
Data & Security

MantleWP is built for agencies who manage client sites. We take data handling seriously. Here's exactly what we collect, how we store it, and what we don't touch.

What We Collect

The MantleWP plugin collects technical metadata about your WordPress installations to power health scores, uptime monitoring, and automated reports. This is what leaves your site:

| Data Point | Purpose |
| --- | --- |
| WordPress version | Security & maintenance tracking |
| PHP version | Compatibility & performance insights |
| MySQL version | Database health & upgrades |
| Server software (nginx, Apache) | Server-side performance tracking |
| Active theme (name, version) | Theme maintenance & security status |
| Plugin inventory (names, versions, update status) | Dependency tracking & security alerts |
| SSL certificate status & expiry date | SSL monitoring & renewal alerts |
| Database size | Growth tracking & optimization hints |
| WordPress Site Health scores | Overall site health reporting |
| Uptime status & response time | Availability monitoring & performance |

This data is collected daily and powers your automated client reports. No personal information. No user-generated content. Pure technical metadata.

What We Never Collect

  • User content — Posts, pages, comments, custom post types
  • Customer data — Names, emails, phone numbers from your site's database
  • Form submissions — Contact forms, checkout data, inquiry data
  • WooCommerce orders — Purchases, transaction history, customer accounts
  • Email addresses — From site visitors, subscribers, or customer lists
  • IP addresses — Of site visitors or page traffic
  • Admin passwords — Or any credentials
  • File contents — Theme files, plugin code, configuration files
  • Media library items — Images, videos, or other attachments
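
A check an agency could run against a captured copy of the plugin's outbound payload, to confirm it stays within the What We Collect table and carries nothing from the What We Never Collect list. This is an added example, not MantleWP code; the JSON key names and both sample payloads are assumptions, since the page does not publish the wire format.

```python
import ipaddress
import re

# Hypothetical key names: the page lists the data points, not the wire format.
DOCUMENTED_KEYS = {
    "wp_version", "php_version", "mysql_version", "server_software",
    "active_theme", "plugins", "ssl", "db_size", "site_health", "uptime",
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def walk(value, path="$"):
    """Yield (path, leaf) for every scalar in nested dicts and lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, f"{path}[{index}]")
    else:
        yield path, value

def looks_like_ip(text):
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.ip_address(candidate)
            return True
        except ValueError:
            pass  # octet out of range, keep scanning
    return False

def audit_payload(payload):
    """Return (finding, location) pairs for anything outside the documented set."""
    findings = [("undocumented_key", k) for k in sorted(set(payload) - DOCUMENTED_KEYS)]
    for path, leaf in walk(payload):
        if not isinstance(leaf, str):
            continue
        if EMAIL_RE.search(leaf):
            findings.append(("email_like_value", path))
        # Four-part version strings such as "4.1.0.2" parse as IPv4; skip version fields.
        if "version" not in path.rsplit(".", 1)[-1] and looks_like_ip(leaf):
            findings.append(("ip_like_value", path))
    return findings

# Constructed sample payloads (not captured from the real plugin).
CLEAN = {"wp_version": "6.5.2", "server_software": "nginx", "db_size": 52428800,
         "plugins": [{"name": "example-forms", "version": "4.1.0.2"}],
         "ssl": {"valid": True, "expires": "2030-01-01"}}
LEAKY = dict(CLEAN, admin_email="owner@example.com", visitor={"ip": "203.0.113.7"})
```

An empty result from `audit_payload` means no undocumented top-level keys and no email-like or IP-like strings were found; it does not prove the absence of other content types.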

How Data Flows

Here's the complete journey of your data through MantleWP:

1. Collection (Your Site)

The MantleWP plugin runs on your WordPress site via WP-Cron. It reads metadata from wp_options, wp_plugins, and server information. No queries touch user data.

2. Transmission (HTTPS POST)

Data is encrypted via TLS/HTTPS and sent to the MantleWP API endpoint. Each request is authenticated using a site-specific API key in the X-MantleWP-Key header.

3. Storage (PostgreSQL)

Data is stored in our PostgreSQL database on isolated DigitalOcean infrastructure in SFO3. Database access is restricted to the MantleWP application server only.

4. Report Generation (Server-Side)

When you generate a report, Puppeteer renders the report template server-side with your data and branding. The PDF is created in memory, sent to you or your clients via email, then cleared.

5. Delivery (Email via Resend)

Reports are sent via Resend's email service over HTTPS. Email is not stored on MantleWP servers unless you request report history retention.

Encryption & Storage

  • In Transit: All data between your WordPress site and MantleWP travels over HTTPS/TLS 1.2+. Your API key is sent in the X-MantleWP-Key header, encrypted in transit.
  • At Rest: API keys are encrypted in the database using industry-standard encryption. Database credentials and Stripe keys are encrypted. Configuration is encrypted.
  • Backups: Daily encrypted backups of the PostgreSQL database are retained with multi-tier retention: 7 daily, 4 weekly, 3 monthly. Backups are stored on DigitalOcean Spaces with encryption enabled.
  • Access Control: Only the MantleWP application server has direct database access. No human access without authentication. Logs of data access are maintained for audit purposes.

Data Retention

  • Uptime pings: Retained for 90 days, then automatically deleted
  • Health check history: Retained for 365 days, then automatically deleted
  • Generated reports: Retained until you delete them from your dashboard
  • Account data: After cancellation, all data associated with your account is deleted within 30 days
  • API keys: Invalidated immediately upon site removal; old keys are purged from logs after 180 days

GDPR Compliance

MantleWP is GDPR-compliant. Here's why:

  • No personal data from site visitors: We collect only technical metadata about WordPress installations, not data about people visiting your site.
  • No user consent required: Because we don't process personal data, cookie consent banners on your site don't affect MantleWP's operation.
  • Data controller: You (the agency) are the data controller. MantleWP is a processor acting on your instructions.
  • Right to deletion: You can delete all data associated with a site or your account at any time in the dashboard.

See our full Privacy Policy for complete GDPR details, including our Data Processing Agreement.

Your Responsibilities

  • Keep API keys secure: Treat your site API key like a password. Don't share it publicly or commit it to version control.
  • Inform your clients: Let your clients know in your care plan agreement that you use MantleWP for monitoring and reporting. Transparency builds trust.
  • Update the plugin: Keep the MantleWP WordPress plugin up to date. We ship security patches regularly.
  • Review access logs: Periodically check which sites are connected and remove any disconnected sites from your dashboard.
