Your data stays in Europe.
Here is the proof.
One page for your security review: where data lives, how it is protected, the documents legal will ask for, and who processes what. If your DPO needs something that is not here, it is one email away.
The claims, stated precisely.
Each row says exactly what holds, and where to verify it. We would rather under-claim than decorate this page with badges.
| Area | Status | Verify |
|---|---|---|
| GDPR | Fully in scope: EU-based processing, documented TOMs per Art. 32, breach notification per Art. 33/34 within 72 hours, DPA per Art. 28 for every customer. | Privacy notice |
| Data residency | All production data and backups stay in Germany (Hetzner, Nuremberg). No core-platform data leaves the EU/EEA. | Security: infrastructure |
| ISO 27001 | The Hetzner data center hosting all data is ISO 27001 certified. Vindaris itself does not hold an organizational certification and does not claim one. | Security: infrastructure |
| Encryption | TLS 1.2+ in transit (TLS 1.3 preferred), AES-256 at rest, bcrypt (cost 12+) for credentials, encrypted backups. | Security: encryption |
| Subprocessors | Four, all EU-based: Hetzner (DE), Mollie (NL), Scaleway (FR), Mistral AI (FR). Advance notice before any addition, with a 14-day objection window. | Subprocessor list |
Everything legal will ask for.
Published where possible, one email where a signature is involved.
Data Processing Agreement
Art. 28 GDPR DPA covering processing scope, TOMs, and subprocessor terms. Email us and we return the countersigned copy.
Request the DPA
Technical and organisational measures
The Art. 32 TOMs: encryption, access control, backup, testing, and training, published in full for your vendor file.
Read the TOMs
Subprocessor list
The authoritative list of the four EU subprocessors, what each one processes, and where. Our other legal pages all point here.
See the list
Terms and legal
The contractual frame: Terms of Service, Privacy Notice, and the legal notice with company details.
Terms | Privacy | Legal notice
The full write-ups.
The security page covers infrastructure, encryption, access control, application security, monitoring, backup, incident response, TOMs, and subprocessors in nine sections. A German version is available on the same page.
What every security review asks.
Where is my data stored?
All production data is stored and processed on servers operated by Hetzner Online GmbH in Nuremberg, Germany, inside the European Union. Backups stay in encrypted form in a geographically separate location within Germany. No core-platform data leaves the EU/EEA.
Is Vindaris GDPR compliant?
Yes. Processing follows the GDPR, the technical and organisational measures per Art. 32 are documented on the security page, and a Data Processing Agreement per Art. 28 is available for every customer. Incident notification follows Art. 33 and 34 (within 72 hours).
Do you use US cloud providers?
No. The platform runs on Hetzner (Germany), payments run through Mollie (Netherlands), transactional email through Scaleway (France), and AI features through Mistral AI (France). Every subprocessor is EU-based; the authoritative list is on the security page.
How do I get a signed DPA?
Email privacy@vindaris.com and we return the countersigned Data Processing Agreement. If your procurement process needs the subprocessor list or the TOMs alongside it, both are published and linked below, so you can attach them without waiting on us.
Is Vindaris ISO 27001 certified?
The Hetzner data center that hosts all Vindaris data is ISO 27001 certified. Vindaris as a company does not currently hold an organizational ISO 27001 certification, and we will not imply otherwise. What we do operationally is documented in full on the security page.
Something missing from this page? Write to privacy@vindaris.com for data protection questions or security@vindaris.com to report a vulnerability. We acknowledge security reports within 48 hours.