How CVD Portal handles your data
Written for the procurement, legal, and security reviewers who perform due diligence on us. No marketing language; only what we can evidence. Updated 9 May 2026.
Hetzner, EU region.
Application, database, and backups run on Hetzner infrastructure in the EU. We do not transfer submission data outside the EU/EEA. Operational timestamps use the Europe/Amsterdam time zone.
Processor.
Tenants are the data controller for the submissions their portal receives. We act as a processor on the GDPR Art. 28 terms described in our Privacy Policy.
Disclosure policy at /security; machine-readable version at /.well-known/security.txt.
Subprocessors
These are the third parties that process tenant data on our behalf. We will give tenants 30 days' notice before adding a new subprocessor with material access to submission data.
Stripe: subscription billing and checkout
- Data processed: company billing contact, invoice history, card fingerprints (card data itself never touches our servers)
- Region: Ireland (EU); payment data is processed under Stripe's EEA data-residency posture
Resend: transactional email delivery (acknowledgments, notifications, auth)
- Data processed: recipient email, subject line, message body, delivery metadata
- Region: delivery infrastructure with an EU sending region available; see the Resend DPA
Self-hosted components
Application runtime
Next.js server, self-hosted on an EU-based VPS. Admin access over Tailscale only; no public SSH.
PostgreSQL database
Self-managed on EU-based infrastructure. Encrypted at rest with AES-256 full-disk encryption. Client connections are TLS-only.
Edge & reverse proxy
Caddy with automatic TLS (Let's Encrypt). HSTS preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy.
Geolocation
geoip-lite library; country-level IP lookup happens in-process. No outbound request is made and no third-party analytics are used.
Security controls
Encryption
- TLS 1.2+ enforced on every public endpoint. HSTS with preload.
- AES-256 full-disk encryption for database volumes.
- Researcher submissions support PGP end-to-end encryption when the tenant publishes a key.
Access control
- Role-based access (ADMIN, MEMBER) on every tenant workspace.
- Tenant data is strictly isolated by companyId; every query is scoped to the requesting tenant, and cross-tenant access is rejected as a hard constraint at the ORM layer.
- NextAuth session management with CSRF protection; password hashing via bcrypt.
- Enterprise plan: SSO/SAML and EUDI Wallet identity verification (eIDAS 2.0).
Auditability
- Every state-changing action writes an append-only audit log entry with actor, timestamp (millisecond precision), IP, and country.
- Audit logs are visible in the tenant dashboard and exportable as evidence under the EU Cyber Resilience Act (CRA).
- Database-level immutability enforcement for the audit table is on the near-term roadmap (see §Roadmap).
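What the roadmap item "REVOKE UPDATE/DELETE + trigger" looks like in PostgreSQL, as an added example rather than CVD Portal's own migration. The table layout mirrors the audit fields listed above; the table name audit_log, the application role cvd_app and the column types are assumptions.

```sql
-- Added example, not CVD Portal's schema. audit_log, cvd_app and the column
-- set are assumptions; PostgreSQL 11+ syntax (EXECUTE FUNCTION).
CREATE TABLE IF NOT EXISTS audit_log (
    id          bigserial   PRIMARY KEY,
    company_id  bigint      NOT NULL,          -- tenant scope
    actor_id    bigint      NOT NULL,
    action      text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT clock_timestamp(),
    ip          inet,
    country     char(2)
);

-- Layer 1: privileges. The application role may append and read, nothing else.
-- Ownership stays with the migration role, so cvd_app cannot ALTER or DROP.
REVOKE ALL ON TABLE audit_log FROM cvd_app;
GRANT SELECT, INSERT ON TABLE audit_log TO cvd_app;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO cvd_app;

-- Layer 2: trigger. Also stops the table owner, or anyone who later grants
-- themselves UPDATE, from rewriting history without first running
-- ALTER TABLE ... DISABLE TRIGGER, a DDL statement you can log and alert on.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % is not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';   -- SQLSTATE 42501
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- TRUNCATE bypasses row triggers, so it needs its own statement-level trigger.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Verification, run as cvd_app (constructed sample row; 203.0.113.7 is a
-- documentation address). The INSERT succeeds; each of the next three
-- statements must fail with SQLSTATE 42501.
-- INSERT INTO audit_log (company_id, actor_id, action, ip, country)
--     VALUES (1, 42, 'submission.status_changed', '203.0.113.7', 'NL');
-- UPDATE audit_log SET action = 'tampered' WHERE id = 1;
-- DELETE FROM audit_log WHERE id = 1;
-- TRUNCATE audit_log;
```

Two caveats a reviewer should keep in mind. The trigger protects against a compromised application credential or an application bug, not against a superuser or the table owner, who can disable or drop it; the encrypted off-host backups described under Backups & business continuity remain the backstop for that case. And once the table is append-only, deletion at account closure needs a privileged maintenance path the application role does not hold, for instance a separate role that disables the trigger inside a logged transaction, or a table partitioned by company_id whose partition is detached and dropped.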
Operational security
- Secrets are never committed to the repository; configuration is environment-based.
- Dependency scanning in CI; Dependabot-equivalent automated update flow.
- No production shell access outside Tailscale; the deploy user is scoped to the application directory.
Data ownership and exit
- You own every report your portal receives. We process it on your behalf, we do not sell it, and we do not use it to train models.
- Full export of your submissions in CSV and JSON is available on every plan, including Free.
- We delete your data on request. Closing your account removes submission data within 30 days, except where a legal retention obligation applies.
- Audit logs are retained for the life of the account as compliance evidence and are exported with the rest of your data.
Data Processing Agreement
A Data Processing Agreement (GDPR Art. 28) is available on request. Email [email protected] and we will send our standard DPA. A self-serve template at /legal/dpa for Pro and Enterprise customers is on the roadmap below.
Security testing
CVD Portal is penetration tested by an independent firm every quarter. The most recent test was completed in May 2026. Enterprise clients receive the full report under NDA. A summary of scope and outcome is available on request via [email protected].
Report a vulnerability in CVD Portal itself
We run our own coordinated disclosure process. Report a security issue in CVD Portal through our disclosure policy, or read the machine-readable security.txt.
Incident response
1. We learn of an incident via internal monitoring, a tenant report, or a researcher report to [email protected].
2. A responder acknowledges within the SLA on our Security page, scopes the impact, and opens an incident record.
3. Affected tenants are notified without undue delay, as GDPR Art. 33(2) requires of a processor, and within 72 hours for personal-data breaches so that tenants, as controllers, can meet their own 72-hour supervisory-authority deadline under Art. 33(1).
4. A post-incident write-up is published to affected tenants. Material incidents are disclosed on /status with a resolution note.
Backups & business continuity
Database backups are taken on a defined schedule and stored encrypted off the primary host. We exercise restore drills periodically. Enterprise customers can request our current RPO/RTO targets, the most recent restore test date, and our business-continuity summary under NDA via [email protected]. We are deliberately not publishing specific numbers here that we cannot continuously evidence.
On the roadmap
Items we have committed to and are tracking publicly:
- Database-level append-only enforcement on the audit_log table (REVOKE UPDATE/DELETE + trigger).
- GDPR lifecycle automation: DSAR export/delete endpoints and scheduled retention jobs.
- DPA template at /legal/dpa available for enterprise customers without bespoke negotiation.
- SOC 2 Type 1 readiness engagement.
Last updated 9 May 2026. For procurement questionnaires, DPAs, or security reviews, reach [email protected]. See also Privacy, Terms, Security, Status.