Security

Securing your data is a daily commitment. This page describes the architecture, technical controls and processes we apply to protect the information you entrust to us. For the legal framework and data-subject rights, see our privacy policy and our nLPD page.

Single-tenant architecture

Each customer has their own application instance (an isolated Docker container) and their own database. There is no pooling of application data between customers. In practice this means:

• No cross-tenant leakage — a faulty application request cannot expose another customer's data, because no application code ever has concurrent access to two databases.
• Individual restore — we can roll back an instance to a point in time without affecting other customers.
• Isolated upgrades — progressive rollout with per-instance rollback capability.

Encryption

Data is encrypted at rest using AES-256-GCM. We use envelope encryption: a separate master key, stored outside the database, encrypts per-customer encryption keys. Data in transit is protected by TLS 1.3 (negotiated by Caddy with Let's Encrypt). Plain HTTP connections are systematically redirected to HTTPS.

Backups — GFS strategy

We apply a Grandfather-Father-Son strategy across several horizons:

• 6-hour snapshot — retained for 48 hours.
• 24-hour snapshot — retained for 7 days.
• Weekly — retained for 30 days.
• Monthly — retained for 12 months.

Backups are encrypted end-to-end and stored on infrastructure separate from the primary server. We run a quarterly restore test to validate backup integrity.

Hosting

All of our infrastructure is hosted at Infomaniak, in Geneva, Switzerland. Infomaniak is certified ISO 27001 (information security), ISO 9001 (quality management) and ISO 14001 (environmental management). Data centres run on 100% renewable hydroelectricity. No customer data is hosted outside Switzerland during normal operations.

Authentication and sessions

• Passwords — hashed with Argon2id (winner of the Password Hashing Competition), with cost parameters reviewed and raised periodically.
• Sessions — HTTP-only + Secure + SameSite=Strict cookies, tokens rotated on privilege escalation.
• CSRF — HMAC-based protection on all mutating requests.
• MFA — TOTP (RFC 6238) available on request; mandatory on administrator accounts.

Logging and audit

Sensitive actions are logged in an immutable audit trail: sign-ins, data exports, deletions, user and role changes, configuration changes. Logs are retained for at least 12 months and can be provided to the customer upon a written, motivated request.

Infrastructure and defence in depth

• Host firewall (nftables) with a default-deny policy.
• Cloudflare WAF in front, with OWASP ruleset enabled and DDoS protection.
• Application-level rate limiting (per-IP) on authentication and signup endpoints.
• Active monitoring 24/7, anomaly alerts, automatic TLS certificate rotation.

Development and supply chain

• Mandatory code review — no change reaches production without peer review.
• Audited dependencies — automatic scanning via bun audit (Node) and go mod audit (Go) on every build.
• Automated testing — front-end (Vitest), back-end (Go testing) and E2E (Playwright) tests on every commit via our CI.
• Secrets injected through environment variables, never in source code.

Responsible disclosure

If you believe you have identified a vulnerability, please write to [email protected]. We commit to acknowledging receipt within 72 business hours and providing a first diagnosis within 10 days. Please do not disclose the vulnerability publicly until we have had an opportunity to remediate.

Governance and documents

Our privacy policy and our nLPD compliance page detail the applicable legal framework and the rights you can exercise: Privacy policy, nLPD compliance, Terms of service.