Security Policy

Last updated: 2025-10-31

1. Approach

We follow a risk-based security model with least-privilege access, defense-in-depth and secure-by-default configuration.

2. Infrastructure

  • Hosting & DB in EU via trusted providers (see Sub-processors).
  • Encryption in transit (HTTPS/TLS). Encryption at rest at provider level.
  • Backups & disaster-recovery procedures (best-effort during Beta).

3. Application Security

  • RBAC & Row-Level Security for tenant isolation.
  • Audit trails for sensitive actions; basic anomaly monitoring.
  • No plaintext passwords; modern password hashing via provider.

4. Secure Development

  • Dependency patching, minimal attack surface, code reviews where applicable.
  • Secrets management via platform secret stores; no secrets in VCS.

5. Incident Response

We investigate security incidents, limit impact, and notify affected customers as required by law.

6. Customer Responsibilities

  • Use strong, unique passwords; manage user access; monitor your workspace.
  • Maintain off-platform backups for critical data (no guaranteed data recovery).