Trust
Security
At vucavoid, protecting your data is our foremost commitment. Utilizing state-of-the-art technology and strict privacy policies, we ensure your information stays secure and private.
At vucavoid, we strive to make your compliance life easier. We understand that effective compliance management goes hand-in-hand with security. We recognize the sensitive nature of the information you entrust us with, and we treat the security of your confidential data with utmost priority.
Our platform is built on an enterprise-grade security framework that covers our infrastructure, applications and endpoints. Our commitment does not stop there: we also maintain strict security procedures in our internal processes as an additional layer of protection.
Security and compliance form the bedrock of our operations. They're not just features of our product; they define who we are as a company. We're committed to providing you with a robust, reliable solution that simplifies compliance management, without ever compromising on security. Your peace of mind is our success metric at vucavoid.
Compliance
At vucavoid, we adhere to all applicable norms and standards to protect your data. Our payment processor, Paddle, is a certified PCI DSS Level 1 Service Provider; sensitive payment information is handled by Paddle and is not accessible to us. Additionally, vucavoid is compliant with both CCPA and GDPR, reflecting our commitment to safeguarding your privacy.
Application Security
vucavoid runs on infrastructure provided by Hetzner, a Germany-based cloud hosting company with strong physical and operational security standards. Building on this provider lets us deliver our compliance management SaaS while protecting the confidentiality and privacy of your sensitive data.
Hosting
Our hosting takes place exclusively in Germany, under European Union standards, through our service provider Hetzner. We invite you to review Hetzner's security documentation on its physical security measures. All of your application data is therefore physically stored in Germany. Note that transactional e-mail sent by the application is delivered through AWS (see the sub-processor table below), so the content of those e-mails is processed in the USA.
Encryption
Every interaction between vucavoid users and our web application is protected by encryption in transit using TLS. The same applies to administrative and maintenance access by our staff, which also runs exclusively over encrypted connections.
Access to data
At vucavoid, we prioritize your privacy by adopting a restrictive data access policy. By default, we do not permit our team members or any associated third parties to access client data. Exceptions are made only upon explicit client requests for support or troubleshooting, and even then, access is strictly limited to authorized personnel who have undergone vetting procedures.
During automated scans, temporary technical access to client data is granted. These scans are fully automated: no human views or copies data during the process. Their sole purpose is to maintain the security of our application and infrastructure.
Importantly, we want to emphasize that ownership of the data you upload to vucavoid always remains with you, the client. We process such data strictly in compliance with GDPR and CCPA regulations.
Data Retention
We retain your data for the duration of your contractual relationship with vucavoid. Once the contract concludes, all client data is deleted, except where laws mandate longer retention periods (e.g., accounting records).
In line with our commitment to data availability and integrity, we back up vucavoid at least daily. For technical reasons, these backups are retained for 60 days. Consequently, after a contract ends and the live data has been deleted, copies of client data may still exist in backups for up to 61 days (the last backup taken before deletion plus its 60-day retention period).
Individual users may ask their application admin to anonymize their account; an anonymized account can no longer be used.
Please note that all deletion actions in vucavoid are irreversible.
Third-party sub-processors
We employ the following third-party processors:
| Provider | Reason | Country | Site | Access to client data |
|---|---|---|---|---|
| Forge, Laravel LLC | Deployment, scripts | USA | https://forge.laravel.com/ | No |
| AWS | Mail service | USA | https://aws.amazon.com/ | Technically, to mails sent by the application |
| Hetzner | Hosting, housing | Germany | https://www.hetzner.com/ | Technically yes; no access permitted |
| Oh Dear | Monitoring | Belgium | https://ohdear.app/ | No |
| ProView | Development | Netherlands | - | No by default; only for relevant debugging |
Infrastructure availability
Our infrastructure is hosted in Germany with Hetzner, a top-tier data center operator. Among other measures, Hetzner provides the following availability safeguards:
- Uninterruptible power supplies (N+1 redundant UPS)
- 2.5 MVA diesel generator
- Power supply via two separate power paths from the substation to the low-voltage distribution
All Hetzner data center parks are connected to Hetzner's backbone via redundant dark fiber connections, so a data center remains reachable if one of the connections fails. The n×100 Gbit/s links provide ample bandwidth between the data centers.
More information is available in Hetzner's data center documentation.
Internal security measures
Personnel Security
All team members undergo background checks and must acknowledge our security policy while signing a confidentiality agreement.
Identity and Access Management
Employees receive unique logins for all critical systems, with two-factor authentication enforced wherever the system supports it. We regularly audit access permissions and follow the principle of least privilege.
Hardware Security
Employee laptops are managed, equipped with encrypted hard drives, and protected by anti-malware software.
Network Security
Our internal network is protected by restricted access, network segmentation, password protection, logical safeguards, traffic inspection (including an intrusion prevention system) and carefully reviewed external and internal firewall rules. We do not allow remote access to our office networks.
Security Education
At vucavoid, we believe that a well-informed team is the first line of defense against potential security threats. To foster this awareness, we provide continuous security education throughout the year. Within their first two weeks, new hires attend comprehensive training sessions designed to help them identify and respond to potential threats, such as social engineering and phishing attempts.
Furthermore, employees and contractors who write code must complete secure coding training, so that secure development practices are applied when building our software.
To keep up with the evolving threat landscape, vucavoid participates in several relevant security networks. The knowledge gained is shared internally on a regular basis so that our defenses adapt accordingly.
Application Security
Every new feature or bug fix in vucavoid goes through code review and testing before deployment, so that updates improve the platform's functionality without compromising security.
Vendor Security
We adopt a risk-tiered approach when evaluating our vendors' security measures. The tiering is determined based on factors such as the vendor's role, the level and duration of data access, the degree of network integration, and the vendor's overall security maturity. This comprehensive assessment enables us to uphold our commitment to data security across all aspects of vucavoid's operation.
Responsible disclosure
If you believe you have discovered a vulnerability in vucavoid's application, please submit a report to us by emailing vulnerability@vucavoid.com.
vucavoid does not participate in a public bug bounty program at this time, nor do we provide monetary rewards for publicly reported findings.
If you believe your account has been compromised or you are seeing suspicious activity on your account please report it using our support contact form.
At vucavoid, we place the utmost importance on the security of user data and communication. We encourage and appreciate responsible disclosure of any discovered vulnerabilities within our service.
Adhering to responsible disclosure principles involves:
- Accessing or exposing only your own client data, never that of other clients.
- Not extracting information from our infrastructure, including source code, data backups or configuration files.
- If you obtain remote access to any of our systems, reporting it promptly and not accessing further servers or escalating privileges.
- Avoiding scanning techniques that degrade the service for other customers, including excessive use of contact forms or support e-mails.
- Complying with the guidelines in our Terms of Service.
- Keeping vulnerability details confidential until vucavoid has been notified and given a reasonable time to address the issue.