🔒 Security

• In transit: TLS 1.2+ on all connections. HSTS enforced (max-age 1 year, includeSubDomains). No plaintext HTTP.
• At rest (Object Storage): AES-256 server-side encryption via Hetzner Object Storage. All data encrypted on disk by default. We do not hold the encryption keys — Hetzner manages them at the infrastructure level.
• At rest (Vector Database): Stored on encrypted block storage (Hetzner Cloud Volume). Data persisted to disk with filesystem-level encryption.
• API keys: Stored as SHA-256 hashes. We never store or log your plaintext API key. If you lose it, we cannot recover it.
• JWT tokens: HS256-signed, 24h expiry. Tokens are stateless — revoke by rotating your API key.

• Storage: Each customer gets isolated S3 credentials scoped to their buckets only. Cross-customer access is impossible at the S3 level — the reverse proxy validates bucket ownership before forwarding requests.
• Vectors: Collections are namespaced per customer ID. The API layer enforces ownership validation on every request. There is no shared namespace.
• No shared infrastructure: Your data is not co-mingled with other customers at the application layer. Each bucket is a separate Hetzner S3 bucket. Each vector collection is a separate Qdrant collection.

All customer data stored exclusively in the EU. No data replication outside EU/EEA. Hetzner is ISO 27001 certified and operates its own data centers.

• Rate limiting: 120 requests/min per IP. Prevents abuse and brute-force attacks.
• Security headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin
• CORS: Permissive (*) — this is an API service, not a web app. No credentials are sent via cookies.
• No cookies: Zero cookies, zero tracking. Authentication is token-based only.

• Backups: Database backed up daily (automated cron). Object storage uses Hetzner's built-in redundancy (3x replication).
• Updates: Automatic security updates enabled on the host OS (Ubuntu).
• Access: SSH key-only authentication. No password login. Single operator access.
• Logging: Access logs retained 30 days. No customer content is logged. IP addresses logged for security only.
• Monitoring: Service health monitored continuously. Status page at /status.

• 🚫 We do not read, scan, or analyze your stored data
• 🚫 We do not use customer data for training or analytics
• 🚫 We do not sell, share, or provide data to third parties
• 🚫 We do not track usage patterns beyond billing counters
• 🚫 We do not require personal information — a working email is all we need

We believe in transparency. Here's what we don't have yet:

• No SOC 2 or ISO 27001 certification for eustore.dev itself. Our infrastructure provider (Hetzner) is certified. We plan to pursue certification when scale justifies the cost.
• No SLA with financial backing. Our uptime target is 99.9%, but we don't currently offer SLA credits. See Terms §7.
• Single-operator service. AI BOLLINGMO is a sole proprietorship (ENK). There is one human responsible. This means fast decisions but also single-point-of-failure risk for the business entity.
• No client-side encryption. We encrypt at rest and in transit, but we don't offer customer-managed encryption keys (CMEK) yet. If you need this, encrypt before upload.
• No bug bounty program. If you find a vulnerability, please email security@eustore.dev. We will respond within 48 hours.

Found a security issue? Email security@eustore.dev.

• We will acknowledge within 48 hours
• We will not take legal action against good-faith security researchers
• We will credit you publicly (if desired) after the fix is deployed

AI BOLLINGMO
Enkeltpersonforetak (sole proprietorship), Norway
Monstadvegen 22, 7170 Åfjord, Norway
Org.nr.: [ORG_NR] (registration pending)

Security: security@eustore.dev
Legal: legal@eustore.dev
Privacy: privacy@eustore.dev