Your browser is out of date. The site might not be displayed correctly. Please update your browser.

Semrush Security Info

Bug Bounty

No technology is perfect, and Semrush believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Program Rules
All program rules are described in our Policy.
Web Application Firewall
Your requests can be blocked by the WAF solution we use. So if you get error 445, but you feel that you have found a vulnerability and you have serious reasons to believe that the vulnerability really exists - you can write to us about it on the report, we will investigate your case and maybe temporary add your IP to the white list.
If you have any questions about the program, feel free to contact us at If you want to report a vulnerability, please submit a report via HackerOne.

Report a vulnerability

Measures of security for Semrush services

This page describes the technical and organizational security measures implemented by Semrush. Semrush may update or modify these security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Semrush services.

Security of data centers

Data centers
Semrush stores its service data at the physically secure data centers in the United States. We use Amazon Web Service, Google Cloud Platform, and Equinix
Data center compliance
All data centers have all relevant best practice compliance certificates.
Learn more about compliance at AWS
Learn more about compliance at GCP
Learn more about compliance at Equinix
Physical security of data centers
Physical security of data centers is ensured through a number of measures, including strict control of personnel access to the data center premises, as well as access control of third parties. Access to data centers is regularly reviewed, activities and incidents are monitored on a 24/7 basis, CCTV recordings of physical access points to server rooms are provided, and electronic intrusion detection systems are in place.
Disaster recovery
Data centers manage climate and temperature to prevent overheating. They are equipped with automatic fire detection and suppression systems, and water leaks detection systems. In addition, electrical and mechanical equipment are monitored. All data centers are redundant and maintainable 24/7. When user data is copied electronically by Semrush outside the data center, appropriate physical security is maintained, and the data is encrypted at all times.
Uptime of the service
The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.8% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Failover protection
Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. Semrush data is backed up to multiple durable data stores and replicated across multiple availability zones. Semrush uses commercially reasonable efforts to create frequent, encrypted back-up copies of the user data and these are stored in geographically separate locations.
Where feasible, production databases are designed to replicate data between no fewer than one primary and one secondary database. All databases are backed up and maintained using industry-standard methods at a minimum.

Office security

Since Semrush conducts its business around the world, we have several offices in different parts of the world. Our offices are located in nine countries on two continents (USA, Czech Republic, Cyprus, Poland, Spain, Netherlands, Germany, Serbia and Armenia). Due to the distribution of offices, we take security very seriously.
Physical security of offices
All our offices are equipped with video surveillance and intrusion detection systems. Access to all office spaces is regulated by an access control system and only employees and visitors who have registered or have temporary access cards are authorized to enter. Company policy requires that all visitors must be accompanied by responsible employees.
Fire protection
Each office meets all fire safety requirements and is equipped with a fire alarm and fire extinguishing systems.

HR security

Confidentiality agreement
Our employees and contractors are required to sign a non-disclosure agreement before starting work.
Security awareness
We provide security awareness training for all new employees, as well as annually for all employees. Training is carried out through an electronic platform and materials and posters displayed throughout our offices.
Developer’s training
We provide training for our product developers in accordance with OWASP best practice for secure programming. Every year we hold the Capture the Flag (CTF) challenge for all developers.

Operational security

Data in transit
Semrush uses TLS encryption (also referred to HTTPS communication protocol) available everywhere on the website. Semrush HTTPS implementation uses industry-standard algorithms and certificates.
Data at rest
Stored information is protected by encryption. Data centers use AES-256 encryption for secure data storage, while employee endpoints are controlled using the MDM system. We use strong encryption methods in an effort to securely store information on our endpoints.
Access Control

Network access control mechanisms are designed to prevent network traffic that uses unauthorized protocols from reaching the Semrush services infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Semrush has implemented a uniform password policy for its services and correspondent tools and features. All passwords must fulfil defined minimum requirements and are stored in encrypted form. Users who interact with the services via the user interface must authenticate before accessing non-public user data.

Personal data is protected by an appropriate level of security designed in order to make it difficult or impossible for unauthorized persons to access such data. Personal data is intended to be used only by specific individuals on a need-to-know basis.

Application security

Separate environments
Staging, testing, and development environments are logically separated from each other. No personal or service data is used in testing or development environments.
Quality assurance
Our quality assurance staff are responsible for continuous quality testing of our product. They also conduct basic security testing.
Code review
The Security team reviews parts of code stored in Semrush source code repositories, checking for coding best practice and identifiable software flaws.
Penetration tests
Semrush conducts penetration tests every six months. The object of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. In addition, the Security team conducts partial penetration tests of new features every week.
Bug Bounty program
A Bug Bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. Semrush has implemented a Bug Bounty program in an effort to widen the available opportunities to engage with the security community and improve the service’s defenses against sophisticated attacks.
External threats protection
Semrush has implemented a Web Application Firewall (WAF) solution to protect internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly-available web applications.
Authentication options

Single sign-on: We have integration with SSO SAML. SSO can be enabled at any time by contacting product support.

Two-factor authentication: Our product supports two-factor authentication. It can be easily enabled to make accounts more secure.


Interaction with contractors
In order to protect any data processed, Semrush maintains contractual relationships with its vendors. Semrush relies on contractual agreements, privacy policies, and vendor compliance procedures in order to protect any data processed or stored by these vendors.
Supplier security verification
We have a security verification process for each supplier. This process is carried out using a mathematical model for calculating the cybersecurity rating (CSR). We continually monitor all our third-party vendors using our cybersecurity assessment platform.
Privacy laws
In our daily activities with personal data, we use all reasonable and appropriate technical and organization measures to adhere to applicable privacy law. To protect personal data, we have enacted the following internal and external policies: General Data Protection Policy, Privacy Policy, Subject Access Request policy, employee procedures for handling subject access requests, data breach procedures, and other documents including as may be required by applicable legislation. Personal data is treated as confidential throughout processing.
Personal data retention
User’s personal data is deleted once no longer necessary for the stated purposes. However, we may retain copies of such data and information to the extent required by law, for archival purposes or as created by automatic computer backup and archived as part of normal computerized archiving systems, maintaining necessary technical and organizational measures.

Incident management

System logging
Semrush has designed its infrastructure to log information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Semrush personnel, including security, are responsive to known incidents.
Incident response
Semrush maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Semrush takes appropriate steps to minimize user damage and unauthorized disclosure, and to prevent future incidents.
Notification in case of incident
If Semrush becomes aware of unlawful access to data stored within its services, we notify the affected users of the incident, provide a description of the steps that are being taken to resolve the incident, and provide status updates to the user, as necessary.

Security management and compliance

Security policies and procedures
We have developed policies that are communicated to all staff at least annually. We also have specific policies that are communicated to the personnel they affect. Policies cover the main areas of information security.
PCI DSS compliance
We have fully implemented and support all processes related to PCI DSS compliance. Once a year, we confirm our compliance by passing an independent QSA audit. As a result, we have achieved a PCI DSS Level 1 certificate. In addition, we have expanded the range of applicability of certain requirements of this standard to the entire company, including training for all employees, training for developers, data transfer and storage.
Last revised: October 26, 2021