Security
What runs under the hood. Concrete, no buzzwords.
Hosting + Data Residency
- Hetzner Leipzig (DACH) — servers are physically in Germany.
- No US CLOUD Act exposure — we are not a US subsidiary and use no US-owned infrastructure.
- On-prem option in Enterprise tier — single-tenant deployment on customer hardware.
Encryption
- At-rest: LUKS full-disk encryption on all storage volumes.
- In-transit: TLS 1.3 enforced, Caddy with auto-HTTPS and HSTS.
- API keys: hashed in DB (Argon2id), never logged in plaintext.
Access Control
- NextAuth-based authentication with session cookies (HttpOnly, Secure, SameSite=Lax).
- SSO via OAuth (Google, GitHub, Microsoft) for Enterprise tier.
- Role-based: User, Admin, Org-Owner.
- API-key scoping per subscription, revocation anytime.
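The transport and session claims above (HSTS under Encryption, and HttpOnly/Secure/SameSite=Lax session cookies under Access Control) are the kind a procurement reviewer will want to verify against a real response. The following is an added example written for this page, not covasyn's own code; it checks those attributes offline on constructed headers, and the one-year HSTS baseline is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample response headers (not a capture from covasyn.com).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "__Secure-next-auth.session-token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
}

MIN_HSTS_AGE = 31536000  # assumed baseline: one year


def check_hsts(value: Optional[str], min_age: int = MIN_HSTS_AGE) -> List[str]:
    """Return findings for the HSTS header; an empty list means it meets the baseline."""
    if not value:
        return ["HSTS header missing"]
    findings: List[str] = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        findings.append("HSTS max-age missing")
    elif int(m.group(1)) < min_age:
        findings.append(f"HSTS max-age {m.group(1)} below {min_age}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_session_cookie(set_cookie: Optional[str]) -> List[str]:
    """Check a Set-Cookie line for the HttpOnly, Secure and SameSite=Lax/Strict attributes."""
    if not set_cookie:
        return ["Set-Cookie missing"]
    parts = [p.strip() for p in set_cookie.split(";")]
    # parts[0] is name=value; the remaining parts are attributes (case-insensitive)
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else True) for p in parts[1:]}
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("cookie lacks HttpOnly")
    if "secure" not in attrs:
        findings.append("cookie lacks Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("cookie SameSite missing or None")
    return findings


def audit(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run both checks over a header dict and return findings per check."""
    return {
        "hsts": check_hsts(headers.get("Strict-Transport-Security")),
        "session_cookie": check_session_cookie(headers.get("Set-Cookie")),
    }


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else findings)
```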
Backup + Disaster Recovery
- Daily snapshot via Hetzner Storage Box.
- Daily off-site backup replication to an independent location.
- RTO: 4h, RPO: 24h for Pro/Unlimited; Enterprise SLA-specific.
Penetration Testing
- Annual pen-test by external auditors.
- Bug bounty program for Enterprise customers in preparation.
Incident Response
- Email: security@covasyn.com
- Disclosure policy: 90-day coordinated disclosure.
- Breach notification within 72h, as required by Art. 33 GDPR.
What we do NOT claim
- SOC 2 Type II — in preparation, not yet certified.
- ISO 27001 — on roadmap.
- HIPAA — not relevant for pharma R&D in the EU.
Need a security questionnaire?
Included in the Enterprise Procurement Pack. Standard questions pre-answered.
