Security & compliance
Facts, not badges.
This page is written for the person who asks the uncomfortable questions before buying: Where does the data live? Who can do what? What can be evidenced — and what can’t we do (yet)?
01 · Data path
Your data stays in the EU.
- Database: managed PostgreSQL in the EU
- Media storage: Cloudflare R2 with signed, expiring URLs — uploads are checked for real file types (magic-byte sniffing); disguised executables are blocked
- Sensitive fields (e.g. tax identification numbers) are additionally encrypted per field (AES-256-GCM)
- Transactional email via an EU subuser of the mail provider
- Production refuses to boot without configured secure storage (fail-closed)
02 · Identity & access
Permissions come from the database — not from the token.
- Sign-in with enforced email verification; disposable addresses rejected; rate limits against brute force
- Short-lived Ed25519-signed tokens (~15 minutes); roles and organization are resolved server-side from the database on every request — a tampered token grants nothing
- Eight roles with default-deny routing; tenant isolation is checked per record, not just per route
- Companies are verified (domain proof or VAT ID/VIES) before they can send offers; namesake screening with a manual review queue
- Creator handles count as verified only after social-login verification; follower counts are written exclusively by the API sync
03 · Traceability
Every decision leaves a verifiable trace.
- Every change lands in a SHA-256-chained audit history per organization — manipulation, deletion or reordering are provable (tamper-evident)
- Export with a verifiable seal; retention tier per German §147 AO (10 years) with pseudonymized user references
- Overrides are possible but never silent: reason required, sealed before execution
- Contracts are cryptographically sealed after both signatures; any later change invalidates signature and approval
04 · Website privacy
This website doesn’t track before you consent.
- No analytics, marketing or tracking script loads before your consent — this is tested automatically
- Web analytics is cookieless and active only after opt-in
- Consent state is versioned: if the policy changes, we ask again
05 · Data-subject rights
Export and deletion are features, not tickets.
- GDPR data export from within the account
- Account deletion with a 14-day grace period, then permanent deletion
- Public data-deletion instructions (also registered as the deletion URL with Meta)
What we don’t have (yet)
A security page without gaps would be a lie. This is what we lack today:
- We currently don’t offer two-factor authentication / passkeys
- No ISO 27001 or SOC 2 certification — instead we answer your security questionnaires directly and honestly
- No SSO (SAML/OIDC) for company logins
- The audit history is tamper-evident, not tamper-proof — there is no external anchoring
Contact
Ask us the uncomfortable questions.
DPA, TOMs, security questionnaire, data-protection impact assessment: write to us — you’ll get answers from the people who built the system.