Security

Last updated: 12 June 2026

FastFaktura applies technical and organisational measures proportionate to the level of risk, in accordance with Article 32 of the GDPR. This page summarises the main practices in place and is updated whenever a material change occurs.

1. Hosting and isolation

The infrastructure is hosted by Vultr Holdings LLC in the Stockholm zone (Sweden, European Union). Application data is stored in a PostgreSQL database that is reachable only over the server's private network; no database port is exposed to the public internet.

2. Encryption

Public traffic is served exclusively over HTTPS (TLS 1.2 or higher) with certificates issued by Let's Encrypt, and HSTS is enabled with the preload directive. Sensitive API keys (Stripe, SMS providers) are encrypted at rest with AES-256-GCM under a master key stored outside the database, so a copy of the database alone does not expose them. Backups are encrypted.

3. Authentication and access

Access to user accounts is protected by a one-time code sent by email (6 digits, valid for 10 minutes, at most 5 attempts). The admin console is protected by a username and password, per-IP rate limiting, request-origin verification against CSRF, and optional TOTP two-factor authentication (RFC 6238).

4. Monitoring and logs

Access to sensitive endpoints, admin actions, email and SMS dispatches and payments are all logged with timestamps. An automated retention policy purges these logs after a period proportionate to their nature (6 to 36 months), in line with the GDPR storage limitation principle.

5. Backups and continuity

Databases are backed up daily. Backups are stored off-site. A recovery plan is documented internally; the target RPO is 24 hours, the target RTO is 4 hours.

6. Patch management

Software dependencies are monitored via npm audit and GitHub Dependabot. Critical vulnerabilities are addressed within 7 days, high-severity vulnerabilities within 30 days.

7. Responsible disclosure

If you discover a vulnerability, please report it as described in our /.well-known/security.txt file (RFC 9116). We undertake to acknowledge receipt within 5 business days and will not pursue legal action against researchers who act in good faith and within those guidelines.

8. Contact

Any security-related question may be sent to privacy@fastfaktura.io.