Security and Compliance

Effective September 9, 2024
Translation of the original: Sicherheit & Compliance

This document outlines our commitment to protecting the security and privacy of the data you entrust to us. It provides detailed information on how we host and manage our services, our compliance with international security standards, our privacy practices, and the measures we take to ensure the integrity and availability of our systems.

Hosting

Our application components are hosted by the following infrastructure provider:

  • Hetzner: Provides the server infrastructure.

Authentication

Users authenticate to our services with an email address and password only. We currently do not support Google OAuth 2.0 sign-in or two-factor authentication.

Session Management

Session tokens are renewed automatically unless the user explicitly revokes them. Accounts are locked after repeated invalid password attempts.

Compliance Certifications

Our servers and infrastructure providers comply with key security standards:

Data Storage

All data is stored in a database on our servers, with regular backups performed. The servers are all located in Germany.

Security Practices and Measures

  • Data Deletion: After deletion, user accounts are removed from our systems within 30 days. All backups are deleted within three months, in compliance with legal retention obligations and timelines.
  • Data Encryption: All data is encrypted in transit using TLS (commonly still referred to as SSL). Data stored on our systems is not encrypted at rest; it is protected by authentication and access controls instead.
  • Third-Party Access: Access to live user data is strictly limited to authorized employees. Confidentiality agreements are in place with contractors and business partners, and wherever possible, they work with test or anonymized data to prevent unauthorized access to sensitive information.

Backup and Recovery

Our data recovery strategy includes:

  • Hourly Snapshots: Snapshots are taken every hour and retained for 3 months.

System Integrity

  • Testing: We conduct automated tests before each system update to ensure the integrity of critical functions.

For more details on the third-party services we use that may receive personal data, please refer to our .