Security & GDPR

How we protect your data.

Self-hosted on a single Hetzner VPS in Germany. TLS 1.3 everywhere, age-encrypted backups, role-based access, full GDPR rights. No third-party identity provider, no warehouse, no broker.

TLS 1.3 · GDPR-compliant · Latvia VID-registered · Self-hosted · Encrypted backups

Encryption

Data encryption — in transit, at rest, and on backup.

Every request between your browser and our servers runs over TLS 1.3. Older protocols are disabled. HSTS is on with a 12-month policy. Caddy reverse-proxies all of our traffic and rotates certificates from Let's Encrypt every 60 days.

Postgres lives on the same VPS as the application — no public port. At rest, the database disk is on encrypted Hetzner cloud storage. Backups are encrypted with age before they are uploaded off-host to Hetzner Storage Box.

Access controls

Who can see what.

Customer accounts use Auth.js (NextAuth v5) with an email magic link as the primary sign-in. No password is required by default; customers who prefer one can set a long passphrase, which is hashed with Argon2id.

Admin access requires the same magic-link plus a second factor (TOTP). We enforce role-based access: customer, operator, admin. Operators never see another customer's data. Admins can, and every read is audit-logged.

Backups

Daily, encrypted, off-host.

Postgres is dumped daily and uploaded — already age-encrypted — to Hetzner Storage Box. Retention follows a 7-day + 4-week + 6-month ladder, so we can restore from yesterday, last month, or six months ago.

We test restores monthly. A backup is not a backup until you've actually restored from it once.
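
The 7-day + 4-week + 6-month ladder above, worked through as an added example (not the project's own backup script): given a Storage Box listing of age-encrypted dumps, decide which to keep and which are safe to prune. It assumes a constructed naming convention of db-YYYY-MM-DD.sql.age and a fixed "today"; the pg_dump, age and upload steps themselves are outside the block.

```python
"""Retention ladder for age-encrypted Postgres dumps: 7 dailies + 4 weeklies + 6 monthlies."""
import re
from datetime import date, timedelta

# Dumps are assumed to be named db-YYYY-MM-DD.sql.age (a constructed convention, not the site's).
NAME_RE = re.compile(r"^db-(\d{4})-(\d{2})-(\d{2})\.sql\.age$")
TODAY = date(2024, 5, 17)  # constructed reference date so the example is reproducible

def parse_backup_date(name):
    """Date encoded in a dump name, or None for anything that is not one of our dumps."""
    m = NAME_RE.match(name)
    try:
        return date(int(m[1]), int(m[2]), int(m[3])) if m else None
    except ValueError:  # e.g. db-2024-02-30.sql.age
        return None

def months_back(today, n):
    """(year, month) keys for the current month and the n-1 months before it."""
    keys, y, m = set(), today.year, today.month
    for _ in range(n):
        keys.add((y, m))
        y, m = (y, m - 1) if m > 1 else (y - 1, 12)
    return keys

def select_keep(names, today, daily=7, weekly=4, monthly=6):
    """Names to retain: every dump from the last `daily` days, plus the newest dump in
    each of the last `weekly` ISO weeks and each of the last `monthly` calendar months."""
    dated = sorted((d, n) for n in names if (d := parse_backup_date(n)) and d <= today)
    keep = {n for d, n in dated if d >= today - timedelta(days=daily - 1)}
    weeks = {(today - timedelta(weeks=i)).isocalendar()[:2] for i in range(weekly)}
    months = months_back(today, monthly)
    newest_in_week, newest_in_month = {}, {}
    for d, n in dated:  # ascending, so the last write per bucket is the newest dump
        if d.isocalendar()[:2] in weeks:
            newest_in_week[d.isocalendar()[:2]] = n
        if (d.year, d.month) in months:
            newest_in_month[(d.year, d.month)] = n
    return keep | set(newest_in_week.values()) | set(newest_in_month.values())

def select_prune(names, today):
    """Dumps safe to delete: recognised dumps not selected by the ladder. Unrecognised
    objects are never pruned, so a naming slip cannot wipe the whole Storage Box."""
    keep = select_keep(names, today)
    return {n for n in names if parse_backup_date(n) and n not in keep}

def sample_listing(today=TODAY, days=200):
    """Constructed listing: one dump per day for `days` days ending today."""
    return [f"db-{today - timedelta(days=i):%Y-%m-%d}.sql.age" for i in range(days)]
```

With 200 consecutive daily dumps the ladder retains 14 objects: seven dailies, two extra week-end dumps, and five extra month-end dumps, the rest overlapping.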

GDPR rights

Your rights as a data subject.

Under the GDPR, you can ask us to give you a copy of your data, fix something we have wrong, port your data elsewhere in a machine-readable format, or erase your account. We respond inside the 30-day window the law requires — usually within 72 hours.

Subprocessors

Companies that touch your data, and what they do.

  • Hetzner Online GmbH (Germany) — VPS hosting and Storage Box for encrypted backups.
  • Stripe Payments Europe Ltd (Ireland) — subscription billing. We never see your full card number.
  • Transactional SMTP — TBD (Brevo free tier likely) — one-off emails (magic-links, receipts, filing confirmations).
  • Plausible Analytics (self-hosted) — anonymous, cookieless page-view counts. No personal data leaves our VPS.

Incident response

What happens if something goes wrong.

Uptime Kuma checks every service every 60 seconds. On-call rotation is one phone, one number. If something breaks, we triage within 30 minutes during working hours, four hours outside them.

If a security incident affects your data, we will tell you directly — by email and by WhatsApp — inside the 72-hour GDPR notification window. We will also tell you what we have done, and what you should do next.

Responsible disclosure

Found a vulnerability?

We welcome reports from security researchers. Email security@rozofinance.com (TBD until launch) with a description and reproduction steps. We acknowledge inside one working day and aim to fix critical issues within 30 days.

Please do not run automated scans against production. We will publish a formal disclosure policy alongside launch.