Security Policy — Delivery Zone
Version: 1.0
Last updated: 2026-05-13
Effective date: 2026-05-13
We take the security of our platform and your data seriously. This page describes the technical and organisational measures we have in place. We aim to be transparent without disclosing details that would assist attackers.
1. Our Security Approach
Security is a core design concern, not an afterthought. We apply the principle of least privilege, use encryption by default, and follow security-by-design practices in our development process. We aim to comply with GDPR Article 32 obligations to implement "appropriate technical and organisational measures" to protect personal data.
2. Infrastructure Security
- The API is hosted on EU-region cloud infrastructure with network-level isolation between
tiers.
- All connections to the API and dashboard use TLS 1.2 or higher. Unencrypted HTTP connections
are redirected to HTTPS.
- The database is not publicly accessible; it is only reachable from the application tier.
- Application containers are run as non-root users where technically possible.
- Infrastructure secrets (database credentials, signing keys, API keys for third-party services)
are managed as environment secrets and are not stored in source code or version control.
3. Authentication and Secrets
- Passwords: Stored as salted bcrypt hashes. Plaintext passwords are never stored, logged,
or transmitted after initial receipt.
- API key secrets: Hashed using HMAC-SHA256 (a keyed hash, so a copy of the database alone is not enough to recover or brute-force the secrets) before storage. The plaintext secret is shown once at creation and cannot be recovered afterwards, by us or by you.
- Session management: Session tokens are carried in cookies with the HttpOnly attribute (not readable by page scripts, which limits token theft via cross-site scripting, XSS), the Secure attribute (sent only over HTTPS) and a SameSite attribute (not sent on most cross-site requests, which reduces cross-site request forgery, CSRF, risk).
- Refresh tokens: Rotated on each use and have a limited lifetime. Revoked on logout.
- Email verification: Required for all new accounts before access is granted.
- Multi-factor authentication (MFA): TOTP-based MFA is available for all accounts to add
a second layer of protection.
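The API key handling described above (secret shown once, only a keyed hash stored, per-key revocation, and a form safe to write to logs) is illustrated by the following Python example. It is an added example written for this page, not the platform's own code: the `dz_<key id>_<secret>` layout, the `API_KEY_HMAC_KEY_HEX` environment variable and the fallback key are assumptions made so the example runs offline.

```python
import hashlib
import hmac
import os
import secrets

# The policy keeps signing keys in environment secrets, so read the HMAC key from
# the environment. The hex fallback is a constructed value that exists only so this
# example runs offline; never ship a hard-coded key.
SERVER_HMAC_KEY = bytes.fromhex(
    os.environ.get(
        "API_KEY_HMAC_KEY_HEX",
        "6f2c4a9d1b3e5c7a8f0d2b4c6e8a1c3d5f7b9d1e3a5c7e9b0d2f4a6c8e0b2d4f",
    )
)

KEY_PREFIX = "dz"  # hypothetical prefix; the real key format is not published


def hash_secret(secret: str, key: bytes = SERVER_HMAC_KEY) -> str:
    """HMAC-SHA256 of the plaintext secret, keyed with the server-side key.

    Unlike a plain SHA-256, the stored value cannot be brute-forced from a dumped
    table without also obtaining the HMAC key.
    """
    return hmac.new(key, secret.encode("ascii"), hashlib.sha256).hexdigest()


# Fixed digest compared against when the key id is unknown, so that an unknown id
# costs about the same as a wrong secret (no timing hint about which ids exist).
DUMMY_HASH = hash_secret("dummy")


def create_api_key(org_id: str, store: dict) -> str:
    """Issue a key for org_id, persist only its hash, return the plaintext once."""
    key_id = secrets.token_hex(8)    # public identifier, used for lookup
    secret = secrets.token_hex(32)   # 256 bits of entropy; never stored
    store[key_id] = {"org_id": org_id, "hash": hash_secret(secret), "revoked": False}
    return f"{KEY_PREFIX}_{key_id}_{secret}"


def parse_api_key(presented: str):
    """Split a presented key into (key_id, secret); None if malformed."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != KEY_PREFIX or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2]


def verify_api_key(presented: str, store: dict):
    """Return the owning org_id, or None if the key is malformed, unknown, wrong or revoked."""
    parsed = parse_api_key(presented)
    if parsed is None:
        return None
    key_id, secret = parsed
    record = store.get(key_id)
    if record is None:
        hmac.compare_digest(hash_secret(secret), DUMMY_HASH)  # burn the same work, then reject
        return None
    # Constant-time comparison of hex digests avoids leaking how many bytes matched.
    if not hmac.compare_digest(hash_secret(secret), record["hash"]):
        return None
    if record["revoked"]:
        return None
    return record["org_id"]


def revoke_api_key(key_id: str, store: dict) -> bool:
    """Revoke one key by its public id; other keys of the organisation are unaffected."""
    record = store.get(key_id)
    if record is None:
        return False
    record["revoked"] = True
    return True


def mask_for_log(presented: str) -> str:
    """The only form of a key that should reach a structured log: prefix and id, never the secret."""
    parsed = parse_api_key(presented)
    if parsed is None:
        return "<malformed key>"
    return f"{KEY_PREFIX}_{parsed[0]}_***"
```

The `store` dictionary stands in for the database table; the lookup is by the public key id, so the secret itself is never used as an index and never has to be stored.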
4. Access Controls
- Role-based access control (RBAC) is enforced at the API level for all dashboard operations.
- All authenticated endpoints verify organisation membership and permission level before
executing.
- Platform administration access is separately gated and is not accessible via the standard
customer API surface.
- API keys are scoped to an organisation and can be revoked individually.
5. Logging and Monitoring
- Structured logs are generated for all significant security events: logins, token issuance
and revocation, API key creation and revocation, failed authentication attempts.
- Logs do not contain: plaintext passwords, full API key secrets, unmasked payment card data,
or end-consumer personal data beyond what is listed in our Privacy Policy.
- Rate limiting is applied to authentication endpoints to limit brute-force attempts.
- Logs are retained for up to 12 months.
6. Data Protection in Transit and at Rest
- All data in transit between clients, the API, and the database is encrypted via TLS.
- Sensitive configuration values are stored as environment secrets outside the application
container.
- ASP.NET Data Protection keys (used for cookie and token encryption) are stored in a
protected volume separate from the application container.
7. Responsible Disclosure
If you discover a security vulnerability in our service, please report it to us privately before disclosing it publicly. We ask for a reasonable disclosure window (at least 14 calendar days) to assess and remediate the issue.
Security contact: [email protected]
Please include:
- A description of the vulnerability.
- Steps to reproduce it.
- The potential impact, in your assessment.
- Your contact details (optional).
We do not take legal action against good-faith security researchers who comply with responsible disclosure principles. We do not offer a bug bounty programme at this time.
8. Customer Security Responsibilities
You are responsible for:
- Keeping your account credentials (email and password) confidential.
- Enabling MFA on your account for additional protection.
- Keeping your API key secrets confidential and not exposing them in public code repositories,
frontend JavaScript, or other publicly accessible locations.
- Revoking API keys immediately if you suspect they have been compromised.
- Notifying us promptly at [email protected] if you believe your credentials or keys
have been compromised.
- Implementing secure coding practices in your API integration (HTTPS-only, secrets management,
input validation on your side).
9. Incident Response
In the event of a confirmed security incident or personal data breach:
- We will investigate and contain the incident as quickly as possible.
- We will notify affected customers and, where required by GDPR, the Finnish Data Protection
Ombudsman (Tietosuojavaltuutetun toimisto) within 72 hours of becoming aware of a breach.
- We will provide updates on the nature and scope of the incident as information becomes
available.
- We will conduct a post-incident review and implement remediation measures.
10. No Guarantee of Perfect Security
Despite our efforts, no system connected to the internet is completely immune to security threats. We implement reasonable technical and organisational measures but cannot guarantee absolute security or zero downtime in the event of an attack.
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will fulfil our notification obligations under GDPR Article 33 (supervisory authority) and Article 34 (data subjects), as appropriate.
11. Contact
Security vulnerabilities: [email protected]
Privacy / data breaches: [email protected]
Full legal contact information