Practical safeguards

Data security

We describe concrete operating safeguards and avoid claims about certifications or guarantees that we cannot substantiate.

Access and permissions

  • Least-privilege access
  • Read-only access preferred first
  • Access limited to authorized employees
  • Periodic review of access rights

Credential and logging practices

  • Credentials do not enter the frontend
  • Credentials are not committed to public repositories
  • Logs do not record complete credentials
  • Sensitive access is separated from public website content

Retention and incidents

  • Data is deleted when no longer needed
  • Potential incidents are investigated, isolated and remediated
  • Access and affected systems are reviewed after an incident
  • Relevant parties are notified when required

These are operating principles. They do not claim SOC 2, ISO 27001 or another third-party certification.