’s security team as well as a third party, the results of which are analyzed and remediated (as appropriate) by our engineering and security teams.

  • Customers are provided the ability to customize website permissioning.

Incident Response

  • In the event of an issue related to the security of the Squarespace platform, the Squarespace security team follows a formal incident response process.

  • Squarespace analyzes identified or potential threats to Squarespace and its customers, and takes reasonable actions where necessary.

Squarespace Building and Network Access

  • Physical access to Squarespace offices and access to the Squarespace internal network is restricted and monitored.

Systems Access Control

  • Access to Squarespace systems is limited to appropriate personnel.

  • Squarespace subscribes to the principle of least privilege.

  • Squarespace’s access control policy applies to systems that Squarespace manages and maintains. The Squarespace access control policy addresses control processes that include, but are not limited to:

    • Account provisioning/decommissioning

    • Authentication

    • Privileged account management

    • User identification

    • Access logging and monitoring

Security Risk Management

Threat intelligence and risk assessment are key components of Squarespace’s information security program. Awareness and understanding of potential (and actual) threats guides the selection and implementation of appropriate security controls to mitigate risk. Potential security threats are identified, and assessed for severity and exploitability. If risk mitigation is required, the security team works with relevant stakeholders and system owners to remediate. The remediation efforts are tested to confirm the new measures/controls have achieved their intended purpose.

Safeguards

Law Enforcement Request Policy

Squarespace respects the human rights of our customers and their end users. Squarespace implements a robust law enforcement request policy which is designed to ensure that all law enforcement, governmental and regulatory requests are valid and made in accordance with applicable legal process. Squarespace does not disclose data to law enforcement, regulatory or governmental bodies unless required by applicable law and objects to unlawful requests. If Squarespace receives a demand for Your Controlled Data (as defined in the Squarespace Data Processing Addendum), Squarespace will attempt to redirect the law enforcement agency or regulatory or government body to request such data directly from the relevant customer. If compelled to disclose or provide access to data to law enforcement, regulatory or governmental bodies or agencies, Squarespace will notify the relevant customer and provide them with a copy of the demand to allow them to seek a protective order or other appropriate remedy (except if such notification is legally prohibited, such as through a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). 

Privacy Shield Principles

Squarespace, Inc. continues to apply the Privacy Shield principles under the EU-US and Swiss-US Privacy Shield Frameworks (collectively “Privacy Shield”) in respect of applicable personal data in order to provide additional safeguards and protections for it, even though Squarespace, Inc. no longer relies upon Privacy Shield as a lawful basis to transfer such data.