Squarespace

Design-forward website builder. Zero code required. The default portfolio platform for freelance journalists.

Adequate

https://www.squarespace.com · Reviewed 2026-04-03 · Editorial assessment by Mike Schneider — not an independent security audit

What should journalists know about Squarespace?

Squarespace is the most popular website builder for journalist portfolios, and for good reason: the templates are beautiful, mobile-responsive, and require zero technical skill. Four journalist-specific templates (Myhra, Carroll, Suhama, Adri) handle common portfolio layouts out of the box. Drag-and-drop editing, built-in SEO tools, free SSL, and custom domain support. Over 5 million active subscriptions across the platform. The tradeoff is control. Squarespace is a closed ecosystem — no open-source code, no self-hosting, no plugin marketplace, limited CMS flexibility compared to WordPress. You cannot export your site and run it elsewhere. If Squarespace raises prices or changes terms, your options are rebuild or pay. The 2024 Permira acquisition ($7.2B) took the company private. Founder Anthony Casalena remains CEO and largest shareholder, with Accel and General Atlantic retaining equity. Private equity ownership introduces long-term pricing risk — Permira needs returns, and the lever is revenue per customer. For newsletter-driven publishing, Ghost and Substack are stronger. For complex CMS needs, WordPress wins. For maximum design control without code, Squarespace is hard to beat. One significant incident: in July 2024, weak security defaults during the Google Domains migration (10 million domains acquired for $180M in 2023) allowed attackers to hijack domains by registering accounts with emails tied to unmigrated domains. No MFA was required. At least 12 organizations were affected, mostly in crypto. Squarespace patched the flaw, but it revealed a gap in their migration security design.

Best for

Freelance journalist portfolio sites. Personal brand websites for writers, editors, and photojournalists. Simple professional sites that need to look polished without developer involvement. Journalists who want a clip archive they control outside of publication websites.

Not for

Newsletter-first publishers — Ghost and Substack have native email tools Squarespace lacks. Newsrooms that need a full CMS with custom workflows, memberships, or complex content structures — WordPress is the better fit. Anyone who needs open-source software or the ability to self-host. Journalists on a tight budget who need a free option — WordPress.org or a free Ghost(Pro) tier costs less.

Security & Privacy

Encryption in transit Yes

Data is scrambled while being sent to their servers

Encryption at rest Unknown

Data is scrambled when stored on their servers

Data jurisdiction United States. Squarespace is headquartered in New York. Data transfers from the EU, UK, and Switzerland use the EU-U.S. Data Privacy Framework and its extensions. No option to choose a non-US data jurisdiction.

Where servers are located — affects which governments can request your data

Security rating Adequate

Squarespace collects account data, payment info, device/browser data, IP addresses, and site usage analytics. Does not sell personal information. Shares data with payment processors (Stripe, PayPal), advertising partners, and service vendors. De-identifies data for research purposes. Domain registration data processed per ICANN rules. PCI-DSS compliant for payment handling — sensitive card data goes directly to processors, never stored by Squarespace. Two-factor authentication phone numbers are not sold. EU/UK residents have GDPR rights; US state privacy law residents can opt out of targeted advertising data sharing.

How to protect yourself:

Enable two-factor authentication on your Squarespace account immediately — the 2024 domain hijacks exploited accounts without MFA. Use a custom domain from day one so your URL is portable if you leave Squarespace. Export your content regularly — Squarespace supports XML export, but it does not preserve design or layout. Keep a local backup of all images and media files separately. If you use Squarespace Domains as your registrar, monitor your domain settings and ensure your account email is current. Use a strong, unique password managed by a password manager — Squarespace hashes passwords but does not disclose the algorithm.

TLS encryption on all customer domains with automatic free SSL certificates. HSTS enforced. Passwords hashed. Two-factor authentication available. Web Application Firewall deployed. Regular penetration testing. PCI-DSS compliant for payment processing. EU-U.S. Data Privacy Framework certified. The July 2024 domain hijacking incident — caused by weak defaults during the Google Domains migration — is the most significant security event in Squarespace's history. The flaw was patched and MFA was mandated for domain management, but it demonstrated that security was not the top priority during a major infrastructure transition. No encryption-at-rest details are publicly disclosed. No SOC 2 or ISO 27001 certifications are publicly claimed. Closed-source platform means no independent code audit is possible. Rating reflects solid baseline security practices offset by the 2024 incident, lack of transparency on at-rest encryption, and absence of third-party security certifications.

Who Owns This

Owner Squarespace Inc. (acquired by Permira in October 2024 for $7.2B; taken private, delisted from NYSE)

Funding Private equity. Permira acquired Squarespace at $46.50/share in an all-cash transaction. Founder Anthony Casalena rolled over most of his equity and remains CEO and chairman. Accel and General Atlantic retained equity stakes. Previously publicly traded on NYSE (2021-2024). Estimated revenue ~$1B in 2024, ~$1.06B in 2025. Approximately 1,800-2,000 employees.

Business model Subscription SaaS. Revenue from website hosting plans ($16-$139/month), domain registrations, e-commerce transaction fees, and add-on services. Squarespace Domains is a standalone registrar (inherited ~10 million domains from Google Domains acquisition in 2023 for $180M). No advertising on customer sites. No commission on content — but e-commerce plans charge transaction fees on non-Squarespace payment processing.

Known issues

July 2024 domain hijacking: During the Google Domains migration, attackers exploited weak account creation defaults to hijack at least 12 domains. No email verification was required to claim a migrated domain. No MFA was enforced. Squarespace had assumed users would authenticate via social login (Google, Apple), not email registration. Attackers redirected domains to phishing sites targeting cryptocurrency users. Squarespace patched the vulnerability and mandated MFA for domain management. Closed-source platform with no public vulnerability disclosure database or CVE history. No SOC 2 or ISO 27001 certifications publicly claimed. Vendor lock-in is real: site designs cannot be exported to other platforms, only content via XML. Private equity ownership (Permira) creates long-term pricing and product direction uncertainty.

Pricing

Four plans, billed annually: Basic $16/month, Core $23/month, Plus $39/month, Advanced $99/month. Monthly billing runs 30-40% higher (Basic $25/month, Core $33/month, Plus $49/month, Advanced $139/month). All annual plans include a free custom domain for the first year. 14-day free trial on all plans. No free tier — the trial expires and you must pay to keep your site live.

This is an editorial assessment based on publicly available information as of 2026-04-03, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.

Something wrong or outdated? Report it.