The security of your data is the foundation of the Vaivatta service. This page explains, in plain language, how we protect the service, where your data lives, and how we prepare for incidents.
Where your data lives
All Vaivatta core systems and customer data live in Hetzner Online GmbH's Helsinki data centre in Tuusula. Your data never leaves the EU/EEA — not even in backups or analytics.
Hetzner Data Center Park Helsinki, Huurrekuja 10, 04360 Tuusula
Encryption
- In transit: all connections are encrypted with TLS 1.3
- At rest: server disks are encrypted — physical disk theft would not expose your data
- Passwords: your own credentials are stored hashed (Argon2id) — we cannot read them
- Per-customer credentials: stored in your organisation's Passbolt vault, which we may access only in a controlled way to perform contracted tasks
Access control
- Production access is restricted to a small named core team
- Administrative access always requires two-factor authentication (TOTP or hardware key)
- Permissions are granted on a least-privilege basis and reviewed annually
- All production access is logged — on request we'll send a summary of access events affecting your organisation
Monitoring and logging
- Service health is monitored 24/7 by automated checks
- Security-relevant events — sign-ins, permission changes, contract-level actions — are written to an auditable log
- Logs are retained for 12 months and reviewed in incident response
- Alerts on anomalies are routed to the on-call engineer
Updates and vulnerabilities
- Security updates are deployed promptly — critical ones within 24 hours of release
- Dependencies are scanned automatically for known vulnerabilities on every release
- Regular security and code reviews are part of the development process
Backups
Database and file-level backups are part of your service contract. Backup frequency (e.g. daily or more often), retention period, and restore time are written into your contract. Backups are stored encrypted in a second EU location so a single data-centre incident can't compromise recovery.
Incident response
If we detect a security incident that may affect your personal data, we'll notify you without undue delay — within 72 hours of detection at the latest, in line with GDPR. The notice will describe what happened, an impact assessment, what we've already done, and a contact for follow-up questions.
Our service providers
We use the following trusted providers to deliver the service. All of them process data inside the EU.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server capacity and storage | Finland (Tuusula) |
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) |
| Meta Platforms Ireland Ltd. | Customer messaging via the WhatsApp Business API | Ireland (EU) |
| Cloudflare, Inc. (R2) | Media storage | EU region |
| Twilio Sendgrid Ireland | Outbound email | Ireland (EU) |
The current subprocessor list is always available in our Data Processing Agreement. Mosparo (bot protection) and the per-customer Passbolt vault run on our own infrastructure inside Hetzner — they are not separate subprocessors.
Your part
Security is a shared responsibility. You can help by:
- Using a strong, unique password for your Vaivatta account
- Not sharing sign-in links or credentials with others
- Enabling two-factor authentication as soon as it becomes available
- Letting us know immediately if you suspect your account has been compromised
Reporting security issues
If you spot a security issue or vulnerability in our service, please report it to us right away. We treat security reports as a priority and keep the reporter informed about remediation.
- Security reports: [email protected]
Standards
Our security practices are designed around the control categories of ISO/IEC 27001. We are not currently certified, but we apply the standard's principles across our development and operations.