Security & Compliance

How we protect your data and your customers' data.

Last updated: April 6, 2026

100% EU Infrastructure

Your data never leaves Europe

Every layer of deploybase runs on European infrastructure. Not just legally — physically. Your data is stored, processed, and delivered exclusively within the European Economic Area.

Compute & storage: Scaleway, Paris
CDN delivery: Bunny.net, Slovenia
Authentication: self-hosted (Scaleway)
Payments: Vatly, EU
Email: Lettermint, EU
International transfers: None. Zero.

Infrastructure security

Encryption in transit

TLS 1.2+ for all communications. No unencrypted connections.

Encryption at rest

Database and storage encrypted via Scaleway managed encryption.

Self-hosted authentication

Zitadel (OIDC with PKCE), running on our own infrastructure. No third party ever holds or sees your credentials.

Build isolation

Each build runs in an isolated Kubernetes pod with resource limits, destroyed after completion.

Multi-tenant isolation

Every database query is scoped to the caller's team. The scope is enforced in the application layer on every request, not left to the client.
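An added illustration of what "scoped by team" means in practice (this is example code, not deploybase's own implementation; the table, column names and sample rows are constructed for it). The team id comes from the verified session, and every query carries it in the WHERE clause, so an id guessed or leaked from another team matches nothing. The unscoped lookup is included only to show the bug the control prevents.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. team_id is taken from the verified session,
    never from a request parameter the client could tamper with."""
    user_id: str
    team_id: str


def make_db() -> sqlite3.Connection:
    """Constructed sample data for this example: two teams, one deployment each."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(
        """
        CREATE TABLE deployments (
            id      INTEGER PRIMARY KEY,
            team_id TEXT NOT NULL,
            name    TEXT NOT NULL
        );
        INSERT INTO deployments (id, team_id, name) VALUES
            (1, 'team-a', 'api-prod'),
            (2, 'team-b', 'website');
        """
    )
    return db


def get_deployment_unscoped(db: sqlite3.Connection, deployment_id: int):
    """The bug this control prevents: the lookup is by id only, so any
    authenticated caller who guesses or leaks an id reads another team's row."""
    row = db.execute(
        "SELECT id, team_id, name FROM deployments WHERE id = ?", (deployment_id,)
    ).fetchone()
    return dict(row) if row else None


def get_deployment(db: sqlite3.Connection, caller: Principal, deployment_id: int):
    """Scoped lookup: the tenant filter is part of the query, so a foreign id
    simply matches nothing and the handler answers 404 instead of leaking."""
    row = db.execute(
        "SELECT id, team_id, name FROM deployments WHERE id = ? AND team_id = ?",
        (deployment_id, caller.team_id),
    ).fetchone()
    return dict(row) if row else None


def rename_deployment(db: sqlite3.Connection, caller: Principal,
                      deployment_id: int, new_name: str) -> bool:
    """Writes carry the same filter; rowcount reports whether the row was the
    caller's, which is what the handler should base its response on."""
    cur = db.execute(
        "UPDATE deployments SET name = ? WHERE id = ? AND team_id = ?",
        (new_name, deployment_id, caller.team_id),
    )
    db.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = make_db()
    bob = Principal(user_id="bob", team_id="team-b")   # bob belongs to team-b
    print(get_deployment_unscoped(db, 1))              # leaks team-a's deployment
    print(get_deployment(db, bob, 1))                  # None: scoped query finds nothing
    print(rename_deployment(db, bob, 1, "tampered"))   # False: nothing updated
```

The point of the write path is that the scoped UPDATE silently affects zero rows for a foreign id; checking rowcount is what turns that into a correct "not found" rather than a false success.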

Secrets management

Environment variables encrypted via Scaleway Secret Manager. Never logged or exposed.

ISO 27001 infrastructure

Hosted in Scaleway datacenters; Scaleway holds ISO 27001, SOC 2 and HDS certifications for that infrastructure. These certifications cover the hosting provider, not deploybase itself (see the compliance roadmap below for our own audit plans).

Rate limiting

Per-team and per-IP rate limiting, applied together, to prevent abuse and ensure fair usage.
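An added example of combining the two limits (example code, not deploybase's implementation; the capacities and refill rates are assumed values). Each request must find a token in both the caller's team bucket and the source IP bucket, and neither bucket is debited unless both pass, so a denied request does not eat into a team's allowance and one noisy IP cannot starve its teammates while a team spread over many IPs is still capped.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Bucket:
    """Token bucket: `capacity` is the permitted burst, `rate` the sustained
    requests per second restored over time."""
    capacity: float
    rate: float
    tokens: float
    updated: float

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now


class RateLimiter:
    """Two independent limits checked per request: the caller's team and the
    source IP. Limits are (burst capacity, refill per second); assumed defaults."""

    def __init__(self, team_limit=(100, 10.0), ip_limit=(20, 2.0)):
        self.team_limit = team_limit
        self.ip_limit = ip_limit
        self.buckets: dict = {}

    def _bucket(self, key, limit, now: float) -> Bucket:
        if key not in self.buckets:
            cap, rate = limit
            self.buckets[key] = Bucket(capacity=cap, rate=rate, tokens=cap, updated=now)
        return self.buckets[key]

    def allow(self, team_id: str, ip: str, now: Optional[float] = None) -> bool:
        """True if the request may proceed. `now` is injectable for testing;
        production callers leave it None and get a monotonic clock."""
        now = time.monotonic() if now is None else now
        team = self._bucket(("team", team_id), self.team_limit, now)
        src = self._bucket(("ip", ip), self.ip_limit, now)
        team.refill(now)
        src.refill(now)
        # Check both before debiting either: a denial must not consume tokens.
        if team.tokens < 1.0 or src.tokens < 1.0:
            return False
        team.tokens -= 1.0
        src.tokens -= 1.0
        return True

    def remaining(self, kind: str, ident: str, now: float) -> float:
        """Tokens currently available in one bucket (useful for Retry-After headers)."""
        limit = self.team_limit if kind == "team" else self.ip_limit
        b = self._bucket((kind, ident), limit, now)
        b.refill(now)
        return b.tokens


if __name__ == "__main__":
    rl = RateLimiter(team_limit=(5, 1.0), ip_limit=(3, 1.0))
    # Constructed burst: one IP fires four requests at t=0; the fourth is refused.
    print([rl.allow("team-a", "10.0.0.1", now=0.0) for _ in range(4)])
    # A teammate on another IP still gets through until the team bucket is dry.
    print([rl.allow("team-a", "10.0.0.2", now=0.0) for _ in range(3)])
    print(rl.remaining("ip", "10.0.0.2", now=0.0))   # IP bucket untouched by the denial
```

Keying buckets on an IP assumes the service sees the real client address; behind a CDN or load balancer that means trusting only the forwarding header set by your own edge, never one supplied by the client.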

Access control

deploybase uses role-based access control with four levels, from most to least privileged: Owner, Admin, Member, and Viewer. Each lower role is a strict subset of the one above it.

  • Passkey support for passwordless authentication (WebAuthn)
  • HttpOnly, Secure, SameSite session cookies
  • One identity per user — no shared accounts
  • API keys stored only as SHA-256 hashes, with audit logging of their use
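An added example tying the two points above together: how an API key can be issued and stored as a SHA-256 hash, verified on use, checked against the role hierarchy, and audit-logged without the key itself ever reaching the log. This is illustrative code, not deploybase's; the key prefix, the action-to-role table and the audit record layout are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timezone
from typing import Optional

# Roles from most to least privileged. A rank covers every lower rank.
ROLE_RANK = {"owner": 3, "admin": 2, "member": 1, "viewer": 0}

# Assumed minimum role per action (illustrative, not deploybase's table).
REQUIRED_ROLE = {
    "view_deployments": "viewer",
    "trigger_build": "member",
    "manage_env_vars": "admin",
    "delete_team": "owner",
}


def has_role(role: str, required: str) -> bool:
    """True when `role` is at least as privileged as `required`."""
    return ROLE_RANK[role] >= ROLE_RANK[required]


def hash_key(raw_key: str) -> str:
    """A plain SHA-256 is adequate for API keys because the key is 256 bits of
    random data, not a human-chosen password: a leaked hash cannot be brute
    forced, and the hash itself cannot be used to authenticate."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


def issue_key(store: dict, team_id: str, role: str, label: str) -> str:
    """Returns the plaintext key to the caller once; only its hash is stored."""
    raw = "dbk_" + secrets.token_urlsafe(32)   # assumed prefix; 32 bytes of entropy
    store[hash_key(raw)] = {"team_id": team_id, "role": role, "label": label}
    return raw


def authorize(store: dict, audit: list, presented: str, action: str,
              now: Optional[datetime] = None) -> bool:
    """Authenticate the presented key, check its role against the action, and
    write an audit entry either way. Because the lookup key is the digest of
    a high-entropy secret, a dictionary lookup is safe: nothing about the
    secret can be recovered from how long the lookup takes."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    digest = hash_key(presented)
    record = store.get(digest)
    # The audit record carries a hash prefix for correlation, never the key.
    entry = {"ts": ts, "key": digest[:12], "action": action}
    if record is None:
        entry["result"] = "invalid_key"
        audit.append(entry)
        return False
    allowed = has_role(record["role"], REQUIRED_ROLE[action])
    entry.update(team_id=record["team_id"], label=record["label"],
                 result="allowed" if allowed else "denied")
    audit.append(entry)
    return allowed


if __name__ == "__main__":
    store, audit = {}, []
    ci_key = issue_key(store, "team-a", "member", "ci-runner")
    print(authorize(store, audit, ci_key, "trigger_build"))      # True
    print(authorize(store, audit, ci_key, "manage_env_vars"))    # False: member < admin
    print(authorize(store, audit, "dbk_not-a-real-key", "view_deployments"))  # False
    for e in audit:
        print(e)
```

Note that unlike password storage, no salt or slow hash is needed here; what matters is that the stored value is a one-way function of a key with enough entropy, and that the plaintext is never written anywhere, including the audit trail.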

Data protection (GDPR)

We comply with the General Data Protection Regulation (GDPR / AVG) as both a data controller and processor.

  • Data subject rights: Export, rectify, or delete your data at any time through account settings or by contacting us.
  • Breach notification: Within 72 hours of becoming aware of a breach, as required by GDPR Article 33.
  • Data minimization: We collect only what is necessary to provide the service.
  • No profiling: No automated decision-making, no data sold to third parties.

Sub-processors

We use a limited number of trusted EU-based processors. We have Data Processing Agreements in place with each.

Processor    Purpose                                                Location
Scaleway     Infrastructure hosting (servers, storage, Kubernetes)  Paris, France
Bunny.net    CDN content delivery                                   Ljubljana, Slovenia
Vatly        Payment processing (Merchant of Record)                EU
Lettermint   Transactional email delivery                           EU

Authentication (Zitadel) is self-hosted on our own infrastructure — your credentials are never shared with a third party. We will notify customers at least 30 days before adding a new sub-processor.

No tracking

No analytics tracking. No advertising cookies. No third-party tracking scripts. We do not profile users, sell data, or use your data for AI training.

We use only functional cookies (session and CSRF protection) that are strictly necessary and exempt from consent requirements under Dutch law.

Compliance roadmap

We are a small, bootstrapped company. We prioritize genuine security measures over expensive certifications. As we grow, we will pursue formal audits — and update this page when we do.

Current

  • GDPR compliant (processing register, data subject rights, breach notification)
  • ePrivacy compliant (functional cookies only, no consent banner required)
  • EU Data Act cloud switching (30-day data export on termination)
  • All data in EU, zero transatlantic data transfers
  • Vulnerability disclosure policy
  • Public status page

Planned

  • Automated dependency vulnerability scanning in CI
  • SOC 2 Type I readiness assessment
  • Bug bounty program

Future

  • SOC 2 Type II audit
  • ISO 27001 certification
  • CSA STAR self-assessment

Vulnerability disclosure

We appreciate responsible security research. If you discover a vulnerability in deploybase, please report it to us.

Email: security@deploybase.eu
Response time: we will acknowledge your report within 3 business days
Resolution target: critical issues within 14 days
Machine-readable: security.txt

We will not pursue legal action against security researchers who act in good faith, follow responsible disclosure practices, and give us reasonable time to address the issue.

Contact

For security or compliance questions:

Security: security@deploybase.eu
General: support@deploybase.eu
Postal address