Your data, securely protected
Encryption, access control, and complete audit logging — built with data protection in mind.
TLS 1.3 & AES-256
TLS 1.3 in transit. Sensitive fields (IBAN, BIC, phone) encrypted in the database with AES-256-GCM; documents (R2) and the mobile offline cache encrypted at rest.
Non-Root Containers
All services run as non-privileged users in isolated containers.
GDPR-oriented
Built with EU data protection requirements in mind.
Sensitive Data Protection
Passwords bcrypt-hashed; 2FA secrets and session tokens protected. Database ports closed to the public — internal network only.
Role-Based Access Control
25+ roles with granular permissions. Everyone sees only what they should.
2FA & Secure Sessions
JWT + refresh-token authentication with optional two-factor (TOTP). Tenant-scoped sessions, token rotation.
Complete Audit Trail
Every action and change is logged so that records stay traceable, as required by §146 AO and detailed in the GoBD. Financial records are retained for the statutory period of up to 10 years (§147 AO).
Backup & Restore
Automatic nightly backups + off-site sync to Cloudflare R2. Documented restore process.