How we keep your data safe
Tenant isolation
Every record in our database carries an org_id. Every query filters on it server-side. Tenants cannot see each other's data, even with a crafted URL. This is enforced by middleware that runs before every request.
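As an added illustration of this pattern (an example written for this page, not our production code), the sketch below binds every query to the org_id taken from the session and returns the same 404 for a missing record and for another tenant's record. The table name `entries`, the `SESSIONS` map, `ScopedDB`, and `handle_request` are hypothetical, and SQLite stands in for the real database so the example runs offline.

```python
import sqlite3


def make_db():
    # Constructed sample data: two tenants with one record each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries ("
               "id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, title TEXT)")
    db.executemany("INSERT INTO entries VALUES (?, ?, ?)",
                   [(1, 10, "Org 10 entry"), (2, 20, "Org 20 entry")])
    return db


SESSIONS = {"tok-a": 10, "tok-b": 20}  # hypothetical session token -> org_id


class ScopedDB:
    """Query handle bound to one tenant; handlers never see the raw connection."""

    def __init__(self, db, org_id):
        self._db, self._org_id = db, org_id

    def get_entry(self, entry_id):
        # org_id comes from the session, never from the URL or request body.
        return self._db.execute(
            "SELECT id, title FROM entries WHERE id = ? AND org_id = ?",
            (entry_id, self._org_id)).fetchone()

    def list_entries(self):
        return self._db.execute(
            "SELECT id, title FROM entries WHERE org_id = ?",
            (self._org_id,)).fetchall()


def handle_request(db, session_token, path):
    """Middleware step (resolve tenant) runs first, then the /entries/<id> handler."""
    org_id = SESSIONS.get(session_token)
    if org_id is None:
        return 401, None
    scoped = ScopedDB(db, org_id)
    try:
        entry_id = int(path.rsplit("/", 1)[-1])
    except ValueError:
        return 400, None
    row = scoped.get_entry(entry_id)
    # Same 404 whether the id is unknown or owned by another tenant, so a
    # crafted URL does not reveal that the record exists.
    return (200, row) if row else (404, None)
```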
Encryption
SSL/TLS for everything in transit. AES-256 for backups at rest. Passwords hashed with bcrypt (cost factor 12).
Where data lives
Database: Aiven MySQL 8.4 in Frankfurt (private VPC). Application: Render in London. Backups: daily, encrypted, retained 30 days. No data leaves the EU.
Access control
Three roles: Admin, Editor, Viewer. Magic-link login for judges (no password). Sessions expire after 14 days idle.
Incident response
Any security incident is posted to our status page within 1 hour of detection. Affected customers are emailed directly.
Penetration testing
Annual third-party pen test on Enterprise and Agency. Report available under NDA.