Security Measures and Safeguards

Effective Date: March 5, 2024

Capitalized terms that are not defined in these Security Measures have the meanings set forth in the Terms of Service or the Data Processing Addendum.

Security Measures

Squarespace implements and maintains technical and organizational security measures to protect company and customer assets and data. Squarespace has a dedicated security team that guides the implementation of controls, processes, and procedures governing the security of Squarespace and its customers. The Squarespace security team is responsible for developing, implementing and maintaining an information security program that reflects the following:

  • Align security activities with Squarespace’s strategies and support Squarespace’s objectives.

  • Leverage security to facilitate confidentiality, integrity, and availability of data and assets.

  • Analyze identified or potential threats to Squarespace and its customers and provide reasonable remediation recommendations.

  • Actively monitor Squarespace environments and utilize the intelligence gathered to continuously improve our security program.

  • Support secure infrastructure, platform, and feature development.

  • Perform red team exercises to confirm control effectiveness and identify areas for improvement.

  • Conduct threat modeling exercises when building new or materially modifying existing systems, components, and platforms to confirm, identify and, where appropriate, proactively mitigate security risks.

  • Manage security utilizing a risk-based approach.

  • Leverage industry security and compliance frameworks where relevant and applicable.

  • Provide security awareness training to Squarespace employees and provide mechanisms for employees to reach out directly to the security team with questions.

Data Center, Cloud Providers, and Business Continuity/Disaster Recovery

  • Squarespace leverages leading data center and cloud service providers to house our physical and cloud infrastructure.

  • Our data center and cloud service providers utilize an array of security equipment, techniques, and procedures designed to control, monitor, and record access to the facilities.

  • Squarespace leverages geographically separate data centers and cloud service provider availability zones to facilitate infrastructure and service availability and continuity.

  • Squarespace has implemented solutions designed to protect against and mitigate the effects of DDoS attacks.

  • Squarespace has dedicated teams located in multiple geographies to support our platform and supporting infrastructure.

  • Squarespace has business continuity and disaster recovery plans which are tested periodically. Results of testing are leveraged to improve plans where necessary.

Encryption

  • Squarespace leverages transport layer security (TLS) to encrypt data in transit between website end users and customer domains.

  • Squarespace offers HSTS (HTTP Strict Transport Security) which only allows Squarespace customer websites to be accessed via HTTPS.

Application Level Security

  • Squarespace hashes passwords for user accounts.

  • Two-factor authentication (2FA) is available on Squarespace member accounts for an added layer of security.

  • Squarespace utilizes Web Application Firewall (WAF) technology.

  • Regular penetration testing is performed on the Squarespace platform, the results of which are analyzed and remediated (as appropriate) by our engineering and security teams.

  • Customers have the ability to assign varying levels of permissions to their website’s contributors.

  • Squarespace provides customers the option to enable clickjack protection, which protects their websites and end users from UI redress attacks (i.e., clickjacking).
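As an added example (not Squarespace's own code or tooling), the following Python check lets a site owner confirm, from captured response headers, that the HSTS behaviour described under Encryption and the clickjack protection listed above are actually in effect. The sample headers are constructed, and the 180-day minimum max-age is an assumed threshold rather than a Squarespace setting.

```python
import re

# Constructed sample response headers for illustration only; not captured from
# any real site. HTTP header names are case-insensitive, so lookups ignore case.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}
WEAK_HEADERS = {"strict-transport-security": "max-age=0"}
MIN_HSTS_AGE = 15552000  # 180 days: an assumed minimum, not a Squarespace value

def _get(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip()
    return directives

def check_hsts(headers):
    """Findings for the HSTS policy: missing header, short max-age, no subdomains."""
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return ["HSTS missing: browsers may still connect over plain HTTP"]
    directives, findings = parse_hsts(value), []
    max_age = directives.get("max-age", "0")
    if not max_age.isdigit() or int(max_age) < MIN_HSTS_AGE:
        findings.append("HSTS max-age below %d seconds: %r" % (MIN_HSTS_AGE, max_age))
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains: subdomains not covered")
    return findings

def check_clickjacking(headers):
    """Finding if neither X-Frame-Options nor CSP frame-ancestors restricts framing."""
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    csp = _get(headers, "Content-Security-Policy") or ""
    if xfo in ("DENY", "SAMEORIGIN") or re.search(r"\bframe-ancestors\b", csp, re.I):
        return []
    return ["no framing restriction: page can be embedded by other origins (clickjacking)"]

def audit(headers):
    """Combined HSTS and clickjacking findings; an empty list means both checks pass."""
    return check_hsts(headers) + check_clickjacking(headers)
```

Feed `audit()` the headers of a real response (for example from `requests.get(url).headers`) to check a live site; an empty result means both protections are present.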

Incident Response

  • In the event of an issue related to the security of the Squarespace platform, the Squarespace security team follows a formal incident response process.

  • Squarespace analyzes identified or potential threats to Squarespace and its customers, and takes reasonable actions where necessary.

Squarespace Building and Network Access

  • Physical access to Squarespace offices and access to the Squarespace internal network is restricted and monitored.

Systems Access Control

  • Access to Squarespace systems is limited to appropriate personnel.

  • Squarespace subscribes to the principle of least privilege.

  • Squarespace’s access control policy applies to systems that Squarespace manages and maintains. The Squarespace access control policy addresses control processes that include, but are not limited to:

    • Account provisioning/decommissioning

    • Authentication

    • Privileged account management

    • User identification

    • Access logging and monitoring

Security Risk Management

Threat intelligence and risk assessment are key components of Squarespace’s information security program. Awareness and understanding of potential (and actual) threats guides the selection and implementation of appropriate security controls to mitigate risk. Potential security threats are identified, and assessed for severity and exploitability. If risk mitigation is required, the security team works with relevant stakeholders and system owners to remediate. The remediation efforts are tested to confirm the new measures/controls have achieved their intended purpose.

Safeguards

Law Enforcement Request Policy

Squarespace respects the human rights of our customers and their end users. Squarespace implements a robust law enforcement request policy which is designed to ensure that all law enforcement, governmental and regulatory requests are valid and made in accordance with applicable legal process. Squarespace does not disclose data to law enforcement, regulatory or governmental bodies unless required by applicable law and objects to unlawful requests. If Squarespace receives a demand for Your Controlled Data (as defined in the Squarespace Data Processing Addendum), Squarespace will attempt to redirect the law enforcement agency or regulatory or government body to request such data directly from the relevant customer. If compelled to disclose or provide access to data to law enforcement, regulatory or governmental bodies or agencies, Squarespace will notify the relevant customer and provide them with a copy of the demand to allow them to seek a protective order or other appropriate remedy (except if such notification is legally prohibited, such as through a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).

Data Privacy Frameworks

Squarespace transfers personal data to the US from, as applicable, the European Economic Area, Switzerland and the United Kingdom pursuant to the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework (each individually and jointly, the “Data Privacy Frameworks”). We are committed to treating personal information received from the European Economic Area, Switzerland and the United Kingdom pursuant to the applicable Data Privacy Framework in accordance with the principles thereof (the “DPF Principles”). You can find our certification here, and you can learn more about the Data Privacy Frameworks (as determined based upon the country from which the personal information was received) and the DPF Principles by visiting https://www.dataprivacyframework.gov/.