Security
We host Production Board in Germany under German law. Plain summary on this page; full technical detail in the docs.
Application servers and database run on dedicated machines we operate ourselves, physically located in Germany. There is no AWS, no GCP, no US-based subprocessor in the request path.
TLS 1.3 on every public endpoint, certificates auto-renewed via ACME. Database disks are encrypted at rest. Backups are encrypted before they leave the primary host. Inter-service traffic stays inside a private network the public internet cannot reach.
The application enforces account separation at the database layer: every query is scoped to the requesting workspace. Operator access (the two of us) requires an SSH key plus 2FA on the bastion. Admin actions are written to an append-only audit log we cannot edit retroactively. Production secrets are rotated when anyone leaves and at least once a year regardless.
Database snapshots are taken daily, kept for 30 days, and stored in a different physical location from the primary. We test restores quarterly. Your account data is recoverable up to the moment of the most recent snapshot before any incident.
Passwords are hashed with Argon2id and never stored in any retrievable form. Magic-link sign-in is single-use, expires in 30 minutes, and is bound to the requesting browser. Sessions can be revoked from any device in account settings.
To report a security issue, write to either of the founders directly (addresses in /imprint). We acknowledge within one working day. We do not pursue action against good-faith researchers. Please give us a reasonable window before public disclosure.
The full technical surface (auth flows, the field-schema layer, the audit log shape, the WebSocket protocol, rate limits) is in the docs. They are written for engineers and integrators; this page is the plain-English summary.