Trust center
Transparency is at the core of everything we do. Explore our security practices, compliance status, and the measures we take to protect your data.
Security at a glance
Data encryption
All data is encrypted in transit with TLS 1.3 and at rest with AES-256 encryption.
Infrastructure
Hosted on EU-based infrastructure with Bunny.net CDN for global performance and DDoS protection.
Access control
Multi-factor authentication, role-based access controls, and comprehensive audit logging.
Privacy by design
Minimal data collection, no tracking cookies, and privacy-first architecture from the ground up.
Incident response
Documented incident response process with a 24-hour breach notification commitment.
Continuous monitoring
Automated vulnerability scanning, dependency audits, and continuous security assessments.
Compliance & regulations
We are committed to meeting and exceeding regulatory requirements. Below is our current compliance status.
GDPR
Full compliance with the EU General Data Protection Regulation, including data minimization, consent management, and data subject rights.
ePrivacy directive
Compliant with EU ePrivacy requirements. Our analytics operate without tracking cookies.
CCPA
California Consumer Privacy Act compliance with transparent data practices and user rights.
SOC 2 type II
A SOC 2 Type II attestation report (an independent audit of our controls over a period of time, not a certification) is planned as part of our security roadmap.
ISO 27001
Information security management certification is planned as part of our compliance roadmap.
Sub-processors
We believe in full transparency about the third-party services we use to deliver our platform. All sub-processors are bound by data processing agreements.
| Vendor | Purpose | Location | Jurisdiction | Data processed |
|---|---|---|---|---|
| Scaleway | Cloud infrastructure (Kubernetes, PostgreSQL, MySQL, NATS, image registry) | EU (France) | EU only | All application data |
| Bunny.net | CDN & DNS | EU (Slovenia) | EU only | Request metadata, IP addresses |
| Proton | Email & workspace | Switzerland | FADP (Swiss) | Email communications |
| Paddle | Payment processing (merchant of record) | UK | UK (no FISA) | Billing & payment data |
| GitHub | Code repositories | US | FISA Section 702 / CLOUD Act | Source code, development data |
| Billy | Accounting | EU (Denmark) | EU only | Financial & invoicing data |
| Simply.com | Domain registrar (primary domains) | EU (Denmark) | EU only | Domain registration data |
| Cloudflare | Domain registrar (trademark TLDs) | US | FISA Section 702 / CLOUD Act | Domain registration data |
We provide at least 30 days' prior notice of any changes to our sub-processors, as outlined in our Data Processing Agreement.
Our approach to data sovereignty
US-based providers are subject to FISA Section 702 and the CLOUD Act, which can compel disclosure of data in their possession, custody or control regardless of where it is stored. Server location alone does not protect data from these laws.
We actively work to minimize our reliance on services subject to US jurisdiction. Our core infrastructure (hosting, databases, CDN, DNS, email, and payments) is operated exclusively by providers based in the EU, Switzerland and the UK, outside the reach of FISA and the CLOUD Act. The only US-subject services we use (GitHub, Cloudflare) handle source code and domain registrations, not customer personal data.
Our long-term goal is to eliminate all dependencies on providers subject to extraterritorial US surveillance laws.
Legal & policy documents
Privacy policy
Learn how we collect, use, and protect your data while maintaining our commitment to privacy-first analytics.
Terms of service
The rules and guidelines that govern the use of our services, including your rights and responsibilities.
Data policy
Detailed information about how we process data and our approach to data minimization and security.
Data processing agreement
Our standard DPA for customers who need to comply with data protection regulations like GDPR.
Security policy
Our commitment to security best practices and how we protect your data from unauthorized access.
Trademark policy
Learn about the Infobits trademark, proper usage guidelines, and how to correctly reference our brand assets.
Report a security issue
We take security seriously and appreciate responsible disclosure. If you discover a vulnerability, please contact us directly.
[email protected]
Glossary
- GDPR
- General Data Protection Regulation: the EU's comprehensive data protection law governing how personal data of EU residents is collected, processed, and stored.
- ePrivacy directive
- EU Directive 2002/58/EC regulating privacy in electronic communications, covering cookies, tracking, and confidentiality of communications.
- CCPA
- California Consumer Privacy Act: a US state law granting California residents rights over their personal data, including the right to know, delete, and opt out of its sale.
- FISA section 702
- Foreign Intelligence Surveillance Act, Section 702: authorizes US intelligence agencies to collect communications of non-US persons located outside the United States, including data held by US cloud providers, without a warrant.
- CLOUD Act
- Clarifying Lawful Overseas Use of Data Act (2018): a US federal law that allows US law enforcement to compel technology companies subject to US jurisdiction to provide data in their possession, custody or control, regardless of whether the data is stored in the US or on foreign soil.
- FADP (Swiss)
- Federal Act on Data Protection: Switzerland's national data protection law, providing a level of protection recognized as adequate by the EU. Swiss providers with no US establishment are not subject to FISA or the CLOUD Act.
- DPA
- Data Processing Agreement: a legally binding contract between a data controller and a data processor that outlines how personal data will be handled, required under GDPR.
- SOC 2
- Service Organization Control 2: an AICPA attestation framework under which an independent auditor reports on an organization's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). A Type II report covers the operating effectiveness of those controls over a period of time.
- ISO 27001
- An international standard for information security management systems (ISMS), providing a systematic approach to managing sensitive company information.
- TLS 1.3
- Transport Layer Security version 1.3: the current version of the cryptographic protocol that encrypts data in transit between a user's browser and a server.
- AES-256
- Advanced Encryption Standard with 256-bit keys: a widely trusted symmetric encryption algorithm used to protect data at rest.
- Merchant of record (MoR)
- A third-party entity that handles payment processing, tax compliance, and billing on behalf of a seller, acting as the legal seller of record for transactions.
Questions about security?
Our team is ready to discuss your security and compliance requirements.