Security & Trust

How we protect your data.

Your website, your customer inquiries, and your business data deserve serious protection. Here's exactly how we host, encrypt, and handle the systems we build and run for you — in plain language, so your team and your procurement reviewers know what to expect.

Isolated hosting · Cloudflare edge security · Enforced HTTPS/TLS · NDA & DPA on request.

Our Approach

Security Built In, Not Bolted On

We design every site and system around a simple principle: protect the data, limit the blast radius, and keep access to the minimum that the work requires. The practices below apply across the projects we build and operate.

Infrastructure & hosting

Your site runs on dedicated server infrastructure (Hetzner) — not a crowded shared box where one neighbor's breach becomes everyone's problem.

  • Isolated site environment per client — each site runs under its own isolated user, with no co-mingling of files or data between clients.
  • Dedicated, monitored infrastructure under our direct control.
  • Server configuration kept separate from public files.

Encryption & network security

Traffic to and from your site is encrypted, and a managed edge layer sits in front of every site we operate.

  • HTTPS/TLS enforced site-wide (Let's Encrypt, auto-renew) with an automatic HTTP → HTTPS redirect.
  • Cloudflare in front of every site: web application firewall (WAF), DDoS protection, and managed SSL.
  • Security headers set at the server/edge: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Content-Security-Policy (CSP).
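
The following Python check is an added example, not the provider's own tooling: it audits captured response heads (for instance from `curl -sI`) for the HTTP → HTTPS redirect and the four headers listed above. The sample responses and the `example.com` host are constructed, and the accepted header values are assumptions, since the list names the headers but not their values.

```python
# Added example: audit captured HTTP response heads against the listed controls.
REQUIRED = ("x-content-type-options", "x-frame-options",
            "referrer-policy", "content-security-policy")

def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased header: value})."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 Moved" -> 301
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(http_raw, https_raw):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    status, hdrs = parse_head(http_raw)
    location = hdrs.get("location", "").lower()
    if status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("plain HTTP is not redirected to HTTPS")
    _, hdrs = parse_head(https_raw)
    for name in REQUIRED:
        if not hdrs.get(name):
            findings.append(f"missing header: {name}")
    # Value checks (assumed policy): nosniff is the only defined value for
    # X-Content-Type-Options; DENY and SAMEORIGIN are the supported XFO values.
    if hdrs.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be 'nosniff'")
    xfo = hdrs.get("x-frame-options")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    return findings

# Constructed sample responses (placeholder host, not captured from a real site).
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n"
GOOD_HTTPS = ("HTTP/2 200\r\nx-content-type-options: nosniff\r\n"
              "x-frame-options: SAMEORIGIN\r\n"
              "referrer-policy: strict-origin-when-cross-origin\r\n"
              "content-security-policy: default-src 'self'\r\n")
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
WEAK_HTTPS = ("HTTP/2 200\r\nx-content-type-options: nosniff\r\n"
              "x-frame-options: ALLOWALL\r\n")

if __name__ == "__main__":
    print(audit(GOOD_HTTP, GOOD_HTTPS))
    print(audit(WEAK_HTTP, WEAK_HTTPS))
```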

Access & secrets

Credentials and server-only configuration are treated as sensitive — never casually shared, and never left where they don't belong.

  • Secrets (API keys, tokens, passwords) are never stored in code repositories.
  • Server-only configuration lives on the server, kept out of source control.
  • Credentials delivered through secure channels (password manager / encrypted), under least-privilege access.

Data handling & your rights

The data your site collects is your data. Form submissions are captured and routed straight to you, and we'll formalize how it's handled whenever you need that in writing.

  • Form submissions captured and routed to you, the client.
  • NDA and a Data Processing Agreement (DPA) available on request.
  • Data-deletion requests honored.
  • See our Privacy Policy for how data is collected and used.

Backups & monitoring

We plan for the bad day, not just the good ones — so a mistake or an outage doesn't turn into lost data or a silent site.

  • Regular backups so your site and data can be restored.
  • Monitored uptime with alerting, so issues are caught early.

Compliance & accessibility

We build to recognized standards and follow privacy best practices. Where buyers need formal documentation, we'll work with you to provide it.

  • Built to accessibility standards (WCAG 2.1 AA).
  • Privacy best practices throughout — see our Privacy Policy.
  • Formal certifications available or in progress on request.

For procurement & security reviewers: We're happy to complete vendor security questionnaires, sign an NDA, and put a Data Processing Agreement (DPA) in place before any data is exchanged. If your organization requires a specific certification or attestation, tell us what you need and we'll tell you exactly where we stand and what we can provide.

Have a Security or Procurement Question?

Send it over and we'll respond directly — including NDAs, DPAs, vendor questionnaires, and anything your review process requires.
