Security
Last updated: March 12, 2026
1. About This Page
This page describes the security practices and technical controls in place for both our marketing website at omnitrex.eu and the Omnitrex GRC platform at app.omnitrex.eu.
For details on personal data processing, legal bases, sub-processors, cookies, and your rights under GDPR, see our Privacy Notice.
2. Infrastructure & Hosting
- Website: hosted on Vercel, EU regions preferred, delivered via global edge network
- Platform database: PostgreSQL on Neon (Frankfurt, AWS eu-central-1); TLS is required for every database connection
- File storage: Cloudflare R2 (EU)
- Error monitoring: Sentry, EU data center (Frankfurt, de.sentry.io)
All primary data storage and processing takes place within the European Union.
3. Encryption
| Layer | Standard | Details |
|---|---|---|
| In transit | TLS 1.3 | All connections to omnitrex.eu and app.omnitrex.eu |
| At rest (database) | Provider-managed encryption | Neon PostgreSQL with encryption at rest |
| At rest (application) | AES-256-GCM | Envelope encryption with per-tenant keys for sensitive PII fields |
| At rest (file storage) | Provider-managed encryption | Cloudflare R2 server-side encryption |
| Password hashing | bcrypt (cost factor 12) | Adaptive, salted hashing; the cost factor can be raised as hardware gets faster |
| Token storage | SHA-256 | Refresh tokens, password reset tokens and email verification tokens are persisted only as SHA-256 digests; the plaintext token is never stored |
4. Authentication & Access Control
- Password requirements: minimum 8 characters, uppercase, lowercase, number, special character
- OAuth single sign-on: Google and Microsoft supported
- Session management: JWT access tokens valid for 1 hour, refresh tokens valid for 7 days; tokens are delivered in HttpOnly, Secure, SameSite cookies
- Role-based access control (RBAC): Admin, Editor, Viewer roles with domain-level permission scoping
- API key authentication: scoped permissions (read/write per resource), bcrypt-hashed storage, usage tracking
We do not currently offer multi-factor authentication (MFA). This is on our security roadmap.
5. Application Security
- Security headers: Content Security Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), strict Referrer-Policy, Permissions-Policy (camera, microphone, geolocation disabled)
- Backend protection: Helmet.js middleware sets security headers on all API responses
- CORS: strict origin allow-list; credentialed (cookie-bearing) cross-origin requests are accepted only from allow-listed origins
- Bot protection: honeypot fields on public forms
- Input validation: Zod schema validation on all API inputs
Rate Limiting
| Endpoint | Limit | Window |
|---|---|---|
| Login | 5 attempts | 15 minutes |
| Registration | 3 attempts | 1 hour |
| Contact form (website) | 3 submissions | 1 hour |
| General API | 100 requests | 1 minute |
| API key | 60 requests | 1 minute |
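To make the table concrete, here is an added sliding-window limiter configured with exactly those five buckets; it is example code written for this page, not the platform's implementation, and the class name, the choice of client IP or API key id as the limit key, and the response headers are assumptions. Unlike a fixed window, a sliding window does not allow a client to double its burst by straddling a window boundary.

```javascript
// Added example (not Omnitrex code): sliding-window rate limiter using the
// limits from the table above. In-memory; a shared store is needed across
// multiple instances.
const LIMITS = {
  login:        { max: 5,   windowMs: 15 * 60 * 1000 },
  registration: { max: 3,   windowMs: 60 * 60 * 1000 },
  contact:      { max: 3,   windowMs: 60 * 60 * 1000 },
  api:          { max: 100, windowMs: 60 * 1000 },
  apiKey:       { max: 60,  windowMs: 60 * 1000 },
};

class SlidingWindowLimiter {
  constructor(limits = LIMITS) { this.limits = limits; this.log = new Map(); }

  // Record one request for (bucket, key) at time `now` (ms). Rejected requests
  // are not recorded, so a blocked client's window does not keep extending.
  hit(bucket, key, now) {
    const limit = this.limits[bucket];
    if (!limit) throw new Error(`no limit configured for bucket "${bucket}"`);
    const id = `${bucket}:${key}`;
    const recent = (this.log.get(id) || []).filter((t) => now - t < limit.windowMs);
    if (recent.length >= limit.max) {
      this.log.set(id, recent);
      const retryAfterSec = Math.ceil((recent[0] + limit.windowMs - now) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    recent.push(now);
    this.log.set(id, recent);
    return { allowed: true, remaining: limit.max - recent.length, retryAfterSec: 0 };
  }
}

// Headers to attach to the response (IETF draft RateLimit fields plus Retry-After).
function limitHeaders(bucket, result, limits = LIMITS) {
  const h = {
    'RateLimit-Limit': String(limits[bucket].max),
    'RateLimit-Remaining': String(result.remaining),
  };
  if (!result.allowed) h['Retry-After'] = String(result.retryAfterSec);
  return h;
}

// Six login attempts from one constructed address (TEST-NET-3), then checks that
// other clients and other buckets are independent and that the window slides.
function demo() {
  const rl = new SlidingWindowLimiter();
  const t0 = Date.parse('2026-03-12T10:00:00Z');
  const ip = '203.0.113.7';
  const attempts = [];
  for (let i = 0; i < 6; i++) attempts.push(rl.hit('login', ip, t0 + i * 1000).allowed);
  const stillBlocked = rl.hit('login', ip, t0 + 6000);
  const otherClient = rl.hit('login', '203.0.113.8', t0 + 6000).allowed;
  const registration = rl.hit('registration', ip, t0 + 6000).allowed;
  const afterWindow = rl.hit('login', ip, t0 + 15 * 60 * 1000).allowed; // first hit aged out
  return { attempts, stillBlocked, headers: limitHeaders('login', stillBlocked), otherClient, registration, afterWindow };
}
```

For the login bucket, failed attempts are what matter; keying on IP alone lets one attacker lock a shared NAT out and lets a distributed attacker stay under the limit per address, so keying on the target account as well is the usual refinement.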
6. Audit Logging
- Every node change logged with: action, field, old/new values, user, IP address, user agent, timestamp
- AI-generated changes tracked with model and session identifiers
- API key usage logged per-request with daily aggregation
- User lifecycle events: creation, login, password changes, account deletion
7. Data Protection & GDPR
- GDPR compliant: processing in accordance with GDPR requirements
- Data export: users can request a full export of their personal data (Art. 15)
- Account deletion: soft delete with 30-day grace period, then permanent removal
- Email verification: required within 48 hours of registration
- Working towards ISO 27001: our 12-month security program is aligned with ISO 27001 Annex A controls
For full details on data processing, legal bases, sub-processors, and your rights, see our Privacy Notice.
8. Business Continuity
- Database: Neon PostgreSQL with built-in point-in-time recovery
- File storage: Cloudflare R2 with built-in redundancy
- Deployment: zero-downtime deployments via Vercel
- Health monitoring: automated health checks on all services
9. Open Source Transparency
- The Omnitrex GRC platform is source-available under BUSL-1.1
- Security-relevant code can be independently audited
- We welcome community review of our security implementations
- See our GitHub repository for full source code
10. Security Headers (Website)
| Header | Value | Purpose |
|---|---|---|
| X-Frame-Options | DENY | Prevent clickjacking |
| X-Content-Type-Options | nosniff | Prevent MIME sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Control referrer information |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Disable sensitive browser APIs |
| Content-Security-Policy | Restrictive policy with nonce-based scripts | Prevent XSS and injection |
11. Responsible Disclosure
We welcome responsible disclosure of potential vulnerabilities. If you discover a security issue, please contact us at info@omnitrex.eu.
12. Contact
Security questions: info@omnitrex.eu
Contact form: omnitrex.eu/contact (select "Technical Inquiry")
Privacy matters: see our Privacy Notice