Security & your data.
Your API keys, your WordPress password and your Search Console token are encrypted, stored apart from your account data, and never sent back to your browser. Here's exactly how, and what a share link exposes.
You hand ScoutRival some genuinely sensitive things: an AI provider key that can spend your money, a password that can publish to your website, and a token that can read your Search Console. This page says exactly where each of those lives and what leaves our servers.
Where your credentials live
Three kinds of secret pass through ScoutRival:
- Your AI provider API keys — OpenAI, Anthropic, Google, OpenRouter.
- Your WordPress application password — the credential that lets us publish an article.
- Your Google Search Console token — the OAuth token that lets us read your traffic.
All three are treated the same way:
Encrypted before they're written
Every one is encrypted with AES-256-GCM before it touches storage. What sits at rest is a ciphertext blob, not your key.
Stored apart from your account data
Credentials live in their own records, separate from your brands, briefs and content — and those records carry no read permissions for anyone, including you. Only the server, holding the decryption key, can ever open them. A logged-in browser session cannot read them, even its own.
Decrypted only in memory, only to do the job
A key is decrypted at the moment we call your AI provider or publish your post, and it's gone when the request ends. It is never written back out in the clear.
Why we never show a key twice
Once you've pasted a key, it is never sent back to your browser — not on the page that stores it, not in an API response, not ever. What you see afterwards is a masked stub: enough to recognise which key it is, and nothing more.
// the key you pasted key: "sk-…·a3F9" // masked. the real value never leaves the server again status: "connected"
If you lose the key, we can't give it back to you — we genuinely don't have it in readable form. You'd generate a fresh one at your provider and paste that. That's an inconvenience by design: a system that can show you your key can be tricked into showing someone else's.
The same applies to your WordPress application password. Lose it and you create a new one in WordPress; there's nothing for us to reveal.
Search Console is read-only
Connecting Google Search Console grants ScoutRival a read-only scope, and only that. We can read your clicks, impressions, positions and queries. We cannot submit a sitemap, request indexing, remove a URL, change a setting, or add or remove a user on your property.
Google shows you the scope on its own consent screen before you approve it — read it there; don't take our word for it. You can revoke the connection at any time, from ScoutRival or from your Google account. See connect Google Search Console.
What a public share link exposes
You can share a brief or a BlogCraft article as a public link — handy for a client who shouldn't need a login. Be clear about what that means:
- Anyone with the URL can open it. There's no password and no sign-in. Treat the link itself as the secret: if it's forwarded, it works for whoever receives it.
- It's read-only. A visitor sees a copy. They can't edit it, can't get into your account, and can't see any other brand, brief or article.
- It's noindex. The page tells search engines not to index or follow it, so a share link doesn't quietly turn your competitive intelligence into a search result.
- It's revocable. Revoke the link and it stops working immediately, for everyone, including people who already have it.
Details in sharing a brief with a client and sharing & exporting.
Your account
- Two-factor authentication is available and worth turning on — it's the single biggest thing you can do for your own account. Set it up under password, 2FA & sessions.
- Active sessions are listed there too, and you can sign out other devices.
- Your data is scoped to you. Brands, briefs, articles and connections are owner-scoped on the server, on every read — not just hidden in the interface.
- Payments never touch us. Card details are entered on Stripe's own pages. ScoutRival never receives or stores a card number. See payment methods & invoices.
What we don't do with your content
We don't train on your content. Your brand profile, your voice samples, your briefs and your articles are used to produce your output, for your account. They aren't fed into a model that serves anyone else.
When you connect your own AI key, your content is sent to your provider under your account, and that provider's terms are the ones that apply — worth reading if it matters to you.
If you believe you've found a security issue, email us and say so in the subject line. We'd much rather hear it from you than from someone else.