Security
Last updated: 12 June 2026
FastFaktura applies technical and organisational measures proportionate to the level of risk, in accordance with Article 32 of the GDPR. This page summarises the main practices in place and is updated whenever a material change occurs.
1. Hosting and isolation
The infrastructure is hosted by Vultr Holdings LLC in the Stockholm zone (Sweden, European Union). Application data is stored in a PostgreSQL database accessible only from the private network of the server, with no public port exposed.
2. Encryption
Public traffic is served exclusively over HTTPS (TLS 1.2 minimum) via Let's Encrypt, with HSTS preload enabled. Sensitive API keys (Stripe, SMS providers) are encrypted at rest with AES-256-GCM using a master key stored outside the database. Backups are encrypted.
3. Authentication and access
User account access is protected by email OTP (6-digit code, 10-minute validity, 5 attempts maximum). The admin console is protected by username and password, IP rate limiting, origin verification to prevent CSRF, and an optional TOTP (RFC 6238) two-factor authentication.
4. Monitoring and logs
All access to sensitive endpoints, as well as admin actions, email/SMS dispatches and payments, is logged with timestamps. An automated retention policy purges the logs after a proportionate period (6 to 36 months, depending on the nature of the log) in order to comply with the GDPR storage limitation principle.
5. Backups and continuity
Databases are backed up daily. Backups are stored off-site. A recovery plan is documented internally; the target RPO is 24 hours, the target RTO is 4 hours.
6. Patch management
Software dependencies are monitored via npm audit and GitHub Dependabot. Critical vulnerabilities are addressed within 7 days, high-severity vulnerabilities within 30 days.
7. Responsible disclosure
If you discover a vulnerability, please report it in accordance with our /.well-known/security.txt file (RFC 9116). We undertake to acknowledge receipt within 5 business days and will not pursue legal action against researchers who follow reasonable disclosure rules.
8. Contact
Any security-related question may be sent to privacy@fastfaktura.io.
