Security

All customer data is hosted exclusively in the European Union on Hetzner Online GmbH infrastructure in Germany. We do not use US-based cloud providers for data storage.

• •Location: Hetzner data centers, Germany (EU)
• •Jurisdiction: German and EU law applies
• •Data residency: Your RoI data never leaves the EU

• •Authentication: Secure password hashing with bcrypt, session management with secure cookies
• •Authorization: Role-based access control ensures users only access their own organization's data
• •Admin access: Production access is limited to essential personnel with audit logging
• •Data isolation: Customer data is logically separated at the database level

DoraPass is designed with privacy by default:

• •Data Processing Agreements available upon request
• •Data subject rights supported (access, rectification, erasure, portability)
• •Purpose limitation — we only process data to provide the service
• •Data minimization — we collect only what's necessary

We maintain incident response procedures aligned with GDPR requirements:

• •Detection: Automated monitoring and alerting for security events
• •Response: Documented procedures for containment and investigation
• •Notification: Supervisory authority notification within 72 hours where required
• •Communication: Affected customers notified without undue delay for high-risk incidents

We are continuously improving our security posture:

• ✓EU-only data hosting
• ✓TLS encryption in transit
• ✓Encryption at rest
• ✓GDPR-compliant data handling
• ○SOC 2 Type I certification (planned)
• ○Penetration testing by third party (planned)