Security

We protect your data through multiple layers of defense, industry best practices, and continuous monitoring.

Application Security

OWASP Top 10 Compliance

We implement protections against the OWASP Top 10 security risks, including:

  • Injection attacks (SQL injection, command injection, etc.)
  • Broken authentication and session management
  • Cross-site scripting (XSS)
  • Insecure direct object references
  • Security misconfigurations
  • Sensitive data exposure
  • Missing function level access control
  • Cross-site request forgery (CSRF)
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards

Secure Development Practices

  • Regular security code reviews and static analysis
  • Vulnerability scanning and penetration testing
  • Secure coding standards and training
  • Dependency management and vulnerability tracking

Infrastructure Security

Defense in Depth

Our infrastructure uses multiple security layers to protect against threats.

A web application firewall (WAF) guards against common web attacks and exploits, with real-time threat detection, bot protection, rate limiting, and custom rules for application-specific threats.

At the network level, we enforce isolation and segmentation, least privilege access controls, and intrusion detection and prevention systems. We run regular security assessments and monitoring across the stack.

For containers, we use secure base images with runtime protection, vulnerability scanning, resource limits, and regular patching.

Data Protection

Encryption

We encrypt all stored data using industry-standard algorithms, with secure key management, key rotation, and database-level encryption for sensitive information.

All data in transit, including API communications, is protected with TLS. We manage the certificates this relies on and use end-to-end encryption for sensitive operations.

Data Residency and Privacy

All data is hosted in Sweden and stays within the EU. Our infrastructure runs on Hetzner Cloud, an EU-owned and operated provider headquartered in Germany, with no corporate ties to non-EU jurisdictions. Hetzner's data centers are ISO 27001-certified with strict physical and logical access controls.

This means we are not subject to the US CLOUD Act, FISA, or similar non-EU legislation. We maintain full GDPR compliance, practice data minimization (we only collect and store what is necessary), and support complete data removal on request.

Access Controls

Authentication & Authorization

  • Multi-factor authentication (MFA) support
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews and audits

Administrative Security

  • Secure administrative access procedures
  • Audit logging for all administrative actions
  • Separation of duties for critical operations
  • Regular credential rotation and management

Monitoring & Incident Response

Continuous Monitoring

  • 24/7 security monitoring and alerting
  • Automated threat detection and response
  • Regular security metrics and reporting
  • Performance and availability monitoring

Incident Response

  • Dedicated incident response procedures
  • Rapid containment and remediation capabilities
  • Post-incident analysis and improvement
  • Communication protocols for security events

Cloud Security

Operations

Experienced cloud engineers maintain our security posture, covering cloud security architecture, threat modeling and risk assessment, security automation, and compliance requirements. We apply regular security updates across all managed services.

Compliance & Standards

Industry Standards

We align our security practices with recognized industry frameworks:

  • ISO 27001 security management principles
  • OWASP secure development guidelines
  • NIST cybersecurity framework
  • EU GDPR privacy and data protection compliance

Regular Assessments

  • Periodic security audits and assessments
  • Vulnerability scanning and penetration testing
  • Compliance reviews and gap analysis
  • Third-party security validations

Transparency and Communication

We share security updates regularly, follow clear incident notification procedures, and welcome open dialogue about our security practices. We improve continuously based on feedback.