This page describes the technical and organizational measures Shopsy AS has in place to protect personal data and customer data in Onebase, in line with GDPR Article 32.
1. Hosting and Data Location
- Primary region: Hetzner Falkenstein, Germany (EU)
- Database: Managed PostgreSQL with daily encrypted snapshots
- File attachments: S3-compatible object storage in an EU region
- Backup region: Geographically separate region within the EEA
2. Encryption
- In transit: TLS 1.2+ with modern cipher suites for all client-server and server-subprocessor traffic
- At rest: AES-256 disk encryption on all database instances, backups and object storage
- Secrets: Environment variables and API keys are stored separately from source code and rotated as needed
3. Authentication
- One-time codes (OTP) sent by email as the primary sign-in method
- Passwords (where enabled) are hashed with modern algorithms via BetterAuth
- Session cookies expire after 7 days and are HttpOnly
- OTP requests are rate-limited to 5 per 15 minutes per email address
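As an added illustration of the two controls above (this is example code written for this page, not Onebase's or BetterAuth's implementation): a sliding-window limiter that enforces 5 OTP requests per 15 minutes per email address, and the Set-Cookie value for a 7-day HttpOnly session cookie. The in-memory store, the class and function names, and the test addresses are assumptions; the Secure and SameSite=Lax attributes are added as the usual companions of HttpOnly and are not stated on this page.

```python
# Added example (not Onebase's own code): an OTP request limiter enforcing
# 5 requests per 15 minutes per email address, and the Set-Cookie header
# for a 7-day HttpOnly session cookie. The in-memory store and all names are
# assumptions; Secure and SameSite=Lax are added as the usual companions of
# HttpOnly and are not stated on the page this accompanies.
import math
import time
from collections import defaultdict, deque

OTP_LIMIT = 5                    # requests allowed ...
OTP_WINDOW_SECONDS = 15 * 60     # ... per sliding 15-minute window, per address
SESSION_MAX_AGE = 7 * 24 * 3600  # session cookie lifetime: 7 days


class OtpRateLimiter:
    """Sliding-window limiter keyed by normalised email address.

    Timestamps of accepted requests are kept per address; a request is
    refused when OTP_LIMIT timestamps fall inside the window. Refused
    requests are not recorded, so a flood cannot extend its own lockout.
    A shared store (e.g. Redis) would replace the dict in a multi-instance
    deployment (assumption).
    """

    def __init__(self, limit=OTP_LIMIT, window=OTP_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    @staticmethod
    def key(email):
        # "Alice@Example.com " and "alice@example.com" share one bucket;
        # otherwise the limit is bypassed by varying case or whitespace.
        return email.strip().lower()

    def _window(self, email, now):
        q = self._hits[self.key(email)]
        while q and now - q[0] >= self.window:   # drop aged-out entries
            q.popleft()
        return q

    def allow(self, email, now=None):
        """True if an OTP may be sent to `email` now; records the request."""
        now = time.time() if now is None else now
        q = self._window(email, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, email, now=None):
        """Seconds until the next request would be accepted (0 if allowed);
        suitable for a Retry-After header on the 429 response."""
        now = time.time() if now is None else now
        q = self._window(email, now)
        if len(q) < self.limit:
            return 0
        return max(0, math.ceil(self.window - (now - q[0])))


def session_cookie(name, value, max_age=SESSION_MAX_AGE):
    """Set-Cookie header value for the session cookie.

    HttpOnly keeps the cookie out of document.cookie, so script injection
    cannot read it. Max-Age tells the browser to discard it after 7 days;
    the server must still expire the session record on its own clock.
    """
    return (
        f"{name}={value}; Max-Age={max_age}; Path=/; "
        f"HttpOnly; Secure; SameSite=Lax"
    )
```

Refused requests are deliberately not counted, so the 15-minute window is measured from accepted sends only; counting refusals as well would let an attacker keep a victim's address locked out indefinitely.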
4. Access Control
- All data access is filtered by tenant ID at the query layer — customers only see their own data
- Per-tenant roles: owner, admin, member
- Sysadmin access requires a dedicated user flag and is reserved for emergencies
- Every mutation is logged in the audit log with timestamp, actor and before/after snapshot
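To make the tenant-scoping and audit-logging points concrete, here is an added example (written for this page, not Onebase's own code) of a query layer in which every statement carries the caller's tenant filter and every mutation writes an audit entry with timestamp, actor and before/after snapshots. The schema, table and helper names are assumptions, and the seeded rows are constructed; the behaviour to note is that an id belonging to another tenant yields "not found" rather than a row.

```python
# Added example (not Onebase's own code): a query layer that scopes every
# statement to the caller's tenant and records each mutation in an audit log
# with actor, timestamp and before/after snapshots. Schema, table names and
# helper names are assumptions for illustration; the seed data is constructed.
import json
import sqlite3
import time

SCHEMA = """
CREATE TABLE items (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT    NOT NULL,
    name      TEXT    NOT NULL,
    qty       INTEGER NOT NULL
);
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY,
    ts        REAL    NOT NULL,
    actor     TEXT    NOT NULL,
    tenant_id TEXT    NOT NULL,
    action    TEXT    NOT NULL,
    row_id    INTEGER,
    before    TEXT,               -- JSON snapshot, NULL for inserts
    after     TEXT                -- JSON snapshot, NULL for deletes
);
"""


def new_db():
    """In-memory database seeded with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO items (id, tenant_id, name, qty) VALUES (?, ?, ?, ?)",
        [(1, "acme", "widget", 3), (2, "globex", "gadget", 5)],
    )
    return conn


class TenantScopedRepo:
    """Every query carries the tenant filter; callers never pass tenant_id.

    Row ids are global, so a lookup by id alone would leak rows across
    tenants; the scoped WHERE clause turns a foreign id into 'not found'.
    """

    def __init__(self, conn, tenant_id, actor):
        self.conn = conn
        self.tenant_id = tenant_id
        self.actor = actor

    def list_items(self):
        rows = self.conn.execute(
            "SELECT id, tenant_id, name, qty FROM items "
            "WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()
        return [dict(r) for r in rows]

    def get_item(self, item_id):
        row = self.conn.execute(
            "SELECT id, tenant_id, name, qty FROM items "
            "WHERE id = ? AND tenant_id = ?",
            (item_id, self.tenant_id),
        ).fetchone()
        return dict(row) if row else None

    def update_qty(self, item_id, qty, now=None):
        before = self.get_item(item_id)
        if before is None:
            # Same outcome whether the row is missing or belongs to another
            # tenant, so the error does not confirm the row's existence.
            raise LookupError(f"item {item_id} not found")
        cur = self.conn.execute(
            "UPDATE items SET qty = ? WHERE id = ? AND tenant_id = ?",
            (qty, item_id, self.tenant_id),
        )
        if cur.rowcount != 1:
            raise RuntimeError("scoped update touched an unexpected row count")
        after = self.get_item(item_id)
        self._audit("update", item_id, before, after, now)
        return after

    def _audit(self, action, row_id, before, after, now=None):
        self.conn.execute(
            "INSERT INTO audit_log (ts, actor, tenant_id, action, row_id, before, after) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)",
            (time.time() if now is None else now, self.actor, self.tenant_id,
             action, row_id,
             json.dumps(before) if before is not None else None,
             json.dumps(after) if after is not None else None),
        )
        self.conn.commit()


def audit_entries(conn, tenant_id):
    """Decoded audit entries for one tenant, oldest first."""
    rows = conn.execute(
        "SELECT * FROM audit_log WHERE tenant_id = ? ORDER BY id", (tenant_id,)
    ).fetchall()
    out = []
    for r in rows:
        e = dict(r)
        e["before"] = json.loads(e["before"]) if e["before"] else None
        e["after"] = json.loads(e["after"]) if e["after"] else None
        out.append(e)
    return out
```

The repository is constructed once per request with the authenticated tenant and actor, so application code has no code path that queries `items` without the tenant predicate; the audit row is written in the same transaction as the mutation, so a snapshot cannot be lost while the change persists.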
5. Backups and Recovery
- Daily encrypted database snapshots, retained for 14 days
- Point-in-time recovery (PITR) to any point within the last 24 hours
- Backups stored in a geographically separate region within the EEA
- Restore drills run on a regular cadence
6. Incident Response
We maintain an internal response plan covering classification, escalation and notification. On confirmed personal-data breaches we notify Datatilsynet within 72 hours where required, and affected customers / data subjects without undue delay.
7. Vulnerability Disclosure
We follow a coordinated vulnerability disclosure process. See /security and security.txt.
8. Subprocessors
The full list is available at /trust/subprocessors.
9. Certifications
We pursue formal certifications (ISO 27001, SOC 2) when customer requirements call for it. Contact us for current status and roadmap.
10. Contact
For security questions, email [email protected]. For privacy questions, use [email protected].