Security & operations

You entrust Verkta with sensitive data — whistleblower cases, risk assessment answers and personal data. Here is exactly how we protect it. No hand-waving, no fine print.

Hosting and infrastructure

The entire platform runs in the EU. The application is hosted on Vercel with operations in Frankfurt, the database runs on Neon in Frankfurt, and files are stored in the EU. No customer data is stored outside the EU/EEA as part of normal operations.

Subprocessors

We use four subprocessors — no more, no less: Vercel (hosting, EU/Frankfurt), Neon (database, EU/Frankfurt), Resend (transactional email) and Stripe (payments, independent controller for card data). The full list with locations and transfer mechanisms is in our data processing agreement, and changes are announced 30 days in advance.

Encryption and data security

  • All traffic is encrypted with TLS 1.2+; data is encrypted at rest by the database provider (AES-256).
  • Passwords are hashed with bcrypt. Access keys and tokens are stored as SHA-256 hashes only — never in plain text.
  • Digital signatures are sealed with a SHA-256 hash and timestamp, so documents cannot be altered afterwards.
  • Risk assessment responses are collected anonymously — no name, email or IP address.
  • Whistleblower cases are technically restricted to the users you designate, with a full activity log.

Backup and recovery

The database has continuous point-in-time recovery with Neon, so data can be restored to any moment within the retention window. Recovery is exercised as part of operations.

Data export and exit

Your data is yours. Administrators can export all company data as a single file directly from Settings at any time — without asking us first. After cancellation you can export for 90 days, after which all personal data is deleted or anonymised.

Access control and logging

  • Role-based access: administrator, user and whistleblower officer each have their own permissions.
  • Tamper-evident activity log on sensitive actions — who did what, when.
  • Rate limiting on all public entry points (reporting, signing, questionnaires).
  • Only people with a work-related need on our side can access production data, under confidentiality obligations.

Data processing agreement

Our standard DPA under GDPR article 28 is part of the terms and applies automatically to all customers. If you need a signed copy with your company details, we are happy to provide one.

Read the data processing agreement

If something goes wrong

In case of a personal data breach we notify you without undue delay and no later than 48 hours after becoming aware of it — with the information you need for any notification to your supervisory authority.

Responsible disclosure

Found a vulnerability? Write to security@verkta.com — we respond quickly and we fix quickly. See also /.well-known/security.txt.

Questions about security?

If your IT department or DPO needs more documentation, we are happy to answer vendor questionnaires and due diligence requests.