
Trust & Security

Your data. Your control.

This page documents how vucavoid protects your data, who has access to it, and what commitments we make. No marketing fluff. Just facts.

Last updated: April 2026

Our commitments

What we commit to

Data Sovereignty

vucavoid runs entirely on European infrastructure. All application servers, databases, and backups are hosted at Hetzner in Germany. Transactional email is handled by Scaleway in France. No data is transferred to third countries. No US cloud providers are involved in core operations. No CLOUD Act exposure, no Schrems II risk.

No AI Commitment

vucavoid does not use AI to process, analyze, or enrich your GRC data. Not for features, not for analytics, not for training. Your risk assessments, control weaknesses, incident details, and compliance gaps never touch an AI model. This is a deliberate product decision.

No Tracking

vucavoid does not embed tracking pixels, third-party measurement tools, or advertising identifiers. There is no behavioral profiling, no partner data sharing, and no cookie-based tracking. We use Pirsch, a privacy-first analytics tool, to measure anonymous page views on our marketing site. No personal data is collected, no individuals can be identified, and no data is shared with third parties. Inside the application, there is zero tracking.

GDPR & CCPA Compliant

vucavoid is fully compliant with both GDPR and CCPA. Our payment processor, Paddle, is a certified PCI DSS Level 1 Service Provider. We never see or store your payment details. All tenants are fully isolated. No cross-tenant data access is possible, by design. Users can request full account anonymization at any time. Data processing agreements are available on request.

Technical details

Application Security

vucavoid is built on infrastructure provided by Hetzner, a German cloud hosting company with ISO 27001 certification. All data processing happens within Germany.

All hosting occurs exclusively within Germany through Hetzner. All of your data is physically stored within Germany. You can review Hetzner's security documentation for details on their physical security measures.

All communication between users and the application is encrypted in transit using TLS. This applies equally to regular usage and any maintenance activities performed by staff.

By default, no team member or third party has access to client data. Exceptions are made only upon explicit client request for support or troubleshooting, and access is limited to authorized personnel who have undergone vetting. Automated security scans may temporarily access client data in a technical capacity. These scans are fully automated, with no human viewing or copying of data. Data ownership remains with you. We process it strictly under GDPR and CCPA.

We retain your data for the duration of your contract. After the contract ends, all client data is deleted, except where legal retention periods apply. Backups run at least daily and are retained for 60 days. After contract termination, client data may persist in backups for up to 61 days. Individual users can request their application admin to anonymize their accounts. All deletion actions in vucavoid are irreversible.

Our infrastructure is hosted with Hetzner in Germany. Hetzner provides uninterruptible power supplies (N+1 redundant UPS), a 2.5 MVA diesel generator, and power supply via two separate power paths. All data center parks are connected via redundant dark fiber connections with n*100 Gbit/s bandwidth between data centers.

Third-party vendors

Third-party sub-processors

We employ the following third-party processors:

| Provider | Purpose | Country | Website | Access to client data |
|---|---|---|---|---|
| Ploi | Deployment, Scripts | Netherlands | ploi.io | No |
| Scaleway | Transactional Email | France | scaleway.com | Technically to emails sent by the application |
| Hetzner | Hosting, Housing | Germany | hetzner.com | Infrastructure access only. Contractually prohibited, ISO 27001 certified. |
| Oh Dear | Monitoring | Belgium | ohdear.app | No |
| ProView | Development | Netherlands | | No by default; only in case of relevant debugging |

How we work

Internal Security Measures

Security is embedded in how we operate, not bolted on after the fact.

Personnel Security

All team members undergo background checks and must acknowledge our security policy while signing a confidentiality agreement.

Identity & Access Management

Unique logins for all critical systems, two-factor authentication wherever possible. Access permissions are regularly audited under the principle of least privilege.

Hardware Security

Employee laptops are managed, equipped with encrypted hard drives, and protected by anti-malware software.

Network Security

Internal network secured with restricted access, segmentation, traffic inspection (including IPS), and reviewed firewall rules. No remote access to office networks.

Security Education

New hires complete security training within their first two weeks. Developers complete secure coding training. We actively participate in relevant security networks.

Application Security

Every new feature or bug fix undergoes review and testing before deployment. No update ships without passing these checks.

Vendor Security

We evaluate vendor security using a risk-tiered approach based on the vendor's role, data access level, network integration, and overall security maturity.

Your compliance data is not a product. It is not training data. It is not for sale. It stays in Europe, encrypted, under your control.

EU hosted, no exceptions
No AI features, no data harvesting
GDPR-native by design
Unlimited users, always

Responsible Disclosure

If you believe you have discovered a vulnerability in vucavoid, please submit a report to:

vucavoid does not participate in a public bug bounty program at this time, nor do we provide monetary rewards for publicly reported findings.

We encourage responsible disclosure. This means:

  1. Accessing or exposing only your own client data.
  2. Not extracting information from our infrastructure, including source code, backups, or configuration files.
  3. Reporting any findings of remote access to our system promptly, without accessing additional servers or escalating privileges.
  4. Avoiding scanning techniques that may affect service for other customers.
  5. Complying with the guidelines in our Terms of Service.
  6. Keeping vulnerability details confidential until vucavoid has been notified and given reasonable time to address the issue.

If you believe your account has been compromised or you are seeing suspicious activity, please report it using our support contact form.

See for yourself

Start your free 30-day trial. No credit card required. Full access to every feature.

Cookie Use on Our Site

To ensure the smooth functioning of our website, we use a limited number of cookies. These cookies are essential for providing you with the services available on our website and to use some of its features. Here is a brief overview:
  • vucavoid_session: This cookie is essential for user authentication. It ensures that your session is secure and recognizes you as you navigate through our site.
  • XSRF-TOKEN: This cookie is critical for website security. It helps protect against cross-site request forgery attacks.
  • latest_marketing_banner_visible_{MARKETING_BANNER_ID}: This cookie simply remembers if you have seen our latest site banner, enhancing your browsing experience without tracking your personal data.

These cookies are strictly necessary to deliver the website, and therefore, we do not require your consent to place these cookies. For more information, please visit our Privacy Policy.