# Security
The operator-facing equivalent of what the DPA calls the "Technical and Organisational Measures" — hosting, encryption, isolation and sub-processors on a single page, so a procurement review doesn't have to scrape it out of a contract.
## Hosting region
| Component | Region | Provider |
|---|---|---|
| Application + Postgres | DE / FI (EU) | Hetzner Online GmbH |
| Edge (CDN, DNS, TLS) | Global; EU PoPs preferred | Cloudflare, Inc. |
| Object storage (backups) | EU (eu-central-1) | Amazon Web Services |
| Payments | NL (EU) | Mollie B.V. |
| iOS push | US | Apple Inc. (APNs) |
| Android push | US | Google LLC (FCM) |
Transfers to the US (Apple, Google, AWS) are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework.
## Encryption
- In transit — TLS 1.2+ at the edge, HSTS enabled with a one-year max-age. Service-to-service calls inside the platform run on a private overlay network.
- At rest — host disks use LUKS; database volumes sit on encrypted block storage. Backups in S3 use server-side encryption (SSE-S3).
- Push tokens — opaque device tokens are stored as-is in your tenant database; they are not personally identifying on their own.
## Tenant isolation
- Database-per-tenant — each tenant gets its own Postgres database, named after the tenant slug. Cross-tenant queries are physically impossible at the SQL level.
- Subdomain routing — the edge selects the database from the first label of the request `Host:` header. A request for one tenant cannot reach another tenant's data, even by accident.
- Filestore isolation — uploaded media (artist photos, venue images, sponsor logos) is laid out under `filestore/<dbname>/`, so a runtime escape from one tenant cannot read another tenant's files.
- Mobile build signing material — keystores and provisioning profiles for branded builds are fetched per-tenant from encrypted storage and never written to disk on the build runner.
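The two routing rules above (database chosen from the first `Host:` label, media confined to `filestore/<dbname>/`) are the points where tenant isolation is actually enforced, so they are worth seeing as concrete checks. The following is an added illustration, not code from the platform: the platform domain `festivals.example`, the tenant list, the `filestore` root and all function names are assumptions. It resolves a tenant strictly (exactly one label under the platform domain, a valid DNS label, a known tenant) and refuses any media path that would leave that tenant's filestore directory.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Constructed values for this example; the real platform domain and tenant
# registry are not on the page.
PLATFORM_DOMAIN = "festivals.example"
KNOWN_TENANTS = {"rockfest", "jazz-nights", "summerfair"}
FILESTORE_ROOT = Path("filestore")   # page layout: filestore/<dbname>/

# A tenant slug must be a valid DNS label: 1-63 chars of [a-z0-9-], no edge hyphen.
SLUG_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


class TenantResolutionError(Exception):
    """Raised when a Host header does not map to exactly one known tenant."""


def tenant_from_host(host: Optional[str]) -> str:
    """Return the tenant slug for a request Host header, or raise.

    Only <slug>.<PLATFORM_DOMAIN> is accepted; anything else (apex domain,
    nested labels, foreign domains, IP literals) is rejected rather than
    guessed at, so a crafted Host header cannot select another database.
    """
    if not host:
        raise TenantResolutionError("missing Host header")
    hostname = host.strip().lower()
    if hostname.startswith("["):
        raise TenantResolutionError("IPv6 literal is not a tenant host")
    hostname = hostname.rsplit(":", 1)[0].rstrip(".")   # drop port and trailing dot
    suffix = "." + PLATFORM_DOMAIN
    if not hostname.endswith(suffix):
        raise TenantResolutionError(f"{host!r} is not under {PLATFORM_DOMAIN}")
    slug = hostname[: -len(suffix)]          # the first label, as the page describes
    if "." in slug or not SLUG_RE.match(slug):
        raise TenantResolutionError(f"invalid tenant label {slug!r}")
    if slug not in KNOWN_TENANTS:
        raise TenantResolutionError(f"unknown tenant {slug!r}")
    return slug


def database_for(slug: str) -> str:
    """The page states the database is named after the tenant slug."""
    return slug


def tenant_file_path(dbname: str, relative: str) -> Path:
    """Map a user-supplied media path onto filestore/<dbname>/, refusing escapes."""
    if not SLUG_RE.match(dbname):
        raise PermissionError(f"refusing filestore lookup for {dbname!r}")
    base = (FILESTORE_ROOT / dbname).resolve()
    # resolve() normalises '..' and symlinks; an absolute `relative` replaces base entirely,
    # which the containment check below then catches.
    candidate = (base / relative).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{relative!r} escapes {base}")
    return candidate


def resolve_request(host: Optional[str], media_path: str) -> Tuple[str, Path]:
    """Full pipeline: Host header -> tenant database -> confined media path."""
    dbname = database_for(tenant_from_host(host))
    return dbname, tenant_file_path(dbname, media_path)


def host_is_rejected(host: Optional[str]) -> bool:
    try:
        tenant_from_host(host)
        return False
    except TenantResolutionError:
        return True


def path_is_rejected(dbname: str, relative: str) -> bool:
    try:
        tenant_file_path(dbname, relative)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(resolve_request("Rockfest.festivals.example:8443", "artists/headliner.jpg"))
    for bad in ["festivals.example", "evil.rockfest.festivals.example",
                "rockfest.festivals.example.attacker.test", "nope.festivals.example"]:
        print(bad, "->", "rejected" if host_is_rejected(bad) else "accepted")
    print("../jazz-nights/logo.png ->", "rejected" if path_is_rejected("rockfest", "../jazz-nights/logo.png") else "accepted")
```

The containment check is deliberately done on the resolved path rather than by string prefix, so `..` segments and symlinks inside the tenant directory cannot point outside it; the host check likewise fails closed on anything that is not exactly one known label under the platform domain.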
## Access controls
- Operator access to the production hosts is restricted to a named SSH key set; 2FA is enforced on every administrative service.
- Customer access to your back-office is managed from Settings → Users & Companies → Users. See Configuration → Roles and access for the roles and how 2FA is toggled per role.
- Push notification credentials (APNs `.p8`, FCM service-account JSON) live as per-tenant configuration entries — visible only to back-office administrators on that tenant.
## Backups
- Daily `pg_dump` of every tenant database to S3 (eu-central-1), server-side encrypted, with a 30-day retention window. Versioning enables point-in-time restore inside that window.
- Quarterly restore drill — we restore a sample tenant database to a non-production environment and assert the API surface matches the live one.
- Self-serve export — `GET /api/v1/export` produces a portable archive of your catalogue at any time (see the API reference).
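Point-in-time restore from versioned daily dumps comes down to one decision: given the version history of a tenant's dump object, which version was current at the requested instant, and is that instant still inside the 30-day window? The following is an added example, not the project's own tooling; the bucket name, the `pg_dump/<dbname>.dump` key layout, the scratch database name and the sample version history are all constructed. It selects the newest non-deleted version written at or before the restore point, refuses restore points outside the retention window, and emits the two commands a restore drill would run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

RETENTION = timedelta(days=30)       # the page's 30-day retention window
BUCKET = "example-backups-bucket"    # constructed placeholder, not the real bucket


@dataclass(frozen=True)
class ObjectVersion:
    """One entry of an S3 object's version history (fields constructed here)."""
    version_id: str
    last_modified: datetime
    is_delete_marker: bool = False


def backup_key(dbname: str) -> str:
    return f"pg_dump/{dbname}.dump"   # assumed key layout, one key per tenant database


def select_restore_version(versions: List[ObjectVersion], target: datetime,
                           now: datetime) -> ObjectVersion:
    """Newest version written at or before `target`, if `target` is inside the window."""
    if target > now:
        raise ValueError("restore point is in the future")
    if target < now - RETENTION:
        raise ValueError("restore point is older than the retention window")
    candidates = [v for v in versions
                  if not v.is_delete_marker and v.last_modified <= target]
    if not candidates:
        raise LookupError("no backup version exists at or before the restore point")
    return max(candidates, key=lambda v: v.last_modified)


def select_or_none(versions: List[ObjectVersion], target: datetime,
                   now: datetime) -> Optional[ObjectVersion]:
    try:
        return select_restore_version(versions, target, now)
    except (ValueError, LookupError):
        return None


def restore_plan(dbname: str, version: ObjectVersion, scratch_db: str) -> List[List[str]]:
    """Commands for a restore drill into a non-production database (argv lists, not executed)."""
    local = f"/tmp/{dbname}-{version.version_id}.dump"
    return [
        ["aws", "s3api", "get-object", "--bucket", BUCKET, "--key", backup_key(dbname),
         "--version-id", version.version_id, local],
        ["pg_restore", "--no-owner", "--dbname", scratch_db, local],
    ]


def constructed_versions(now: datetime, days: int = 35) -> List[ObjectVersion]:
    """Constructed sample history: one dump per day at 02:00 UTC for the last `days` days."""
    first = now.replace(hour=2, minute=0, second=0, microsecond=0)
    return [ObjectVersion(f"v{i:03d}", first - timedelta(days=i)) for i in range(days)]


if __name__ == "__main__":
    now = datetime(2024, 6, 30, 12, tzinfo=timezone.utc)
    history = constructed_versions(now)
    chosen = select_restore_version(history, datetime(2024, 6, 15, 12, tzinfo=timezone.utc), now)
    print(chosen)
    for argv in restore_plan("rockfest", chosen, "rockfest_drill"):
        print(" ".join(argv))
```

The window check runs before the version search so that a request for a date the bucket no longer covers fails with a clear message instead of silently restoring the oldest surviving dump; delete markers are skipped so a deleted-then-recreated key does not hide earlier versions.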
## Retention and deletion
- Active tenants — data is retained for the duration of the subscription.
- Suspended tenants (Mollie cancellation or admin-initiated) — the back-office goes read-only and the database stays online for 90 days, after which the tenant and its media are permanently deleted.
- Immediate deletion on request to privacy@festinato.app.
## Sub-processors
Authoritative list and purpose — see also the privacy notice.
| Provider | Purpose |
|---|---|
| Mollie B.V. | Payment processing |
| Cloudflare, Inc. | CDN + TLS termination + DNS |
| Hetzner Online GmbH | Application + Postgres hosting |
| Apple Inc. (APNs) | iOS push notification delivery |
| Google LLC (FCM) | Android push notification delivery |
| Amazon Web Services | S3 object storage for backups |
We notify Controllers at least 30 days before adding or replacing a sub-processor.
## Incident response
- Suspected security incidents are triaged within four business hours.
- Confirmed personal-data breaches are notified to affected Controllers within 72 hours of confirmation, per GDPR Art. 33.
## Reporting a vulnerability
Mail security@festinato.app. We acknowledge within two business days and prefer coordinated disclosure with a 90-day window.