Security
Technical and Organisational Measures (Art. 32 GDPR)
Detailed dossier available under NDA
The full security architecture document – covering threat model, key-management ceremony, incident-response runbooks, and pentest summaries – is shared under a mutual NDA. Email [email protected] with subject line “Security NDA – [your company name]” and we will respond within five (5) business days with the dossier and an MNDA for countersignature.
Public summary
The summary below is the same text published in Annex II of our Data Processing Agreement.
- Access control. RBAC, least privilege, MFA, bastion host.
- Encryption. TLS 1.3 in transit, AES-256-GCM at rest, per-Subscription DEK.
- Tenant isolation. Schema-per-Subscription on Starter; Dedicated Container on Pro / Business; Dedicated VPS on Enterprise.
- Logging. Ninety (90) days, structured security-event log, Telegram alerting on anomalies.
- Change management. Version-controlled config, mandatory peer review, blue-green deploy.
- Backups. Daily encrypted; fourteen (14) day short-term and ninety (90) day long-term retention; forty-eight (48) hour point-in-time recovery.
- Vulnerability management. Weekly dependency scan, monthly patch cycle, annual third-party pentest.
- Personnel. Confidentiality obligations in all engagements, GDPR training on onboarding and annually, access revocation within twenty-four (24) hours of a role change.
- Business continuity. Documented IR plan, RTO twenty-four (24) hours on Business tier, RPO one (1) hour.
- Deletion. Within thirty (30) days of a verified Controller request.
Reporting a vulnerability
Responsible disclosure: email [email protected] with subject “Security disclosure”. We acknowledge within two (2) business days. We do not currently operate a paid bug-bounty programme; severe findings (RCE, auth bypass, data exposure) are handled with priority and we will publicly credit the researcher on request after remediation.
Sub-processors
The current authorised sub-processor list is published at ewpire.com/subprocessors and is also Annex III of the DPA. Material changes are notified fourteen (14) days in advance per DPA §4.2.