Security at DORA GRC

We help financial entities manage operational resilience. Our own security reflects the same standards we help you meet.

TLS 1.3 Encryption
EU Data Residency
AES-256 at Rest
Full Audit Trail

🔒 Encryption

  • TLS 1.3 for all data in transit — no fallback to older protocols
  • AES-256-GCM authenticated encryption for sensitive fields at rest (MFA secrets, webhook credentials, API keys)
  • PBKDF2-SHA256 password hashing with 310,000 iterations and unique per-user salts (OWASP 2023)
  • Constant-time cryptographic comparisons to prevent timing side-channel attacks
  • Automatic hash upgrades — legacy passwords re-hashed on login without user action

👤 Authentication

  • HttpOnly, Secure, SameSite=Strict session cookies — not accessible to JavaScript
  • Multi-factor authentication (TOTP) with encrypted secret storage and single-use backup codes
  • Microsoft Entra ID (Azure AD) SSO with PKCE OAuth 2.0 flow
  • Brute-force protection: 5 attempts per IP, 10 per username in 15-minute window
  • Session idle timeout (15 min) and absolute timeout (1 hour)
  • Secure password reset with time-limited, single-use tokens and SHA-256 token hashing

👥 Access Control

  • Role-based access control (RBAC) with four roles: superadmin, admin, analyst, viewer
  • 16 granular permission keys covering all DORA pillars and administrative functions
  • Privilege escalation safeguards — custom permissions merge with role floor, never override upward
  • Page-level and API-level permission enforcement
  • Multi-tenant isolation — per-tenant database queries prevent cross-tenant data access

🛡 Application Security

  • Content Security Policy (CSP) on all pages, with strict rules for the application dashboard
  • HTTP Strict Transport Security (HSTS) enforced with 63-day max-age
  • X-Frame-Options: DENY to prevent clickjacking
  • X-Content-Type-Options: nosniff to prevent MIME sniffing
  • HTML sanitisation for user-generated content — blocks scripts, event handlers, dangerous URIs
  • CORS allowlist with per-request validation
  • 4-layer CSRF defence: SameSite cookies, CORS, Content-Type enforcement, cookie-only auth

👁 Monitoring & Audit

  • Timestamped, user-attributed audit trail for every data modification
  • Audit logs retained for a minimum of 5 years (DORA compliance)
  • Failed login tracking with IP address and User-Agent for security investigation
  • Real-time error monitoring via Sentry with PII automatically stripped before transmission
  • Uptime monitoring via Betterstack with instant alerting
  • SHA-256 hash verification on all uploaded files for integrity assurance

🌎 Data Residency & Privacy

  • All customer data stored within the EU on Cloudflare's European infrastructure
  • Built in Norway — subject to Norwegian and EU data protection law
  • GDPR-compliant processing with published Data Processing Agreement
  • No advertising, no data selling, no third-party data acquisition
  • Analytics (GA4) consent-based only — blocked by default until user opts in
  • Full data export (JSON, CSV) and secure deletion available on request

Infrastructure Architecture

  • Edge: Cloudflare CDN. Global distribution, DDoS protection, WAF, TLS termination
  • Compute: Workers (V8 isolates). Serverless, no shared memory between tenants, auto-scaling
  • Database: D1 (SQLite). EU-located, encrypted at rest, automated backups
  • Storage: R2 Object Storage. EU-located, S3-compatible, SHA-256 verified uploads
  • AI: Workers AI. On-platform inference, no external API calls, data stays in Cloudflare

Compliance Alignment

Our security practices are designed to align with the frameworks our customers are required to follow.

🏙 DORA (EU 2022/2554)

Our platform is purpose-built for DORA. Our own operational resilience follows the same principles: audit trails, access controls, incident response, and third-party oversight.

🔐 GDPR (EU 2016/679)

Data processing in accordance with GDPR. Published DPA with Annex C technical measures. Data subject rights supported via built-in export tools. EU data residency.

🛠 ISO 27001 Aligned

Security controls follow ISO 27001/27002 best practices: access management, cryptography, operations security, communications security, and supplier relationships.

📋 OWASP Guidelines

Application security follows OWASP Top 10 recommendations. Password hashing meets OWASP 2023 iteration guidelines. Input validation and output encoding throughout.

Frequently Asked Questions

Where is my data stored?
All customer data is stored within the European Union on Cloudflare's infrastructure. The database (D1) and file storage (R2) are EU-located. We do not replicate customer data outside the EU/EEA.

Who has access to my data?
Only your organisation's Authorised Users can access your data, governed by the RBAC roles you assign. Our team has limited infrastructure access for operational purposes, subject to confidentiality obligations and least-privilege principles. We never access customer data for non-operational purposes.

Do you have a Data Processing Agreement?
Yes. Our DPA is publicly available and covers all GDPR Article 28 requirements, including sub-processor lists, technical measures, breach notification procedures, and audit rights.

What happens if there is a security incident?
We notify affected customers within 36 hours of becoming aware of a data breach, well inside the GDPR 72-hour requirement, so that you have time to notify your supervisory authority. We provide full details including scope, impact, and remediation steps.

Can I export my data?
Yes. The platform provides full data export in JSON and CSV formats at any time. Upon termination, data is available for export for 30 days, after which it is securely deleted within 90 days.

Do you support MFA and SSO?
Yes. We support TOTP-based multi-factor authentication for all users, with encrypted secret storage and single-use backup codes. Microsoft Entra ID (Azure AD) SSO is available for organisations using Microsoft identity.

Is the AI processing secure?
AI-assisted features (incident classification, contract review) run on Cloudflare Workers AI: the inference happens within Cloudflare's infrastructure, not via external APIs. Your data is not sent to third-party AI providers and is not used to train models.

Do you perform penetration testing?
We conduct regular security assessments of our platform. Customers on the Enterprise tier may request penetration test reports. If you discover a vulnerability, please report it to [email protected].

Questions about security?

We're happy to discuss our security practices in detail with your procurement and IT teams.