Where your data lives
Two EU data centres: Frankfurt (DigitalOcean DE) and Amsterdam (DigitalOcean NL). Your data never leaves the EU, backups included. Replication is region-internal, so a replica never moves to a third country; not even an EU-to-EU hop occurs.
We use DigitalOcean as our infrastructure provider. They are our sub-processor under the GDPR and are listed in the sub-processor section below.
Encryption
- In transit: TLS 1.3, HSTS, no deprecated ciphers. We score A+ on the standard public TLS labs.
- At rest: AES-256 on the underlying volumes and on database backups. Per-tenant encryption at the application layer is on the roadmap; today the at-rest protection is at the infrastructure layer, which guards against loss or theft of the physical media but not against someone who already holds access to the running database.
- Secrets: all third-party tokens (Stripe, OAuth, SMTP credentials) live in our internal vault (the access-vault service), encrypted with a key that is not stored alongside the data. Operators see only a masked tail of each secret, never the full value.
Access controls
- Inside your tenant: the people you invite have the roles you give them. The default is least privilege: a new user sees nothing until you grant something.
- Two-factor: TOTP is available today. WebAuthn / passkey support ships Q3.
- Inside our team: production access is gated to two named operators (the SIA FIXCMS principals). All production actions are logged and reviewable.
- Audit log: every write into your tenant is appended to an audit trail you can read, filter, and export.
Backups & disaster recovery
- Frequency: nightly, encrypted, retained on a 30-day rolling window.
- Point-in-time: the last 7 days of write-ahead logs are retained, so a tenant-level restore to a point in time is available on request.
- Restore test: we run a full restore from cold backup at least quarterly. The last run date is available on request; we do not publish it because it changes too often for a static page.
- RTO / RPO: our internal target on a region outage is an RTO of 4 hours and an RPO of 24 hours. We do not commit to this contractually on Solo/Growth; ask us if Scale-grade SLAs matter to you.
Sub-processors
The companies we share your data with, in order to provide AIMSIF:
- DigitalOcean (EU regions only) — compute, database, object storage, DNS.
- Cloudflare (EU region) — DDoS protection, edge caching, TLS termination. They see request metadata; they do not see your stored data.
- Stripe (Ireland) — for the subscription payments we collect for AIMSIF itself. Stripe handles card data; we never store it.
- Anthropic (EU region) — when you use the AI Workspace module. We send only the context you authorise, never the underlying records in bulk.
- SendGrid (EU region) — outbound email when you opt in to the email-sendout module. Not used until your tenant turns the module on.
- Twilio (EU region) — outbound SMS when you opt in to the sms-sendout module. That module is in active development and is not enabled in any tenant yet; it is listed here for transparency about what we will be touching when it ships.
If we add a sub-processor we will email every customer 30 days in advance. Existing customers can object; if we cannot resolve the objection we will offer a migration path.
Your GDPR rights, made concrete
- Access: the audit log and the export endpoints in every module give you the full picture; no ticket needed.
- Portability: machine-readable export (JSON or CSV per module) any time, from inside the OS.
- Erasure: hit Delete in the OS. We hard-delete from the live database within 24h and from backups on the normal rolling cycle (30 days).
- Rectification: edit anything in place. The audit log records the change.
- Restriction & objection: the OS has a "freeze tenant" switch that stops all background processing while leaving your data intact.
Vulnerability disclosure
Found something? Please email [email protected] with the subject "Security report". We will reply within 48 hours. We are a small team: we do not run a paid bug bounty yet, but we will publicly credit you if you want, and we do our best to meet responsible-disclosure timelines.
If you are running an automated scan, please rate-limit yourself: aggressive scanning trips our DDoS protection and you will be rate-limited before you find anything interesting.
What we do NOT do
- We do not sell your data. We do not sell your contact list. We do not sell aggregated analytics.
- We do not train any external AI on your data.
- We do not use third-party advertising trackers on cms.lv or in the OS.
- We do not lock you in. Export is one click; delete is one click; we cannot stop you from leaving.
Reports & certifications
We are not SOC 2 / ISO 27001 certified yet: those audits are expensive and we are deliberately keeping early prices low. If certification is a procurement requirement for you, talk to us about the Scale tier; that is where it makes sense for us to invest first.
Last reviewed: 2026-05.