Security & Trust Center

Last Updated: January 5, 2025

Our Commitment: At Stampier, security and data protection are fundamental to everything we do. We implement industry-leading security practices and comply with international data protection regulations to keep your business and customer data safe.

Security at a Glance

EU Data Residency

All data stored in Helsinki, Finland (EU) for GDPR compliance

End-to-End Encryption

TLS 1.3 for data in transit, AES-256 for data at rest

GDPR Compliant

Full compliance with EU GDPR, UK GDPR, and international privacy laws

1 Data Protection & Privacy

EU Data Residency

All personal data processed through Stampier is stored and hosted in Helsinki, Finland, within the European Union. This ensures:

  • Full compliance with GDPR data localization requirements
  • No routine transfers to third countries (except limited sub-processors)
  • Protection under EU data protection laws
  • Reduced latency for European customers

GDPR Compliance Framework

Implemented Controls:

  • ✅ Data Processing Agreement (DPA)
  • ✅ EU Standard Contractual Clauses
  • ✅ UK International Data Transfer Addendum
  • ✅ Data Protection Impact Assessments
  • ✅ Records of Processing Activities
  • ✅ 72-hour breach notification procedure

Data Subject Rights:

  • ✅ Right to Access
  • ✅ Right to Rectification
  • ✅ Right to Erasure ("Right to be Forgotten")
  • ✅ Right to Data Portability
  • ✅ Right to Restrict Processing
  • ✅ Right to Object

See our Privacy Policy and Data Processing Agreement for full details.

Data Protection Officer (DPO)

We have designated a Data Protection Officer to oversee GDPR compliance and handle privacy-related inquiries.

Contact DPO: dpo@stampier.co

2 Technical Security Measures

Encryption

Data in Transit:

  • 🔒 TLS 1.3 - Latest Transport Layer Security protocol
  • 🔒 HSTS - HTTP Strict Transport Security enforced
  • 🔒 Perfect Forward Secrecy - Past sessions stay protected even if a long-term key is later compromised
  • 🔒 Strong Cipher Suites - AES-256-GCM only

Data at Rest:

  • 🔒 AES-256 Encryption - Military-grade encryption
  • 🔒 Database Encryption - All database volumes encrypted
  • 🔒 Encrypted Backups - Automated encrypted backups
  • 🔒 Key Management - Secure key rotation and storage

Access Controls & Authentication

  • 🔑 Role-Based Access Control (RBAC)
  • 🔑 Multi-Factor Authentication (MFA)
  • 🔑 Principle of Least Privilege
  • 🔑 Regular Access Reviews
  • 🔑 Session Management - Automatic timeout
  • 🔑 Password Requirements - Strong policies enforced
  • 🔑 Account Lockout - Brute-force protection
  • 🔑 Audit Logging - All access logged

Network Security

  • 🛡️ Web Application Firewall (WAF)
  • 🛡️ DDoS Protection
  • 🛡️ Intrusion Detection System (IDS)
  • 🛡️ Network Segmentation
  • 🛡️ VPN Access - For internal systems
  • 🛡️ Rate Limiting - API abuse prevention
  • 🛡️ IP Whitelisting - Optional for businesses
  • 🛡️ Security Groups - Firewall rules

Application Security

  • Input Validation - All user input sanitized
  • Output Encoding - XSS prevention
  • CSRF Protection - Token-based validation
  • SQL Injection Prevention - Parameterized queries
  • Secure Headers - CSP, X-Frame-Options, etc.
  • Dependency Scanning - Automated vulnerability checks
  • Code Reviews - Security-focused reviews
  • Static Analysis - Automated security scanning

3 Infrastructure & Hosting Security

Secure Hosting Infrastructure

Our infrastructure is hosted in tier-certified data centers in Helsinki, Finland (EU).

Physical Security:

  • 🏢 24/7 security personnel
  • 🏢 Biometric access controls
  • 🏢 CCTV surveillance
  • 🏢 Environmental controls (fire, flood)

Infrastructure Security:

  • 🖥️ Redundant power supply (N+1)
  • 🖥️ Multiple internet uplinks
  • 🖥️ Automated failover systems
  • 🖥️ 99.9% uptime SLA

Backup & Disaster Recovery

  • 💾 Automated Backups: Daily encrypted backups of all data
  • 💾 Geo-Redundant Storage: Backups replicated across multiple EU locations
  • 💾 Retention Policy: 30-day backup retention
  • 💾 Disaster Recovery Plan: Tested quarterly, <4 hour RTO target
  • 💾 Point-in-Time Recovery: Restore to any point within retention period

Monitoring & Logging

  • 📊 24/7 System Monitoring: Real-time infrastructure and application monitoring
  • 📊 Security Event Logging: All security-relevant events logged and retained for 1 year
  • 📊 Anomaly Detection: Automated alerts for suspicious activity
  • 📊 Audit Trails: Complete audit logs for compliance and forensics
  • 📊 Incident Response: 24/7 on-call security team

4 Organizational Security Measures

Security Training

  • 📚 Annual security awareness training
  • 📚 GDPR and data protection training
  • 📚 Secure coding practices
  • 📚 Phishing awareness drills
  • 📚 Incident response training

Security Policies

  • 📄 Information Security Policy
  • 📄 Acceptable Use Policy
  • 📄 Incident Response Plan
  • 📄 Business Continuity Plan
  • 📄 Vendor Security Requirements

Incident Response & Breach Notification

We have a documented incident response plan that ensures rapid detection, containment, and recovery from security incidents.

72-Hour GDPR Breach Response:

  1. Detection (Hour 0): Security systems detect potential breach
  2. Assessment (Hours 0-4): Determine scope and severity
  3. Containment (Hours 4-8): Stop the breach, secure systems
  4. Customer Notification (Hour 24): Notify affected businesses
  5. Authority Notification (Hour 72): Report to supervisory authority (Finland DPA)
  6. Data Subject Notification: If high risk, notify individuals without delay

Report Security Issues: security@stampier.co

5 Security Testing & Compliance

Security Testing Program

  • 🔍 Penetration Testing: Annual third-party penetration testing
  • 🔍 Vulnerability Scanning: Continuous automated vulnerability scans
  • 🔍 Dependency Audits: Weekly checks for vulnerable dependencies
  • 🔍 Security Code Reviews: All code changes reviewed for security issues
  • 🔍 Bug Bounty Program: Planned for launch in Q2 2025

Compliance & Certifications

Current Compliance:

  • GDPR - EU General Data Protection Regulation
  • UK GDPR - UK Data Protection Act 2018
  • ePrivacy Directive - Cookie Law compliance
  • PCI DSS - Via Stripe (payment processor)

In Progress:

  • SOC 2 Type II - Target: Q3 2025
  • ISO 27001 - Target: Q4 2025
  • CCPA Compliance - California privacy
  • PIPEDA - Canadian privacy law

6 Trusted Sub-Processors & Partners

We carefully vet all third-party services that process data on our behalf. Each sub-processor is contractually bound to maintain the same security and privacy standards we uphold.

Service Provider       | Service                       | Location               | Security
---------------------- | ----------------------------- | ---------------------- | ---------------------------------
Cloud Hosting Provider | Infrastructure & data storage | Helsinki, Finland (EU) | ISO 27001, SOC 2 Type II
Stripe, Inc.           | Payment processing            | EU (Ireland), USA      | PCI DSS Level 1, SOC 2, ISO 27001
Email Service Provider | Transactional emails          | EU/USA                 | GDPR DPA, encryption in transit

For a complete list of sub-processors and data processing details, see our Data Processing Agreement.

Security Questions or Concerns?

Our security team is here to help. Report vulnerabilities, request security documentation, or ask compliance questions.

Security Team: security@stampier.co

Data Protection Officer: dpo@stampier.co

Compliance Questions: legal@stampier.co

Responsible Disclosure: If you discover a security vulnerability, please report it to security@stampier.co. We commit to acknowledging reports within 24 hours.

Ready to Build Customer Loyalty Securely?

Join businesses that trust Stampier with their customer data. EU-hosted, GDPR-compliant, enterprise-grade security.