
Security

Last updated: 1 May 2025

1. Infrastructure and data residency

All Vindaris data is stored and processed exclusively on servers operated by Hetzner Online GmbH in their Nuremberg data centre (DE-NBG), Germany. The data centre is located within the European Union. No data is transferred to or stored in data centres outside the EU/EEA in connection with the core platform.

Hetzner's Nuremberg facility is ISO 27001 certified and operates to high physical security standards including 24/7 CCTV, access control, and redundant power.

2. Encryption

  • In transit: All communication between your browser/client and Vindaris is encrypted using TLS 1.2 or higher (TLS 1.3 preferred). HTTP requests are automatically redirected to HTTPS.
  • At rest: All customer data stored on disk is encrypted using AES-256. Database backups are encrypted before storage.
  • Passwords: User passwords are hashed using bcrypt with a minimum cost factor of 12. Plaintext passwords are never stored or logged.
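As an added illustration, not Vindaris's own code, the following Python audit checks stored hash strings against the policy stated above: every hash must be bcrypt with a cost factor of at least 12, and anything weaker (a lower cost, or a legacy non-bcrypt digest) is flagged so it can be re-hashed after the user's next successful login. The sample rows are constructed and the payload is a placeholder, not a digest of any real password.

```python
import re

# Policy stated above: bcrypt with a minimum cost factor of 12.
MIN_BCRYPT_COST = 12

# bcrypt's modular-crypt format: $2a$/$2b$/$2y$ prefix, two-digit cost, then
# 22 salt chars and 31 digest chars in bcrypt's own base64 alphabet (53 total).
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[aby])\$(?P<cost>\d{2})\$(?P<payload>[./A-Za-z0-9]{53})$"
)

def parse_bcrypt_cost(stored):
    """Return the cost factor of a well-formed bcrypt string, or None if it is not bcrypt."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        return None
    cost = int(m.group("cost"))
    # bcrypt implementations only accept costs 4..31; anything else is malformed.
    return cost if 4 <= cost <= 31 else None

def needs_rehash(stored, min_cost=MIN_BCRYPT_COST):
    """True if the hash must be regenerated after the user's next successful login."""
    cost = parse_bcrypt_cost(stored)
    return cost is None or cost < min_cost

def audit_password_hashes(records, min_cost=MIN_BCRYPT_COST):
    """Return (user, reason) for every stored hash that violates the policy."""
    findings = []
    for user, stored in records:
        cost = parse_bcrypt_cost(stored)
        if cost is None:
            findings.append((user, "not a bcrypt hash"))
        elif cost < min_cost:
            findings.append((user, f"cost {cost} below minimum {min_cost}"))
    return findings

# Constructed sample rows; the payload is a placeholder, not a digest of any real password.
_PAYLOAD = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_RECORDS = [
    ("alice", f"$2b$12${_PAYLOAD}"),                 # compliant
    ("bob",   f"$2a$10${_PAYLOAD}"),                 # legacy cost, must be rehashed
    ("carol", "0123456789abcdef0123456789abcdef"),   # unsalted hex digest, not bcrypt
    ("dave",  f"$2y$13${_PAYLOAD}"),                 # compliant, stronger than the minimum
]

if __name__ == "__main__":
    for user, reason in audit_password_hashes(SAMPLE_RECORDS):
        print(f"{user}: {reason}")
```

Running the audit periodically over the user table, rather than only at login, is what turns the stated minimum cost into a verifiable control instead of a default that older rows may silently predate.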

3. Access control

  • Production access is restricted to named engineers via SSH with key-based authentication and multi-factor authentication (MFA).
  • Access to production systems follows the principle of least privilege. Access rights are reviewed quarterly and revoked immediately upon role change or termination.
  • All administrative actions on production infrastructure are logged and auditable.

4. Application security

  • We conduct regular code reviews with a focus on OWASP Top 10 vulnerabilities.
  • Dependencies are monitored for known vulnerabilities using automated tooling and updated promptly.
  • Input validation and output encoding are applied throughout the application to mitigate injection attacks and XSS.
  • CSRF protection is applied to all state-changing requests.
  • Rate limiting is applied to authentication endpoints to mitigate brute-force attacks.

5. Monitoring and logging

We operate continuous monitoring of our infrastructure and application layer, including:

  • Uptime and availability monitoring with automated alerting
  • Error rate and latency monitoring
  • Security event logging (authentication events, access attempts, anomalies)
  • Log retention: security logs are retained for 90 days

6. Backup and recovery

  • Database backups are taken daily and retained for 30 days.
  • Backups are stored in encrypted form in a geographically separate location within Germany.
  • Recovery procedures are tested at least quarterly.

7. Incident response

In the event of a security incident affecting personal data, we will notify affected customers within 72 hours of becoming aware of the breach, in accordance with Art. 33 and 34 GDPR, where applicable. Notifications will include a description of the breach, its likely consequences, and the measures taken or proposed to address it.

To report a security vulnerability, contact us at security@vindaris.com. We aim to acknowledge reports within 48 hours.

8. Technical and organisational measures (TOMs), Art. 32 GDPR

We implement the following TOMs to ensure appropriate security of personal data:

  • Pseudonymisation and encryption of personal data
  • Confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore availability of personal data in a timely manner in the event of an incident
  • Regular testing, assessment, and evaluation of the effectiveness of technical and organisational measures
  • Physical access controls at the Hetzner data centre
  • Logical access controls with MFA for all administrative access
  • Data minimisation — we collect only the data necessary to provide the service
  • Staff training on data protection and information security

9. Subprocessors

This is the authoritative list of subprocessors we engage to provide the platform. Each subprocessor is bound by a data processing agreement that imposes confidentiality, security, and limited-purpose obligations. Our Privacy Notice, Terms of Service, and GDPR page all point here, so this list is the single source of truth.

Hetzner Online GmbH — hosting, storage, database, backups. Industriestr. 25, 91710 Gunzenhausen, Germany. Data centre: Nuremberg / Falkenstein, Germany (EU/EEA). Processes: all User Content and account data.

Mollie B.V. — payment processing, mandate management, recurring billing, refunds. Keizersgracht 126, 1015 CW Amsterdam, Netherlands. Processes: billing name, billing address, e-mail, payment instrument data (card / SEPA / iDEAL etc.), Mollie customer and subscription identifiers. Mollie is an independent controller for fraud prevention and regulatory purposes; see mollie.com/privacy.

Scaleway SAS — transactional and digest e-mail delivery (Scaleway Transactional Email, TEM). 8 rue de la Ville l'Évêque, 75008 Paris, France. Data centre: Paris, France (EU/EEA). Processes: recipient e-mail address, e-mail content, delivery metadata. See scaleway.com/privacy-policy.

Mistral AI SAS — large-language-model processing for AI-assisted features (alignment suggestions, narrative detection, work-graph extraction, conflict resolution help). 15 rue des Halles, 75001 Paris, France. Processes: only the content and metadata necessary to generate a response for the requested feature. Mistral does not train its models on data submitted via its API. Processing takes place in the European Union. See mistral.ai/terms.

We will give reasonable advance notice of new subprocessors before they begin processing personal data. To object to a new subprocessor, contact privacy@vindaris.com within 14 days of notification.


© 2025 Vindaris. All rights reserved.