— SOC 2 Type II · ISO 27001 Aligned · GDPR Compliant

Security at Obtura

Security is not an afterthought at Obtura — it is foundational to everything we build. Our autonomous deployment platform is built with enterprise-grade security controls to protect your applications, data, and infrastructure.

Security Overview

Encryption Everywhere

256-bit AES at rest, TLS 1.3 in transit

SOC 2 Type II

Independently audited annually

EU Data Residency

100% EU-hosted, GDPR compliant

Obtura operates a defense-in-depth security architecture. From infrastructure hardening to application security, we implement multiple layers of protection to ensure your deployments are secure by default.

Encryption & Data Protection

Encryption at Rest

  • 256-bit AES encryption for all stored data
  • Encrypted database volumes with rotating keys
  • Encrypted backups in geographically separated locations
  • Hardware Security Modules (HSMs) for key management
  • Automatic key rotation every 90 days
  • End-to-end encrypted secrets vault

Encryption in Transit

  • TLS 1.3 enforced for all connections
  • TLS 1.2 minimum supported
  • HSTS (HTTP Strict Transport Security) enabled
  • Perfect Forward Secrecy (PFS) with ECDHE
  • Certificate pinning for API connections
  • Automatic certificate renewal and monitoring

Infrastructure Security

Network Security

  • Zero-trust network architecture
  • Network segmentation and micro-segmentation
  • DDoS protection and mitigation
  • Web Application Firewall (WAF)
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • VPC isolation per customer

Access Controls

  • Role-Based Access Control (RBAC)
  • Multi-Factor Authentication (MFA)
  • Single Sign-On (SSO) support
  • Principle of least privilege
  • Just-in-time (JIT) access for sensitive operations
  • Privileged Access Management (PAM)

Data Residency

All customer data is stored exclusively within EU data centers (Frankfurt and Amsterdam). Your data never leaves the European Economic Area (EEA).

Application Security

Secure Development Lifecycle (SDLC)

  • Security requirements in the design phase
  • Automated static application security testing (SAST)
  • Dependency vulnerability scanning
  • Code review with a security focus
  • Secure coding training for developers

Runtime Protection

  • Runtime Application Self-Protection (RASP)
  • Input validation and sanitization
  • Output encoding to prevent XSS
  • CSRF protection on all state-changing requests
  • Rate limiting and throttling

Secrets Management

  • Encrypted environment variables
  • Secrets rotation automation
  • No plaintext secrets in code or logs
  • Hardware security module integration
  • Audit logging of all secret access

Compliance & Certifications

SOC 2 Type II: Certified

Independent audit of our security controls, availability, and confidentiality. Audited annually by a third-party firm.

ISO 27001: In Progress

Information Security Management System (ISMS) certification for comprehensive security management.

GDPR Compliance: Compliant

Full compliance with the EU General Data Protection Regulation: EU data residency, data subject rights, and breach notification.

PCI DSS: Level 1 Service Provider

Payment Card Industry Data Security Standard compliance for secure payment processing.

Monitoring & Incident Response

24/7 Monitoring

Continuous security monitoring with automated alerting for anomalies.

Threat Intelligence

Integration with threat intelligence feeds for proactive protection.

Log Retention

12-month retention of security logs with tamper-proof storage.

Incident Response Timeline

Detection & Triage: < 1 hour

Automated alerts trigger immediate investigation by the on-call security team.

Containment: < 4 hours

Affected systems isolated, impact assessed, containment measures deployed.

Notification: < 72 hours

Affected customers and supervisory authorities notified per GDPR requirements.

Vulnerability Disclosure

We welcome security researchers to report vulnerabilities in a responsible manner. If you discover a security issue, please report it to us privately so we can address it promptly.

How to Report

We commit to acknowledging reports within 48 hours, providing regular updates on remediation progress, and not taking legal action against researchers who follow responsible disclosure practices.

Contact Our Security Team

Security Inquiries

For general security questions or to request security documentation:

security@obtura.dev

Compliance & DPA

For Data Processing Agreements and compliance inquiries:

dpo@obtura.dev