How we protect your data
Security is a feature, not a check-box. Here's exactly how we keep your operational data safe.
Infrastructure
- EU-hosted: AWS Frankfurt (eu-central-1). Data never leaves the EU.
- Encryption at rest: AES-256 on all databases and backups.
- Encryption in transit: TLS 1.3 only. HTTP redirects to HTTPS. Domain submitted to the HSTS preload list.
- Network isolation: Application servers in private subnets. Database has no public IP.
- DDoS protection: Cloudflare at the edge.
Application security
- Per-tenant data isolation: Row-level security (RLS) at the database layer. A tenant cannot see another tenant's data — enforced by Postgres, not application code.
- Password hashing: bcrypt with cost factor 12.
- Session management: JWT with rotating refresh tokens, secure HttpOnly cookies.
- CSRF protection: SameSite cookies + CSRF tokens on state-changing requests.
- SQL injection: Parameterized queries only. No string concatenation.
- XSS: Content Security Policy (CSP) with strict-dynamic. Output is escaped by the framework.
- Rate limiting: 5 login attempts / 5 min. API throttling per plan tier.
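The per-tenant isolation described above, as an added example of how a Postgres row-level-security policy of that kind is typically written (this is not the amazstock schema; the table, column, role and session-setting names are assumptions):

```sql
-- Added example, not from the amazstock page: Postgres enforces the
-- tenant boundary itself, so application code cannot forget the filter.
-- Names (orders, tenant_id, app_user, app.tenant_id) are assumptions.
CREATE TABLE orders (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid    NOT NULL,
    sku        text    NOT NULL,
    qty        integer NOT NULL
);

-- The application connects as a role that owns no tables; only the
-- table owner or a superuser could bypass RLS, and the app is neither.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_user;

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- FORCE so that even the table owner is subject to the policy.
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- Every read and write is filtered by the tenant bound to the connection.
-- current_setting(..., true) returns NULL when the setting is absent, so a
-- request that never set a tenant sees nothing and can write nothing.
CREATE POLICY tenant_isolation ON orders
    FOR ALL
    TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, the application sets the tenant from the verified session.
-- SET LOCAL is transaction-scoped, so a pooled connection does not carry
-- one tenant's id over into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO orders (tenant_id, sku, qty)
    VALUES ('11111111-1111-1111-1111-111111111111', 'SKU-1', 3);

-- Rejected by WITH CHECK: a row for another tenant cannot be written.
-- INSERT INTO orders (tenant_id, sku, qty)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'SKU-2', 1);

-- Returns only rows whose tenant_id matches the setting above.
SELECT id, sku, qty FROM orders;
COMMIT;
```

The policy is checked on every statement, including ones issued through an ORM or ad-hoc query, which is what makes the "enforced by Postgres, not application code" claim hold.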
Backups
- Daily encrypted database snapshots, retained 30 days.
- Point-in-time recovery (PITR) covering the past 7 days.
- Restore procedure tested monthly.
Access controls
- 2FA available on all accounts (recommended). Mandatory on Enterprise.
- SSO (SAML 2.0) on Enterprise plans.
- Audit log: every login, every settings change, every export — recorded.
- Employee access to production is logged, alerted, and reviewed quarterly.
Vulnerability disclosure
We follow coordinated disclosure. Report vulnerabilities to security@amazstock.online.
We respond within 48 hours, fix critical issues within 7 days, and acknowledge contributors publicly (with their permission).
Rewards offered for valid findings — scope and amounts at security.amazstock.online.
Compliance
- GDPR: Compliant by design.
- SOC 2 Type I: Audit in progress, expected Q4 2026.
- ISO 27001: On the roadmap for 2027.
Status & incidents
Live system status: status.amazstock.online
Past incidents are publicly documented with full post-mortems within 7 days of resolution.