Your data stays in Europe.
Here is the proof.

One page for your security review: where data lives, how it is protected, the documents legal will ask for, and who processes what. If your DPO needs something that is not here, it is one email away.

Hosted in Germany  |  GDPR compliant  |  AES-256 encrypted  |  EU data residency

The claims, stated precisely.

Each row says exactly what holds, and where to verify it. We would rather under-claim than decorate this page with badges.

Area  |  Status  |  Verify
GDPR  |  Fully in scope: EU-based processing, documented TOMs per Art. 32, breach notification per Art. 33/34 within 72 hours, DPA per Art. 28 for every customer.  |  Privacy notice
Data residency  |  All production data and backups stay in Germany (Hetzner, Nuremberg). No core-platform data leaves the EU/EEA.  |  Security: infrastructure
ISO 27001  |  The Hetzner data center hosting all data is ISO 27001 certified. Vindaris itself does not hold an organizational certification and does not claim one.  |  Security: infrastructure
Encryption  |  TLS 1.2+ in transit (TLS 1.3 preferred), AES-256 at rest, bcrypt (cost 12+) for credentials, encrypted backups.  |  Security: encryption
Subprocessors  |  Four, all EU-based: Hetzner (DE), Mollie (NL), Scaleway (FR), Mistral AI (FR). Advance notice before any addition, with a 14-day objection window.  |  Subprocessor list

Everything legal will ask for.

Published where possible, one email where a signature is involved.

Data Processing Agreement

Art. 28 GDPR DPA covering processing scope, TOMs, and subprocessor terms. Email us and we return the countersigned copy.

Request the DPA

Technical and organisational measures

The Art. 32 TOMs: encryption, access control, backup, testing, and training, published in full for your vendor file.

Read the TOMs

Subprocessor list

The authoritative list of the four EU subprocessors, what each one processes, and where. Our other legal pages all point here.

See the list

Terms and legal

The contractual frame: Terms of Service, Privacy Notice, and the legal notice with company details.

Terms  |  Privacy  |  Legal notice

The full write-ups.

The security page covers infrastructure, encryption, access control, application security, monitoring, backup, incident response, TOMs, and subprocessors in nine sections. A German version is available on the same page.

Security practices  |  Privacy notice

What every security review asks.

Where is my data stored?

All production data is stored and processed on servers operated by Hetzner Online GmbH in Nuremberg, Germany, inside the European Union. Backups stay in encrypted form in a geographically separate location within Germany. No core-platform data leaves the EU/EEA.

Is Vindaris GDPR compliant?

Yes. Processing follows the GDPR, the technical and organisational measures per Art. 32 are documented on the security page, and a Data Processing Agreement per Art. 28 is available for every customer. Incident notification follows Art. 33 and 34 (within 72 hours).

Do you use US cloud providers?

No. The platform runs on Hetzner (Germany), payments run through Mollie (Netherlands), transactional email through Scaleway (France), and AI features through Mistral AI (France). Every subprocessor is EU-based; the authoritative list is on the security page.

How do I get a signed DPA?

Email privacy@vindaris.com and we return the countersigned Data Processing Agreement. If your procurement process needs the subprocessor list or the TOMs alongside it, both are published and linked below, so you can attach them without waiting on us.

Is Vindaris ISO 27001 certified?

The Hetzner data center that hosts all Vindaris data is ISO 27001 certified. Vindaris as a company does not currently hold an organizational ISO 27001 certification, and we will not imply otherwise. What we do operationally is documented in full on the security page.

Something missing from this page? Write to privacy@vindaris.com for data protection questions or security@vindaris.com to report a vulnerability. We acknowledge security reports within 48 hours.