Security & trust
We treat security like infrastructure: there's a runbook, an audit log, and a contract you can read.
EU data residency by default
All operational data lives in EU data centres. Click events go to our analytics store with a default 365-day retention; link metadata is stored in our database. We do not back up to non-EU regions, ever.
Encryption everywhere
TLS 1.3 on every redirect, every API call, every dashboard request. Custom-domain certs are issued automatically via on-demand TLS. Database volumes are encrypted at rest with LUKS.
RBAC, audit log, custom roles
Four built-in roles - owner, admin, editor, viewer. Custom roles with fine-grained ABAC permissions on Business. Every mutation lands in an immutable audit log; SIEM-kind webhook endpoints can fan it out to Splunk, Datadog, or your stack.
SSO, SCIM, IP allowlist, passkeys
WorkOS-backed SAML and OIDC, SCIM directory sync, per-workspace CIDR allowlists, WebAuthn / passkey sign-in. Everything that lets you turn shadow-IT short links into managed infrastructure.
Compliance posture
GDPR DPA in the box. HIPAA BAA available on Business. SOC 2 Type II audit in progress - let us know if your procurement team needs a status letter.
Incident response
24h status page, 30-minute RPO, 1-hour RTO targets on the redirect tier. Post-mortems within 5 business days for any redirect-tier incident over 5 minutes.
Sub-processors
Short list, EU-only, kept current at /legal/subprocessors.
| Vendor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Primary hosting | EU (DE) |
| OVH SAS | Secondary hosting | EU (DE) |
| Postmark (ActiveCampaign) | Transactional email | EU (DE) servers |
| monobank Plata | Payments processing | EU |
| WorkOS | SSO / SCIM identity proxy | EU + US |
Policies you can read
Need a security questionnaire reviewed?
We pre-fill the SIG, CAIQ, and EU Cloud CoC questionnaires - drop your form to [email protected] and you'll have an answer within 72 hours.