Your Data, Protected

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database connections are encrypted end-to-end. Encryption keys are managed through a dedicated key management service with automatic rotation.

We maintain SOC 2 Type II certification, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy. Annual audits are conducted by an independent third-party firm.

Full compliance with the General Data Protection Regulation. We implement data protection by design and by default, maintain records of processing activities, and have appointed a Data Protection Officer.

All customer data is stored and processed within the European Union. Our primary infrastructure is hosted in EU data centers. Where international transfers are necessary, we use Standard Contractual Clauses.

Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication is available for all accounts. All access is logged and auditable. Employee access to production systems requires approval and is time-limited.

We maintain a documented incident response plan with defined roles, escalation procedures, and communication protocols. Security incidents are investigated within 1 hour and affected parties are notified within 72 hours as required by GDPR.

We conduct regular penetration testing through independent security firms. Findings are remediated on a priority basis. We also run continuous automated vulnerability scanning across our infrastructure and application layer.

We welcome security researchers to report vulnerabilities through our responsible disclosure program. Reports are acknowledged within 24 hours and we work with researchers to resolve issues promptly. Contact security@vermoon.es.