Security

How we keep your business data safe.

Last updated: 1 April 2025

Infrastructure

Servora is hosted on Amazon Web Services (AWS) in EU data centres (eu-west-1). We use AWS-managed services including RDS for databases and S3 for file storage, both with encryption at rest enabled.

Encryption

  • All data in transit is encrypted using TLS 1.3.
  • All data at rest is encrypted using AES-256.
  • Database backups are encrypted and stored separately from primary data.
  • Passwords are hashed using bcrypt with a work factor of 12.

Access controls

  • Production access is restricted to authorised engineering staff only.
  • All production access requires multi-factor authentication (MFA).
  • Access is granted on a least-privilege basis and reviewed quarterly.
  • All administrative actions are logged in an immutable audit trail.

Data backups

Database snapshots are taken every 15 minutes and retained for 30 days. Full backups are taken daily and retained for 90 days. Backup restoration is tested monthly.

Application security

  • Dependency scanning runs automatically on every code change.
  • Static analysis and security linting are enforced in our CI pipeline.
  • We follow OWASP Top 10 guidelines in our development process.
  • All user inputs are validated and parameterised queries are used throughout.

Compliance

We are working towards SOC 2 Type II certification. Our platform is GDPR-compliant for EU customers. Data Processing Agreements (DPAs) are available on request for customers who require them.

Incident response

We maintain a documented incident response plan. In the event of a confirmed data breach affecting your account, we will notify you within 72 hours in accordance with GDPR obligations.

Responsible disclosure

If you discover a security vulnerability, please report it to [email protected]. We ask that you give us reasonable time to investigate and remediate before any public disclosure. We do not pursue legal action against researchers acting in good faith.

Sub-processors

We use a limited number of trusted sub-processors to deliver our service, including AWS (infrastructure), Stripe (payments), and Postmark (transactional email). All sub-processors are bound by data processing agreements and security requirements equivalent to our own.

Questions about this policy? Email us at [email protected].