Skip to main content

Security & compliance

Facts, not badges.

This page is written for the person who asks the uncomfortable questions before buying: Where does the data live? Who can do what? What can be evidenced — and what can’t we do (yet)?


01 · Data path

Your data stays in the EU.

  • Database: managed PostgreSQL in the EU
  • Media storage: Cloudflare R2 with signed, expiring URLs — uploads are checked for real file types (magic-byte sniffing); disguised executables are blocked
  • Sensitive fields (e.g. tax identification numbers) are additionally encrypted per field (AES-256-GCM)
  • Transactional email via an EU subuser of the mail provider
  • Production refuses to boot without configured secure storage (fail-closed)

02 · Identity & access

Permissions come from the database — not from the token.

  • Sign-in with enforced email verification; disposable addresses rejected; rate limits against brute force
  • Short-lived Ed25519-signed tokens (~15 minutes); roles and organization are resolved server-side from the database on every request — a tampered token grants nothing
  • Eight roles with default-deny routing; tenant isolation is checked per record, not just per route
  • Companies are verified (domain proof or VAT ID/VIES) before they can send offers; namesake screening with a manual review queue
  • Creator handles count as verified only after social-login verification; follower counts are written exclusively by the API sync

03 · Traceability

Every decision leaves a verifiable trace.

  • Every change lands in a SHA-256-chained audit history per organization — manipulation, deletion or reordering are provable (tamper-evident)
  • Export with a verifiable seal; retention tier per German §147 AO (10 years) with pseudonymized user references
  • Overrides are possible but never silent: reason required, sealed before execution
  • Contracts are cryptographically sealed after both signatures; any later change invalidates signature and approval

04 · Website privacy

This website doesn’t track before you consent.

  • No analytics, marketing or tracking script loads before your consent — this is tested automatically
  • Web analytics is cookieless and active only after opt-in
  • Consent state is versioned: if the policy changes, we ask again

05 · Data-subject rights

Export and deletion are features, not tickets.

  • GDPR data export from within the account
  • Account deletion with a 14-day grace period, then permanent deletion
  • Public data-deletion instructions (also registered as the deletion URL with Meta)

What we don’t have (yet)

A security page without gaps would be a lie. This is what we lack today:

  • We currently don’t offer two-factor authentication / passkeys
  • No ISO 27001 or SOC 2 certification — instead we answer your security questionnaires directly and honestly
  • No SSO (SAML/OIDC) for company logins
  • The audit history is tamper-evident, not tamper-proof — there is no external anchoring

Contact

Ask us the uncomfortable questions.

DPA, TOMs, security questionnaire, data-protection impact assessment: write to us — you’ll get answers from the people who built the system.