CoachBall

Security by design

Security is not an add-on but the starting point. Here is how we build security into every layer of our platform.

Principles: security by design

Security by design means we do not bolt security on afterwards; we build it in from the start—in architecture, development, and operations. Our principles are the same in all languages and regions: trust through transparency, prevention before reaction, and continuous improvement.

We build and operate the platform so that the availability, integrity, and confidentiality of your data are safeguarded. We use proven techniques and standards and, where possible, align with recognised frameworks such as ISO/IEC 27001, without claiming that we ourselves are fully certified.

Network architecture: how it fits together

The network is built in two layers: the edge network and the compute network. Together they provide speed, security, and scalability.

Traffic flow: Incoming requests first hit the edge network, which is distributed across many locations worldwide. Each request is routed to the nearest edge location. There it passes through DDoS mitigation and the Web Application Firewall (WAF). The response is then either served from the edge cache (for static content) or forwarded to the compute network where your application runs.

Edge caching: Static assets (e.g. CSS, JavaScript, images) are cached at the edge. This reduces load on the application and lowers latency for users. The cache is automatically purged on every deployment so that stale files are not served. You can set your own Cache-Control and Expires headers; they are respected.

Compute network: The application runs in a private network and is not directly reachable from the public internet. Access is only through the edge network. Compute is distributed across multiple availability zones (multi-AZ) for stability and fast recovery from failures. Traffic is load balanced across available instances.

Outbound traffic: Outbound requests from the platform use fixed IP addresses per region. These are available for allowlisting at firewalls, security groups, or external services your application needs to call.

Edge and network security

Traffic to and from the platform is routed through a global edge network. This enables:

  • DDoS protection at network (L3/L4) and application (L7) layers, with automatic detection and mitigation of distributed denial-of-service attacks.
  • Web Application Firewall (WAF) with rulesets aligned to the OWASP Top 10. Traffic is filtered before it reaches your application for known attack patterns and vulnerabilities.
  • SSL/TLS encryption for all connections. Optional Strict-Transport-Security (HSTS) to enforce HTTPS.
  • Security headers on every response: X-Frame-Options (against clickjacking by framing the site in an iframe), X-Content-Type-Options: nosniff (against MIME-type confusion, where a browser would otherwise guess a content type).
  • Bot management: for certain types of automated traffic (e.g. crawlers or monitoring), a JavaScript challenge can be presented; legitimate users pass through.
  • Rate limiting: limiting the number of requests per IP per time window, with actions such as challenge, throttle, or temporary block to prevent abuse. Additional restrictions can apply for repeated error responses (4xx) or rate-limit exceedance.
  • Under-attack mode: during severe L7 DDoS or suspicious traffic spikes, an extra security layer can be enabled. Visitors briefly see a verification page and must pass a JavaScript challenge; valid traffic is then allowed and suspicious or automated traffic is blocked. This mode expires automatically after a set period.
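The bullets above name three headers the edge adds (HSTS, X-Frame-Options, X-Content-Type-Options), and the edge caching section says your own Cache-Control headers are respected. The following checker is an added example, not CoachBall's code, that a team can run against the headers of a captured response to confirm the headers are present and usable and to catch the common cache mistake of letting a personalised response into a shared cache. The sample header sets at the bottom are constructed; the treatment of any HTML response as potentially user-specific is an assumption of this example.

```python
"""Response-header checks for the edge policies described above.

Added example (not CoachBall's code): verifies that a response carries the
security headers the edge is expected to add, that HSTS is usable when it is
enabled, and that personalised responses are not cacheable by a shared cache.
"""

ONE_YEAR = 31_536_000  # seconds; common recommendation for HSTS max-age


def _header_map(headers):
    """Normalise header names to lower case for case-insensitive lookup."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def _hsts_max_age(value):
    """Return the max-age directive of an HSTS header value as an int, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_security_headers(headers, require_hsts=False):
    """Return a list of findings for the three security headers; empty means OK.

    HSTS is optional on the platform, so it is only required when the caller
    says so; when present it must still carry a sensible max-age.
    """
    h = _header_map(headers)
    findings = []

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be 'nosniff', got {xcto!r}")

    # ALLOW-FROM is obsolete and ignored by current browsers, so only these two count.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append(f"X-Frame-Options should be DENY or SAMEORIGIN, got {xfo!r}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        if require_hsts:
            findings.append("missing Strict-Transport-Security")
    else:
        max_age = _hsts_max_age(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age directive")
        elif max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below one year")
    return findings


def check_cache_control(headers):
    """Flag responses a shared edge cache might store although they are personalised.

    A response that sets a cookie, or an HTML page (assumed here to be possibly
    user-specific), should declare Cache-Control: private or no-store so that
    only the user's own browser caches it.
    """
    h = _header_map(headers)
    cache_control = h.get("cache-control", "").lower()
    directives = {d.strip().split("=")[0] for d in cache_control.split(",") if d.strip()}
    is_html = h.get("content-type", "").lower().startswith("text/html")
    personalised = "set-cookie" in h or is_html
    findings = []
    if personalised and not directives & {"private", "no-store"}:
        findings.append("personalised response lacks Cache-Control: private or no-store; "
                        "a shared cache may serve it to other users")
    if "public" in directives and "set-cookie" in h:
        findings.append("Cache-Control: public combined with Set-Cookie; "
                        "the cookie-bearing response may be cached for everyone")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real deployment.
    app_page = {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": "session=example; HttpOnly; Secure",
        "Cache-Control": "public, max-age=60",
        "X-Frame-Options": "ALLOW-FROM https://example.com",
        "X-Content-Type-Options": "nosniff",
    }
    for finding in check_security_headers(app_page) + check_cache_control(app_page):
        print("finding:", finding)
```

Run the checks on the headers of a logged-in page as well as on a static asset: the static asset should legitimately be `public` with a long `max-age`, while the logged-in page should come back with no findings only once it is marked `private` or `no-store`.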
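The rate limiting and under-attack bullets describe per-IP request counting over a time window with three escalating actions (challenge, throttle or block) and extra restrictions after repeated 4xx responses. The class below is an added illustration of that decision logic, not the platform's implementation: it keeps a sliding window of request timestamps per client, escalates from allow to challenge to a temporary block as the count rises, and blocks early when a client keeps triggering 4xx responses, which is typical of enumeration or credential-guessing noise. The thresholds, the `decide`/`record_response` names and the 198.51.100.x / 203.0.113.x addresses are constructed for the example (the addresses come from the RFC 5737 documentation ranges).

```python
"""Sliding-window, per-client rate limiting with escalating actions.

Added example (not CoachBall's code). Time is passed in explicitly so the
logic is deterministic and testable without sleeping.
"""
from collections import defaultdict, deque


class EdgeRateLimiter:
    """Decide allow / challenge / block for each request from a client address."""

    def __init__(self, window=60.0, challenge_at=100, block_at=300,
                 error_block_at=20, block_for=600.0):
        self.window = window                # seconds covered by the sliding window
        self.challenge_at = challenge_at    # requests in window above which we challenge
        self.block_at = block_at            # requests in window above which we block
        self.error_block_at = error_block_at  # 4xx responses in window that trigger a block
        self.block_for = block_for          # seconds a temporary block lasts
        self.requests = defaultdict(deque)  # ip -> timestamps of recent requests
        self.errors = defaultdict(deque)    # ip -> timestamps of recent 4xx responses
        self.blocked_until = {}             # ip -> time at which the block expires

    def _prune(self, timestamps, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while timestamps and timestamps[0] <= now - self.window:
            timestamps.popleft()

    def decide(self, ip, now):
        """Return 'allow', 'challenge' or 'block' for a request arriving at `now`."""
        if self.blocked_until.get(ip, 0.0) > now:
            return "block"
        recent = self.requests[ip]
        self._prune(recent, now)
        recent.append(now)
        count = len(recent)
        if count > self.block_at:
            # Hard limit: temporary block, after which the client starts clean.
            self.blocked_until[ip] = now + self.block_for
            return "block"
        if count > self.challenge_at:
            # Soft limit: a JavaScript challenge lets real browsers through.
            return "challenge"
        return "allow"

    def record_response(self, ip, status, now):
        """Track 4xx responses; repeated client errors earn an early block."""
        if 400 <= status < 500:
            recent_errors = self.errors[ip]
            self._prune(recent_errors, now)
            recent_errors.append(now)
            if len(recent_errors) >= self.error_block_at:
                self.blocked_until[ip] = now + self.block_for
                recent_errors.clear()

    def is_blocked(self, ip, now):
        """True while a temporary block for this client is in force."""
        return self.blocked_until.get(ip, 0.0) > now


if __name__ == "__main__":
    # Constructed traffic: one client hammering the edge, one repeatedly hitting 404s.
    limiter = EdgeRateLimiter(window=60, challenge_at=5, block_at=10,
                              error_block_at=3, block_for=120)
    for t in range(12):
        print(t, limiter.decide("198.51.100.7", float(t)))
    for t in range(3):
        limiter.record_response("203.0.113.5", 404, float(t))
    print("after 4xx burst:", limiter.decide("203.0.113.5", 3.0))
```

The 4xx counter is what turns the "additional restrictions for repeated error responses" sentence into a concrete rule; keeping it separate from the request counter means a low-volume but persistently failing client is still caught.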

Application security

At the application layer we use, among other things:

  • Managed security rules that are updated for new threats, including zero-day protection where provided by the underlying services.
  • Abuse detection for leaked credentials, malicious uploads, and exposure of sensitive data.
  • Security analytics to review blocked and mitigated traffic and refine configuration.

Where possible we align with current threat intelligence and best practices so we can limit threats proactively.

Infrastructure and isolation

The application runs in a professionally managed, isolated environment. Characteristics include:

  • Dedicated infrastructure: own compute, networking, and scaling where needed, for predictable performance and no noisy neighbors.
  • Private networking: the application is only reachable via the edge network, not directly from the public internet. Connectivity to supporting services where possible over private networks, for lower latency and less exposure.
  • Static outbound IP addresses per region, for easy allowlisting, traceability, and compliance.
  • High availability with automatic failover: multiple nodes across availability zones so that failover can occur automatically in case of failure. Load balancing across all instances when scaling horizontally.

The environment is designed with compliance in mind: isolated compute, reduced attack surface, and operations following best practices.

Data protection and encryption

Personal data and other sensitive information are protected by:

  • Encryption in transit (as described above) and, where applicable, encryption at rest for stored data.
  • Strict access control and the principle of least privilege: only what is needed for the task.
  • Logging and monitoring to detect and investigate incidents.

Standards and compliance

We are familiar with ISO/IEC 27001 (information security management systems) and apply the principles and controls described there where feasible and appropriate within our architecture and service delivery—including risk management, access control, cryptography, and continuous improvement of security.

We do not claim to be fully ISO 27001 certified as an organisation; we do take the standard seriously and act in line with it where we can. For specific compliance questions (e.g. data processing agreements or audits), please contact us.

Continuous improvement

Security is not a one-off step but an ongoing process. We monitor threats, adjust configurations and rules, and use secure development and release processes. In the event of incidents we follow clear procedures for communication and recovery.

If you have questions about our approach or need more technical or legal detail, please contact us.

Compliance and trust

We are committed to a secure and compliant platform. We align with recognised frameworks without claiming that we ourselves hold all related certifications.

SOC 2 Type 2 is a framework (developed by the AICPA) that focuses on how services remain secure and protect customer data. It includes five Trust Services Categories with criteria for security, confidentiality, availability, and more. The infrastructure and processes on which the platform runs are, where applicable, designed around the same principles: Security, Confidentiality, and Availability.

ISO/IEC 27001 is the internationally recognised standard for information security management systems (ISMS). As described in the Standards and compliance section, we apply the principles and controls from it where feasible and appropriate within our architecture.

What this means for you:

  • Data security: protection of your data against unauthorized access, use, disclosure, disruption, modification, or destruction.
  • OWASP Top 10: traffic via our edge network is filtered with rulesets aligned to the OWASP Top 10 (injection, authentication, data exposure, etc.) before it reaches your application.
  • Availability: commitment to continuous operation of the platform and minimising downtime.
  • Confidentiality: maintaining the privacy of your data and preventing unauthorized access.
  • Compliance: adherence to best practices and relevant regulations where applicable.

We keep this page updated as we progress. For questions about our compliance or security, please contact us.
