Security and Privacy
Security practices that protect your data and applications
Security is not just technology; above all it is processes and organizational culture. Below we describe our approach to backups, access control, change auditing, penetration testing, and client data protection.
Backups and Disaster Recovery
Automated backups and data recovery procedures in case of failure
Automated backups
Database and file backups run automatically every night, and each backup is verified for integrity after it completes.
Geographic redundancy
Backups are stored in geographically distributed locations (multi-region), so the loss of a single region does not destroy the backups.
Retention policy
Backups are retained for 30 days; the retention period can be extended at the client's request.
Recovery testing
Disaster recovery procedures are tested regularly (at least quarterly) and the results are documented.
RTO and RPO
Recovery Time Objective (RTO): up to 4 hours. Recovery Point Objective (RPO): at most 24 hours. The RPO follows from the nightly backup schedule: in the worst case, changes made since the last nightly backup may be lost.
Backup access
A copy of the backup can be provided to the client on request, within 48 hours and in an agreed format.
Access Control and SSO
Advanced authentication and authorization mechanisms
Single Sign-On (SSO)
Integration with SSO providers (Azure AD / Microsoft Entra ID, Google Workspace, Okta), so users sign in with their existing corporate identity instead of a separate password.
Multi-Factor Authentication (MFA)
Multi-factor authentication (2FA/MFA) is mandatory for all team members and administrators.
Role-Based Access Control (RBAC)
Permissions are assigned by role, and each user receives only the permissions their role requires (principle of least privilege).
Login audit
All login attempts (successful and failed) and all permission changes are logged and regularly reviewed.
Session management
Sessions end automatically after a period of inactivity; session state is stored securely and session tokens are rotated.
IP whitelisting
Access to the admin panel can be restricted to specific IP addresses (an allow-list).
Change Audit and Version Control
Complete history of code and configuration changes
Git version control
All code changes are versioned in Git, with mandatory commit messages that follow the Conventional Commits convention.
Mandatory code review
Every change goes through code review: at least one other person must approve it before it is merged into the main branch.
Audit trail
A complete history of code, configuration, and infrastructure changes, with the ability to trace who changed what, and when.
Change documentation
A changelog and release notes accompany each deployment, so every change is communicated transparently.
Rollback capability
Changes can be rolled back quickly if issues are detected after deployment.
Change approval process
Production changes follow an approval process with defined procedures and checklists.
Penetration Testing and Security Audits
Regular security testing and vulnerability analysis
Penetration testing on demand
Professional penetration testing by external companies whose testers hold recognized certifications (e.g. OSCP, CEH) can be ordered on request.
Automated vulnerability scanning
Applications are scanned regularly for known vulnerability classes (OWASP Top 10) and known vulnerable components (CVE), using both SAST (analysis of the source code) and DAST (testing of the running application).
Dependency scanning
Dependencies (npm and NuGet packages) are checked automatically for known security vulnerabilities.
Code security audit
Regular code analysis against secure coding best practices (e.g. OWASP guidelines).
Infrastructure security
Audit of the infrastructure configuration: firewall rules, network segmentation, and encryption settings.
Reporting and remediation
Identified security issues are reported in detail, with priorities and a remediation plan.
Client Data Protection
How we protect client privacy and data
Encryption at rest
All data in databases and files is encrypted at rest (AES-256), including backups.
Encryption in transit
All communication uses HTTPS with TLS 1.3; unencrypted connections are not accepted.
GDPR compliance
Full compliance with personal data protection regulations (GDPR), including the data subject's rights to erasure, export, and rectification of their data.
Data segregation
In multi-tenant applications, each client's data is logically and physically separated from other clients' data.
Data retention policy
A clear data retention policy: data is deleted automatically once the specified retention period has elapsed.
Data breach response
Procedures for responding to security incidents and personal data breaches, including the breach notification obligations that GDPR imposes.
Related Policies and Terms
Detailed documents regarding privacy and terms of service
Privacy Policy
Detailed information about personal data processing, cookies, and user rights.
Cookie Policy
Information about the cookies used and how to manage them.
Terms of Service
Cooperation conditions, liability, and dispute resolution procedures.
Frequently Asked Questions
Questions about security?
We'll be happy to discuss the details of our security practices and adapt them to your project.