Trust center

Security isn't a feature. It's the product.

We carry the certifications regulators require, the controls auditors test, and the SLAs your finance team actually wants in writing.

Last 90 days · Uptime 99.998% · 0 P1 incidents
/ 01 · Certifications & attestations

Independently audited. Annually renewed.

ISO/IEC 27001:2022
Information security management system, full scope, all entities.
Cert · 2025-09 · Bureau Veritas

SOC 2 Type II
Trust services criteria for security, availability, confidentiality, privacy.
Report · 2025-Q4 · Prescient

ISO 22301:2019
Business continuity management — covers all critical services and data centers.
Cert · 2025-06 · Bureau Veritas

DORA-aligned
EU operational resilience: ICT risk, incident reporting, third-party register.
Effective · 2025-01-17

GDPR & EU-US DPF
Data protection officer, RoPA, SCC contracts, breach notification process.
Self-certified · 2025-08
/ 02 · Infrastructure

Three regions. Active-active. Sovereign data.

Each tenant is pinned to a primary region with a hot secondary in the same legal jurisdiction. No data leaves your jurisdiction. Ever.

EU-West · Primary · EU·FRA·1
Frankfurt & Dublin · €-zone
Healthy · 99.999%

UK · Primary · UK·LON·1
London & Manchester · GBP
Healthy · 99.996%

US-East · Primary · US·IAD·1
N. Virginia & Ohio · USD
Healthy · 99.992%

Data residency

Customer data — PII, transactional, audit — stays in your tenant's jurisdiction. Backups are encrypted with tenant-scoped keys and replicated only to the secondary region you've contracted.

Encryption

TLS 1.3 in transit, AES-256-GCM at rest. Customer-managed keys via AWS KMS / GCP Cloud KMS / Azure Key Vault. Card PANs are tokenized and never traverse non-PCI services.

/ 03 · Controls

What we control. How we prove it.

/ Access · Enforced
SSO via SAML/OIDC, hardware-key MFA for all engineers. Just-in-time, audited production access; four-eyes approval for write paths.

/ Code review · Enforced
Two reviewers required for production branches. Signed commits, supply-chain scanning, SBOM published per release.

/ Pen-testing · 2× yearly
Twice-yearly third-party penetration tests. Continuous bug bounty via HackerOne; remediation SLAs published.

/ Vendor risk · Reviewed
Subprocessor inventory with risk tiers, DPA + SCC enforcement, annual reassessment, public subprocessor register.

/ Logging · 7-yr
Immutable, append-only audit log for every privileged action. 7-year retention, separate access tier, regulator export.

/ Backups · PITR 35d
Point-in-time recovery to any second within 35 days. Cross-region replication. Quarterly restore drills with a regulator observer.

/ DR · RTO 60m
RPO ≤ 5 minutes, RTO ≤ 1 hour. Full DR drill twice a year; a half-day chaos-engineering exercise runs every week.

/ Privacy · DPO · EU
Named DPO, RoPA per processing activity, DSAR workflow completed in under 30 days, automated PII redaction in logs and observability.
/ 04 · Incident response

When something goes wrong — and it eventually does — here's exactly what happens.

01 · T+0 to 15 min · Detect
Pager fires from automated probes, customer signal or insider alert. Severity classified within 5 minutes.

02 · T+15 to 30 min · Contain
Incident commander assigned. Status page updated. Affected tenants notified via webhook + email.

03 · T+30 min to 24 h · Resolve
Mitigation rolled out, monitoring confirms green. Regulator pre-notified for material incidents under DORA Art. 19.

04 · T+72 h · Post-mortem
Public RCA published. Root cause, timeline, customer impact, prevention work. We share every P1.
/ 05 · Responsible disclosure

Found something? Tell us.

We run a continuous bug-bounty program with HackerOne. Critical findings are eligible for up to €25,000. We acknowledge within 24 hours, triage within 72.

Hall of fame · last 12 months
  • @nullbyte_eu · Critical · €25,000
  • @ariella.s · High · €8,500
  • @k0der · High · €6,000
  • @sec.maru · Medium · €2,500
  • @whitefox.lab · Medium · €2,500