This page describes, in plain language, the technical and organisational measures that APPA8 applies to protect the data its customers entrust to it. It is also the reference invoked by our Terms of Service and by the DPA.
1. Encryption in transit
All traffic between the customer's browser and the platform is encrypted with TLS 1.2 or higher. Plain HTTP access is automatically redirected to HTTPS.
TLS termination and routing are handled through a reverse proxy (Traefik), ensuring secure communication between users and the internal services.
2. Credentials and authentication
- Passwords are never stored in plain text. They are protected with bcrypt and a per-user salt.
- Brute-force protection is in place, including rate limiting on authentication endpoints.
- Sessions are managed through secure cookies (HttpOnly, Secure and SameSite) with a configured expiry.
- Sessions can be revoked in case of account compromise or access termination.
3. Multi-tenant isolation
The platform uses a strong per-customer isolation model (tenant isolation) based on separate databases.
Each customer has dedicated databases for the different parts of the system:
- Application database
- Authentication database
- Audit database
This model guarantees data isolation between customers, reducing the risk of cross-access or direct impact between different accounts. Each operation is executed exclusively within the corresponding customer's context.
4. Backups
- Automatic per-customer backups are taken, covering application, authentication and audit data.
- Backups are stored securely and kept for a defined retention period.
- Periodic restore tests are performed to validate data integrity.
- Restores can be requested by the customer within the applicable retention window.
5. Logs and auditing
All sensitive actions are recorded in a per-customer audit log, including authentications, permission changes and critical operations.
Records are immutable (append-only) and kept for a defined retention period.
6. Access control
- The permission model follows the principle of least privilege and is role-based.
- The customer is responsible for managing access for its own users within its organisation.
- Access to customer data by the provider happens only at the customer's request, for technical support, or under legal obligation.
- Administrative access to the platform is restricted and protected by multi-factor authentication (2FA).
7. Infrastructure security
- The platform runs on servers owned and operated by APPA8, located in controlled premises in the European Union.
- Services run in isolated Docker containers, with traffic managed through Traefik.
- Administrative access is restricted and protected by VPN and multi-factor authentication.
- Public traffic is filtered through abuse-protection and DDoS-mitigation mechanisms (where applicable).
- Security updates are applied regularly and critical vulnerabilities are handled with top priority.
- Secrets and credentials are stored securely and are not present in the source code.
8. Incident response
In case of a security incident affecting personal data, APPA8 commits to investigating and mitigating it without undue delay.
Where applicable, affected customers will be notified in accordance with the General Data Protection Regulation (GDPR), including the legal deadlines for notifying the supervisory authority.
9. Payments
Payments are processed through PCI DSS-certified providers, such as Stripe.
APPA8 does not store credit card data. Only the identifiers and payment tokens required for recurring billing are stored.
10. How to report vulnerabilities
If you identify a security vulnerability, you can report it to geral@appa8.com with the subject "Security".
We commit to responding within 72 hours and to coordinating a responsible disclosure where applicable.