Security & Privacy

• TLS 1.2/1.3 encryption on all connections (HSTS enabled)
• Industry-standard password hashing with high cost factor
• Short-lived authentication tokens with automatic expiry
• All database connections encrypted in transit

• Hosted in EU (Germany) — GDPR-compliant data center
• Containerized microservice architecture with network isolation
• Encrypted database with in-memory caching layer
• Automated daily backups with 30-day retention
• Enterprise CDN with DDoS protection and Web Application Firewall

• OWASP Top 10 penetration tested (April 2026) — score 9.5/10
• SQL injection, XSS, CSRF, IDOR, path traversal — all verified secure
• Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) enforced
• Rate limiting with brute-force protection (auto-lockout after failed attempts)
• Input validation with schema enforcement on all API endpoints
• Full security header suite (6 headers active on all responses)
• Admin routes require database-level role verification
• Zero information disclosure — no stack traces, no server versions, no technology fingerprints

• Row-level security — users can only access their own data
• AI processing via EU-compliant providers — your data is never used for training
• On-premise AI fallback available for sensitive workloads
• No third-party analytics or tracking pixels
• Data deletion available on request within 48 hours

• GDPR compliant — data stored exclusively in EU (Germany)
• Privacy policy and cookie consent implemented
• Data Processing Agreement (DPA) available for enterprise clients
• Right to data portability — export your data anytime in standard formats
• Incident response: notification within 72 hours per GDPR Art. 33