Datenlöschdienst

Security

Protecting your data is our highest priority. As a Swiss company that processes personal data on behalf of its customers, we rely on multi-layered technical and organizational measures that reflect the current state of the art.

1. Data Encryption

  • In transit: All connections between your browser and our servers are encrypted exclusively via TLS 1.3. Older protocol versions are not supported. HSTS is enabled.
  • At rest: All data in our database is encrypted with AES-256. Backups are also stored encrypted.
  • Passwords: User passwords are stored exclusively as bcrypt hashes. Plaintext passwords are never persisted.

2. Access Control

  • Row Level Security (RLS): At the database level, Row Level Security ensures that each authenticated user can only access their own data. These policies are enforced server-side and cannot be bypassed client-side.
  • Role-Based Access Control (RBAC): Internal access to systems and data follows the principle of least privilege. Each team member receives only the permissions strictly required for their role.
  • Multi-Factor Authentication (MFA): MFA is mandatory for all administrative access to infrastructure, database, and third-party services.

3. Data Storage and Deletion

We process personal data according to the principle of data minimization and delete it as soon as the purpose is fulfilled:

  • Identity documents (ID copies) are automatically deleted within 90 days after upload or after the verification purpose is achieved.
  • Free analyses without account binding are automatically removed after 30 days.
  • Scan results are retained until account deletion or up to 12 months after the last scan, whichever comes first.
  • Server log data is deleted after 14 days.

Complete retention periods can be found in our Privacy Policy (Section 6).

4. Infrastructure

  • Database hosting: Supabase located in Frankfurt (EU/EEA). No storage of personal data outside the EEA without appropriate safeguards.
  • Application hosting: Vercel with edge network. For any processing in the US, EU Standard Contractual Clauses (SCC) apply.
  • Regular updates: Dependencies and runtime environments are continuously updated to promptly close known security vulnerabilities.

5. Sub-processors

We work exclusively with carefully vetted sub-processors, each covered by a Data Processing Agreement (DPA). The current list of all sub-processors is available at any time:

Sub-processor Directory →

6. Responsible Disclosure

We take security reports seriously. If you discover a security vulnerability in our systems, we ask you to report it responsibly:

Please give us reasonable time to fix the issue before making details public. We commit to promptly reviewing and resolving reported vulnerabilities.

7. Compliance

Our security measures are aligned with the requirements of the following regulations:

  • nDSG / FADP Swiss Federal Act on Data Protection (in force since September 1, 2023), in particular Art. 8 (Data Security)
  • GDPR EU General Data Protection Regulation, in particular Art. 32 (Security of Processing)

Further information on our data protection measures can be found in our Privacy Policy.

As of April 2026