Security and compliance at Secfix

Effective date: June 9, 2026

Protecting personal and customer confidential information is our top priority. Out of duty to our customers and in line with our business ethics and values, we do not compromise or cut corners on data security. As part of that commitment, we operate with the utmost transparency. The following overview provides a high-level look at the security practices we have in place; they evolve continuously.

This page summarizes how we protect customer data. For the underlying evidence (certificates, audit reports, the sub-processor list, security policies, and real-time control status), visit our Trust Center.

Certifications and compliance

Framework, status, and where the evidence is:

  • ISO/IEC 27001:2022: Certified. Certificate available in the Trust Center.
  • SOC 2 Type II: Audited. Report available under NDA via the Trust Center.
  • TISAX: Assessment Level 2 (AL2) label. Participant data available via the ENX Portal.
  • GDPR: Compliant. Records of Processing, DPA, and sub-processor list available.

Our GDPR program is governed by an internal Data Protection Officer and reviewed as part of our ISO 27001 ISMS.

To request audit reports, completed CAIQ, SIG, or vendor security questionnaires, contact security@secfix.com or use the access request feature in our Trust Center.

Data residency and hosting

Secfix is built in Germany and operates exclusively on European cloud infrastructure. Customer data is stored and processed within the EU. We do not transfer customer data outside the EEA without a documented legal basis (Standard Contractual Clauses or equivalent), which is disclosed in our sub-processor list.

Our cloud providers maintain independent attestations against ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3, PCI DSS, and C5 (BSI). We do not operate our own data centers, routers, DNS, or load balancers.

Encryption

  • In transit: TLS 1.2 or higher for all client-to-service and service-to-service communication. HSTS enforced on web endpoints. Refer to our public SSL Labs report linked in the Trust Center.
  • At rest: AES-256 for stored data; volume- and database-level encryption enabled by default. Backups are encrypted with the same standard.
  • Key management: Keys are managed in our cloud provider's KMS with separation of duties between key custodians and data administrators. Customer-managed keys are available on enterprise plans.

Application security

We treat the application layer as our highest-risk surface.

  • Secure SDLC. Security requirements are defined at design, code is peer-reviewed before merge, and deployment requires automated checks to pass. Threat modeling is conducted for new services and material changes.
  • Static and dynamic analysis. Every pull request is scanned with SAST for defects in our own code and with software composition analysis (SCA) for known vulnerabilities in dependencies. Production endpoints are scanned with DAST on a recurring schedule.
  • Dependency management. Vulnerable dependencies are patched on a defined SLA based on CVSS severity (Critical: 7 days, High: 30 days, Medium: 90 days).
  • Penetration testing. Independent third-party penetration tests are conducted at least annually against the production environment. Executive summaries are available under NDA via the Trust Center.
  • Runtime protection. A web application firewall and runtime protection layer monitor and block common attack patterns (OWASP Top 10, business logic abuse). Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) are enforced.

Frameworks we reference. Our application security program is benchmarked against OWASP ASVS, the OWASP Top 10, the CWE/SANS Top 25, and MITRE ATT&CK.
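The controls named in the Encryption and Runtime protection bullets above (HSTS on web endpoints; CSP, HSTS, X-Frame-Options and X-Content-Type-Options enforced) are ones a customer can verify from a single captured HTTP response. The checker below is an added example for this page, not Secfix's own code or tooling. The header sets it runs over are constructed for illustration, and the one-year HSTS max-age threshold is the checker's own assumption rather than a value this page states; in practice you would feed it the headers of a real response.

```python
"""Check a captured HTTP response for the security headers a hardened web
endpoint should carry: HSTS, CSP, X-Frame-Options, X-Content-Type-Options.

Added example, not Secfix code. The header sets at the bottom are constructed
for illustration; for a real check pass e.g. requests.get(url).headers.
"""
from __future__ import annotations

# Assumed threshold (not from the page): one year, the common preload-list minimum.
HSTS_MIN_MAX_AGE = 31536000


def _lower_headers(headers: dict[str, str]) -> dict[str, str]:
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives,
    e.g. 'max-age=31536000; includeSubDomains; preload'."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                result["max_age"] = None  # malformed max-age counts as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def csp_script_src_allows_inline(csp: str) -> bool:
    """True if the effective script-src (script-src, else default-src) permits
    'unsafe-inline'. A nonce or hash source makes browsers ignore
    'unsafe-inline' (CSP Level 2+), so the policy is not flagged in that case."""
    directives: dict[str, list[str]] = {}
    for raw in csp.split(";"):
        parts = raw.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = _lower_headers(headers)
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None or parsed["max_age"] < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_MAX_AGE}: {hsts!r}")
        if not parsed["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    elif csp_script_src_allows_inline(csp):
        findings.append("CSP allows 'unsafe-inline' scripts")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    return findings


# Constructed sample responses (not captured from any real host).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        findings = check_security_headers(hdrs)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  - {f}")
```

Header lookups are case-insensitive because servers and proxies vary the casing, and the CSP check reads the fallback chain (script-src, then default-src) the way a browser does rather than grepping for the string, so a policy that relies on default-src is judged correctly.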

Infrastructure and network security

  • Segmentation. Production, staging, and corporate networks are isolated. Production access requires SSO with phishing-resistant MFA and is logged.
  • Hardening. Infrastructure is provisioned as code from reviewed templates. Drift detection runs continuously.
  • Monitoring. Centralized logging captures authentication, access, and administrative events. Alerts route to on-call engineers. Logs are retained per policy and protected against tampering.
  • DDoS protection. Edge protection is provided by our cloud and CDN providers and is active by default.
  • Vulnerability management. Infrastructure is scanned continuously. Findings are triaged, owned, and remediated against the SLA above.

Identity and access management

  • Internal access follows least privilege and is reviewed at least quarterly.
  • All internal systems require SSO with MFA.
  • Production access is just-in-time, time-bound, and audit-logged.
  • Access is provisioned at employee onboarding and revoked at offboarding within one business day.

People security

  • Background checks are conducted for all new hires where legally permitted.
  • All employees and contractors sign confidentiality agreements as a condition of employment.
  • Security awareness training is mandatory at onboarding and annually thereafter. Role-specific training (secure coding, data handling, incident response) is delivered to engineering and operations staff.
  • Acceptable use, data classification, and remote work policies are in force and acknowledged annually.

Vendor and sub-processor management

We assess every vendor that handles customer data before engagement and re-assess on a defined cadence. Our current sub-processor list is published in the Trust Center, including processing purpose and data location. We notify customers of material sub-processor changes per our Data Processing Agreement.

Incident response

We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. The plan is tested at least annually.

In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay and within the timeframes required by GDPR and our Data Processing Agreement. Communication is delivered through your designated security contact and through our Trust Center.

Report a security incident or suspected compromise: security@secfix.com

Business continuity and disaster recovery

  • Customer data is backed up daily, encrypted, and stored in a separate availability zone.
  • Recovery objectives (RTO and RPO) are defined per service tier and tested at least annually.
  • Our business continuity plan covers personnel, supplier, and infrastructure failure scenarios.

Data retention and deletion

Customer data is retained for the duration of the agreement. Upon termination, customers may export their data through the platform for 60 days. After 60 days, data is permanently deleted from production systems; backup retention follows our published schedule and is documented in our Data Processing Agreement.

Individual data subjects may exercise their rights under GDPR (access, rectification, erasure, portability, restriction, objection) by contacting privacy@secfix.com or through the controller of their data.

Customer responsibilities

Security is a shared responsibility. Customers are responsible for:

  • Configuring strong authentication for their users (we recommend SSO with MFA).
  • Managing roles and permissions appropriately within their workspace.
  • Protecting credentials and API tokens.
  • Reviewing audit logs and Trust Center access requests.
  • Maintaining accurate administrator contact information.

We publish a customer security guide in our Help Center to support each of these.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in our application or infrastructure, please email security@secfix.com with:

  • A clear description of the issue and the affected component.
  • Steps to reproduce, including a proof of concept where possible.
  • Your contact information for follow-up.

Scope and rules of engagement:

  • Test only against accounts and data you own.
  • Do not run automated scanners against production beyond what is necessary to demonstrate the issue.
  • Do not access, modify, or exfiltrate other users' data.
  • Do not publicly disclose the issue until we have confirmed remediation.

We will acknowledge receipt within two business days and will not pursue legal action against researchers who follow this process in good faith. We currently do not operate a paid bug bounty program but recognize researchers in our Hall of Thanks on request.

Information Security Policy

Our Information Security Management System (ISMS) is governed by a formal Information Security Policy, approved by management and reviewed at least annually. The policy commits Secfix to:

  • Protecting the confidentiality of customer and company information against unauthorized disclosure.
  • Maintaining the integrity of information against unauthorized modification.
  • Ensuring the availability of information to authorized users when needed.
  • Granting access on a least-privilege basis, with privileged access strictly controlled and reviewed.
  • Meeting and, where reasonable, exceeding applicable legal, regulatory, and contractual requirements.
  • Developing, maintaining, and testing business continuity plans.
  • Providing security training and embedding security responsibilities into role descriptions.
  • Protecting employees who report security concerns in good faith from retaliation.
  • Investigating and responding to all reported or suspected information security breaches.

The full policy and supporting standards are available to customers and auditors via the Trust Center under NDA.

Contacts by topic:

  • Security vulnerabilities and incidents: security@secfix.com
  • Privacy, GDPR requests, DPA: privacy@secfix.com
  • Compliance evidence and questionnaires: Trust Center
  • General inquiries: hello@secfix.com

Secfix GmbH, Salvatorplatz 3, 80333 Munich