TRUST CENTER

Security, transparently.

A page for security and procurement teams evaluating DataNostro as a vendor. You'll find the architecture, sub-processors, GDPR and compliance status, retention rules, incident response, and pre-filled answers to SIG-Lite. No marketing phrases, no promises we don't yet keep.


Current status (live)

  • Operational status: All operational (measured by an automatic health-check every 60s)
  • Data residency: EU / EEA (EU Tier III data center, Germany)
  • Encryption in transit: TLS 1.2 / 1.3 (Let's Encrypt + HSTS, A+ on SSL Labs)
  • Encryption at rest: LUKS / AES-256 (disk-level on all nodes + Postgres)

Compliance status — what we have and what we don't

We'll say it plainly: we're a Czech sole trader with a small team, so formal audits are expensive and still planned. If your procurement process requires a specific cert, let us know — we'll either sort it out or honestly say that we can't meet your prospect's bar.

| Standard | Status | Detail |
| GDPR (EU 2016/679) | ✓ Active | GDPR page · DPA |
| Standard Contractual Clauses (SCC EU 2021) | ✓ Modules 2+3 signed | Only for Cloudflare as a sub-processor; the rest in the EU/EEA |
| ISO 27001 | ✓ Inherited | The hosting layer is ISO 27001 + 9001 certified |
| ISO 27001 (DataNostro) | Planned | Target date Q4 2026, selecting a CAB in the Czech Republic (CQS / BSI Czech / TÜV NORD CZ) in progress |
| SOC 2 Type I / II | — We don't have it | If your procurement process explicitly requires SOC 2, tell us: we'll either speed it up or recommend another vendor |
| PCI DSS | ✓ N/A | We don't process payment cards (bank transfers) |
| HIPAA / BAA | — Not supported | Don't use for healthcare data; see the DPA, Art. 4 (special categories) |
| Schrems II | ✓ Compliance ensured | Tracking-pipeline data never leaves the EU; Cloudflare only for the main domain, under SCC |

Security architecture

High-level. A detailed whitepaper is available on request under NDA for Enterprise clients.

Network isolation

  • Per-tenant Docker network namespaces + iptables
  • No access between sGTM containers
  • Nginx reverse proxy with rate-limiting per IP and per tenant
  • Only 80/443 exposed publicly, everything else behind a firewall

Encryption

  • In transit: TLS 1.2 / 1.3, Let's Encrypt auto-renewal, HSTS
  • At rest: LUKS disk encryption
  • DB: PostgreSQL on an encrypted disk, no application-level fields
  • Platform API keys: Fernet symmetric encryption in the DB, keys in the env

Authentication and access

  • PBKDF2-SHA256 password hashing (Django default, 600k iterations)
  • MFA / TOTP optional for every user
  • 14-day session timeout, separate API keys with manual rotation (per-tenant Owner)
  • RBAC: Owner / Admin / Member / Viewer per tenant
  • SSO (SAML 2.0) for the Enterprise plan

Logging and audit

  • An append-only audit log of all privileged actions (90-day retention)
  • Real-time event capture (15 days) for debugging
  • Health-check + capacity monitoring with email alerting
  • No PII in application logs (sanitized)

Data processing — what, where, how long

Concrete answers for the vendor questionnaire. If something's missing, write to us — we'll add it.

  • What data we process: Tracking data sent from the browsers of the customer's end users (page_view, purchase, etc.): IP, user-agent, cookie ID, order value, cart items. No credit cards, no sensitive personal data (Art. 9 GDPR).
  • Where the data resides: EU only, in an EU Tier III data center (Germany). No transfer outside the EU/EEA for the tracking pipeline.
  • How long we keep data: Raw tracking traffic: not stored (proxied to the target platforms). Event capture for debugging: 15 days. Aggregated statistics (request log per hour): 24 months. Invoices: 5 years under § 35 of Act No. 563/1991 Coll.
  • Data deletion on request: Self-service: /dashboard/nastaveni/ → Cancel account. Deletion happens within 30 days (a legal obligation). Invoices remain under § 35 of Act No. 563/1991 Coll.
  • Data export: A self-service ZIP export from /dashboard/export/ covering the entire tenant configuration, events, GTM workspace JSON, invoices. No support ticket, anytime.
  • Sub-processors: An EU Tier III data center (Germany), Cloudflare Inc. (USA, only the main domain datanostro.com), Seznam.cz a.s. (CZ, outbound transactional SMTP). The full list including company IDs and safeguards is in the DPA.
  • Backups and DR: A daily pg_dump to a second EU region, 30-day retention, restore tested monthly. RPO 24h, RTO 4h for a full restore.
  • Continuity if DataNostro ends: sGTM containers are standard Google images, the GTM workspace is standard JSON. Migration to any other managed host, your own server, or the cloud takes hours. For the Enterprise plan, source-code escrow via a notary; see the contract.

Incident response and notification obligations

  • Detection

    Health-check every 60s, capacity alerts on a sustained breach (CPU/mem/disk/PG/queue), real-time error monitoring.

  • Escalation

    Alert email → founder (8/5, typically < 30 min response; outside business hours < 2h).

  • Notification under Art. 33 GDPR

    The ÚOOÚ within 72 h of detection. The Client (Controller) without delay once the scope is confirmed, max within 48 h.

  • Public communication

    A status update on /status/ + an email to all affected tenants. A post-mortem within 14 days for significant incidents.

Vulnerability reporting

We don't have a bug bounty yet, but we do have responsible disclosure.

  • Send reports to [email protected], ideally PGP-encrypted (key on request).
  • A response within 48 h, a fix according to severity (critical < 7 days, high < 30 days, medium < 90 days).
  • No legal action against researchers who comply: don't damage data, don't use social engineering, don't disclose until the fix + 30 days.
  • We'll set up a Hall of Fame with the first valid finding; until then, just a thank-you by email.

Pre-prepared answers (SIG-Lite excerpt)

A selection of the most-asked questions from the vendor questionnaire (Shared Assessments SIG-Lite).

A. Risk management — do you have an ISMS in place?

Not a formal ISO 27001-certified ISMS yet — we plan it for Q4 2026. We operate a documented internal security framework (the technical and organizational measures under Art. 32 GDPR), described in the DPA. We review risks quarterly; documentation is available on request under NDA.

B. Asset management — who has access to the production systems?

Only the founder (Jan Malatinský). SSH keys with a passphrase, MFA into the admin interface, an audit log of all privileged actions (append-only, 90-day retention). No third-party support has root access to tenant data.

C. Network security — segmentation, firewalls, DDoS?

Per-tenant Docker network namespaces, an iptables firewall, only 80/443 exposed publicly, everything else behind a cloud firewall. DDoS protection via Cloudflare on the main domain. Rate-limiting per IP and per tenant at the nginx layer.

D. Application security — code review, SAST, dependency scan?

All code is reviewed before merge. Dependabot for security updates of critical dependencies. Static analysis via pre-commit hooks. A penetration test is planned for 2026 Q4 (after ISO 27001 readiness). An external pen-test on request for Enterprise.

E. Vulnerability management — patching, CVE response?

Auto-patching of the OS via unattended-upgrades. Dependencies via Dependabot with a weekly review. We address critical CVEs within 7 days, high within 30 days. The procedures are described in the "Vulnerability reporting" section above.

F. Business continuity — RTO, RPO, DR test?

RPO 24h (daily pg_dump), RTO 4h for a full DB restore. The DR runbook is tested monthly. Backups to a second EU region, 30-day retention (daily) + a monthly offline copy. The full DR plan is available under NDA.

G. Insurance — do you have liability insurance?

The contractual liability cap is set out in the main Terms (Art. 19) and the DPA. A standard liability policy for a sole trader and separate cyber-insurance are an open item on our side — if your procurement process requires specific coverage, tell us the parameters and we'll agree it in the contract.

A question that's missing here?

If your security team needs a specific answer, document, or NDA-protected whitepaper, write directly. A response typically within one working day.

[email protected] [email protected]