
How CVD Portal handles your data

Written for the procurement, legal, and security reviewers who diligence us. No marketing language; only what we can evidence. Updated 9 May 2026.

Data residency

EU-hosted.

Application, database, and backups run on EU-based infrastructure. Operational timestamps are Europe/Amsterdam.

Controller / Processor

Processor.

Tenants are the data controller for submissions their portal receives. We act as a processor under GDPR Art. 28 terms described in our Privacy Policy.

Security contact
[email protected]

Policy at /security, machine-readable at /.well-known/security.txt.

Subprocessors

These are the third parties that process tenant data on our behalf. We will give tenants 30 days' notice before adding a new subprocessor with material access to submission data.

Stripe Payments Europe, Ltd.

Subscription billing and checkout

Data processed
Company billing contact, invoice history, card fingerprints (card data itself never touches our servers)
Region
Ireland (EU); payment data processed under Stripe's EEA data residency posture
Resend, Inc.

Transactional email delivery (acknowledgments, notifications, auth)

Data processed
Recipient email, subject line, message body, delivery metadata
Region
Delivery infrastructure with EU sending region available; see Resend DPA

Self-hosted components

Application runtime

Next.js server, self-hosted on EU-based VPS. Admin access over Tailscale only; no public SSH.

PostgreSQL database

Self-managed on EU-based infrastructure. Encrypted at rest (AES-256) via full-disk encryption. TLS-only client connections.

Edge & reverse proxy

Caddy with automatic TLS (Let's Encrypt). HSTS preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy.

Geolocation

geoip-lite library; country-level IP lookup happens in-process. No external request, no third-party analytics.

Security controls

Encryption

  • TLS 1.2+ enforced on every public endpoint. HSTS with preload.
  • AES-256 full-disk encryption for database volumes.
  • Researcher submissions support PGP end-to-end encryption when the tenant publishes a key.

Access control

  • Role-based access (ADMIN, MEMBER) on every tenant workspace.
  • Tenant data strictly isolated by companyId; tenant isolation is enforced as a hard constraint at the ORM layer, so no query can reach another tenant's rows.
  • NextAuth session management with CSRF protection; password hashing via bcrypt.
  • Enterprise plan: SSO/SAML and EUDI Wallet identity verification (eIDAS 2.0).
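The companyId scoping above is enforced in the application's ORM layer. The following is an added example, not CVD Portal's own schema or code, showing the database-level counterpart a reviewer may ask about: PostgreSQL row-level security that filters every query by the tenant the application sets per request, so a missed where-clause in application code still cannot cross tenants. The table, column, role and setting names (submission, company_id, cvd_app, app.company_id) are assumed for illustration.

```sql
-- Added example (not CVD Portal's own schema): PostgreSQL row-level security
-- as a database-level complement to ORM-layer companyId scoping.
-- Table, column, role and setting names are assumed for illustration.
CREATE TABLE submission (
  id         bigserial PRIMARY KEY,
  company_id bigint NOT NULL,
  title      text   NOT NULL,
  body       text   NOT NULL
);

-- Role the web application runs its queries as. It must not own the table:
-- table owners bypass RLS unless FORCE ROW LEVEL SECURITY is set.
-- In production the application's login role is granted membership in cvd_app.
CREATE ROLE cvd_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON submission TO cvd_app;
GRANT USAGE ON SEQUENCE submission_id_seq TO cvd_app;

ALTER TABLE submission ENABLE ROW LEVEL SECURITY;

-- USING filters reads, updates and deletes; WITH CHECK rejects writes that
-- would create a row for another tenant. current_setting(..., true) returns
-- NULL when the setting is absent, so a request that forgot to set the tenant
-- sees nothing and can write nothing (fail closed).
CREATE POLICY tenant_isolation ON submission
  FOR ALL
  TO cvd_app
  USING      (company_id = current_setting('app.company_id', true)::bigint)
  WITH CHECK (company_id = current_setting('app.company_id', true)::bigint);

-- Constructed sample data for two tenants, inserted as the table owner
-- (the owner is not subject to the policy).
INSERT INTO submission (company_id, title, body) VALUES
  (42, 'Reflected XSS in login form', 'constructed sample'),
  (7,  'Open redirect on logout',     'constructed sample');

-- Per request, inside the transaction that serves it, as the application role:
SET ROLE cvd_app;
BEGIN;
SET LOCAL app.company_id = '42';   -- tenant id taken from the authenticated session
SELECT id, title FROM submission;  -- only tenant 42's row is visible
INSERT INTO submission (company_id, title, body)
  VALUES (7, 'forged', 'x');       -- rejected: WITH CHECK fails for another tenant
ROLLBACK;
RESET ROLE;
```

SET LOCAL scopes the tenant id to the current transaction, so a pooled connection cannot carry one request's tenant into the next. To check the policy, run the SELECT above once with app.company_id set to 42 and once with it unset: the second returns no rows rather than every tenant's rows.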

Auditability

  • Every state-changing action writes an append-only audit log with actor, timestamp (ms precision), IP, and country.
  • Audit logs surface in the tenant dashboard and are exportable for CRA defense.
  • Database-level immutability enforcement for the audit table is on the near-term roadmap (see §Roadmap).

Operational security

  • Secrets never committed to the repository; environment-based configuration.
  • Dependency scanning in CI; Dependabot-equivalent automated update flow.
  • No production shell access outside Tailscale; deploy user scoped to application directory.

Incident response

  1. We learn of an incident via internal monitoring, tenant report, or researcher report to [email protected].
  2. A responder acknowledges within the SLA on our Security page, scopes impact, and opens an incident record.
  3. Affected tenants are notified without undue delay (and within 72 hours for personal-data breaches, per GDPR Art. 33).
  4. A post-incident write-up is published to affected tenants. Material incidents are disclosed on /status with a resolution note.

Backups & business continuity

Database backups are taken on a defined schedule and stored encrypted off the primary host. We exercise restore drills periodically. Enterprise customers can request our current RPO/RTO targets, the most recent restore test date, and our business-continuity summary under NDA via [email protected]. We are deliberately not publishing specific numbers here that we cannot continuously evidence.

On the roadmap

Items we have committed to and are tracking publicly:

  • Database-level append-only enforcement on the audit_log table (REVOKE UPDATE/DELETE + trigger).
  • GDPR lifecycle automation: DSAR export/delete endpoints and scheduled retention jobs.
  • DPA template at /legal/dpa available for enterprise customers without bespoke negotiation.
  • SOC 2 Type 1 readiness engagement.
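The Auditability section describes the audit log as append-only at the application level, and the first roadmap item names the database-level enforcement (REVOKE UPDATE/DELETE plus a trigger). The following is an added example, not CVD Portal's own migration, showing what that enforcement looks like in PostgreSQL. The column set follows the fields listed under Auditability; table, column and role names (audit_log, actor_id, cvd_app) are assumed, and EXECUTE FUNCTION assumes PostgreSQL 11 or later.

```sql
-- Added example (not CVD Portal's own migration): append-only audit_log
-- enforced at the database level with two independent layers.
-- Names are assumed; columns follow the page's actor / timestamp / IP / country list.
CREATE TABLE audit_log (
  id          bigserial      PRIMARY KEY,
  company_id  bigint         NOT NULL,
  actor_id    bigint         NOT NULL,
  action      text           NOT NULL,
  occurred_at timestamptz(3) NOT NULL DEFAULT clock_timestamp(), -- ms precision
  ip          inet,
  country     char(2)
);

-- Layer 1: privileges. The application role may insert and read, never modify.
-- Nothing is granted by default, but revoking explicitly documents the intent.
CREATE ROLE cvd_app NOLOGIN;
GRANT SELECT, INSERT ON audit_log TO cvd_app;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO cvd_app;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM cvd_app, PUBLIC;

-- Layer 2: trigger. Catches the table owner, a future over-broad GRANT, and
-- application bugs that run as a more privileged role.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only: % is not permitted', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
  BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
  BEFORE TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Constructed sample entry, written the way the application would write it.
INSERT INTO audit_log (company_id, actor_id, action, ip, country)
  VALUES (42, 1001, 'submission.status.changed', '203.0.113.10', 'NL');

-- Verification, run both as cvd_app and as the table owner: each statement
-- must raise an error, the first via Layer 1 for cvd_app and via Layer 2 for the owner.
-- UPDATE audit_log SET action = 'tampered' WHERE id = 1;
-- DELETE FROM audit_log WHERE id = 1;
-- TRUNCATE audit_log;
```

The trigger is what makes the "append-only" claim hold for roles other than the application's own; privileges alone only cover cvd_app. A superuser can still disable the trigger or drop the table, so this controls application bugs and a compromised application credential, not a hostile database administrator; the exportable copy of the logs mentioned under Auditability is the control for that case.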

Last updated 9 May 2026. For procurement questionnaires, DPAs, or security reviews, reach [email protected].