Security

Security is a core part of how we build and operate Repair Angel. Here's how we protect your data and infrastructure.

Last updated: June 2025

Infrastructure

  • All data is hosted in ISO 27001-certified EU data centres.
  • Servers run behind a Web Application Firewall (WAF) with DDoS protection.
  • All environments (production, staging) are network-isolated.
  • Regular automated vulnerability scans and dependency audits.

Encryption

  • In transit — all traffic is encrypted via TLS 1.2 / 1.3. HTTP is redirected to HTTPS.
  • At rest — databases and backups are encrypted using AES-256.
  • Passwords — hashed with bcrypt (cost factor ≥ 12). We never store plaintext passwords.
  • API keys & secrets — stored encrypted, never logged.
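The bcrypt commitment above is easy to state and easy to drift from: a hash written years ago at cost 10 stays valid forever unless something checks it. The following is an added example, not Repair Angel's own code, of the check a practitioner would run: it reads the cost factor out of the bcrypt string (the `$2b$12$...` prefix encodes it) and flags any hash that is not bcrypt or sits below the minimum, so it can be upgraded at the user's next login. The hash strings, the user names and the function names are constructed for illustration.

```python
import re

# Minimum cost factor this policy requires (matches "cost factor >= 12" above).
MIN_BCRYPT_COST = 12

# Modular-crypt layout of a bcrypt hash: $2a$/$2b$/$2y$, a two-digit cost,
# then 22 salt characters followed by 31 hash characters (53 in total).
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(hash_string):
    """Return the cost factor encoded in a bcrypt hash, or None if it is not one."""
    match = _BCRYPT_RE.match(hash_string)
    return int(match.group(1)) if match else None


def needs_rehash(hash_string, min_cost=MIN_BCRYPT_COST):
    """True when the stored hash is not bcrypt at all or its cost is below the minimum.

    A True result means: verify the password as usual on the next login, and if it
    matches, overwrite the stored value with a fresh bcrypt hash at the current cost.
    """
    cost = bcrypt_cost(hash_string)
    return cost is None or cost < min_cost


def audit_password_hashes(rows, min_cost=MIN_BCRYPT_COST):
    """Given (user, stored_hash) pairs, return the users whose hash must be upgraded."""
    return [user for user, stored in rows if needs_rehash(stored, min_cost)]


# Constructed sample rows (illustrative strings, not real credentials):
# alice meets the policy, bob is bcrypt at cost 10, carol is a legacy unsalted MD5 hex.
SAMPLE_ROWS = [
    ("alice", "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("bob",   "$2b$10$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    for user in audit_password_hashes(SAMPLE_ROWS):
        print(f"{user}: stored hash below policy, rehash at next successful login")
```

Running the audit against the sample rows reports bob and carol. Two caveats worth keeping next to a check like this: bcrypt only looks at the first 72 bytes of the password, so a length cap or a pre-hash step belongs in the same policy, and the cost floor should be revisited as hardware gets faster, which is exactly why the minimum is a named constant rather than a literal scattered through the code.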

Access control

  • Role-based access control (RBAC) with least-privilege principle.
  • Multi-factor authentication (MFA) available for all accounts.
  • Session tokens expire after inactivity and are invalidated on logout.
  • Production systems are accessible only via SSH with hardware keys; no password logins.

Backups & availability

  • Automated daily backups retained for 30 days, weekly for 3 months.
  • Point-in-time recovery available for the last 7 days.
  • Backups are tested monthly via automated restore checks.
  • Target uptime SLA: 99.9 % (excluding planned maintenance windows).

Application security

  • Protection against OWASP Top 10 (SQL injection, XSS, CSRF, etc.).
  • All user inputs are validated server-side; parameterised queries only.
  • CORS, CSP, HSTS and other security headers enforced on all responses.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
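The rate-limiting bullet above names the control without showing what it has to get right: attempts must be counted per client in a sliding window, a lockout must actually expire, and a successful login must clear the counter so a legitimate user is not punished for one typo. The following is an added example, not Repair Angel's own code, of such a limiter for a login endpoint; the class name, its default thresholds (5 attempts per minute, 5-minute lockout) and the injectable clock are assumptions chosen so the behaviour can be tested without waiting in real time.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter for an authentication endpoint.

    Each key (client IP, username, or both combined) may fail at most
    `max_attempts` times within `window_seconds`; reaching the limit locks the
    key out for `lockout_seconds`. A successful login clears the key's history.
    The clock is injectable so the expiry logic can be tested deterministically.
    """

    def __init__(self, max_attempts=5, window_seconds=60, lockout_seconds=300,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time when the lockout ends

    def _prune(self, key, now):
        """Drop failures that have aged out of the window."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_allowed(self, key):
        """Call before checking credentials; False means reject without verifying."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            # Lockout has expired: start the key with a clean slate.
            del self._locked_until[key]
            self._failures[key].clear()
        self._prune(key, now)
        return len(self._failures[key]) < self.max_attempts

    def record_failure(self, key):
        """Call after a failed credential check. Returns True if this failure locked the key."""
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        """Call after a successful login so earlier typos do not count against the user."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


class FakeClock:
    """Constructed test clock: time advances only when told to."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = LoginRateLimiter(max_attempts=3, clock=clock)
    client = "203.0.113.7"          # constructed sample address (documentation range)
    for attempt in range(4):
        allowed = limiter.is_allowed(client)
        print(f"attempt {attempt + 1}: allowed={allowed}")
        if allowed:
            limiter.record_failure(client)
```

In practice the key is usually the pair of client address and target username, so one attacker cannot spray many accounts from one address and one account cannot be locked by a single noisy source; the rejected attempts are also the events worth logging, since a burst of lockouts across many accounts is the signal the detection side wants to see.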

Incident response

In the event of a security incident we will notify affected customers within 72 hours in accordance with GDPR Article 33. We maintain a documented incident response plan with defined roles and escalation paths.

Responsible disclosure

Found a security vulnerability? We welcome responsible disclosure. Please email security@repairangel.nl with details. We commit to:

  • Acknowledge your report within 2 business days.
  • Provide an update within 10 days.
  • Credit you (if desired) once the issue is resolved.
  • Not pursue legal action for good-faith reports.