Security & Trust

Our security commitment

We treat security as a continuous engineering practice, not a one-off audit. Our principles are: minimise the data we collect, encrypt everything in transit, control who can access what, log meaningful events, and patch dependencies on a regular cadence. We do not sell personal data and we do not train external AI providers on your content.

Infrastructure and hosting

ImmoStory runs on EU-based dedicated infrastructure, with production database, application servers, and object storage hosted in EU data centres. We use container-based deployments behind a reverse proxy with TLS termination. Production, staging, and development environments are separated with independent credentials and no shared secrets.

Encryption in transit and at rest

All traffic to and from the platform uses TLS 1.2 or higher with modern cipher suites. Passwords are stored using bcrypt with a strong work factor. Application secrets are kept outside the code repository and rotated when team membership changes. Database backups are encrypted at rest and rotated on a 30-day cycle.

Access control and authentication

Access to production data is restricted to a small number of named engineers, gated by SSH keys, IP allowlisting, and multi-factor authentication. Customer accounts support strong passwords; we hash credentials and do not store recoverable plaintext. JWT sessions expire on inactivity and can be revoked by the user from the account settings.

Monitoring and audit logging

Application, billing, and authentication events are logged centrally with retention limited to operational needs. Errors are captured in real time so the team can react to regressions and abuse patterns. Suspicious behaviour automatically rate-limits offending sessions.

Incident response

We maintain an internal incident-response runbook covering detection, containment, eradication, recovery, and post-mortem. When a confirmed personal-data breach is likely to result in a risk to user rights, we notify the relevant supervisory authority within 72 hours in line with GDPR Article 33, and inform affected users without undue delay where the risk is high.

GDPR and data protection

We are based in the EU and process customer data under the General Data Protection Regulation. Our Privacy Policy documents lawful bases, data categories, retention, subprocessors, and your data-subject rights. International transfers rely on Standard Contractual Clauses or equivalent safeguards. A Data Processing Agreement is available on request for business customers.

Responsible disclosure

If you believe you have found a security issue in ImmoStory, please report it privately to [email protected] before disclosing it publicly. We aim to acknowledge reports within two business days and to coordinate a fix without legal action against good-faith researchers who respect user privacy and do not disrupt our services.

Subprocessors

We rely on a limited set of vetted subprocessors to operate the platform. Provider locations indicate where data is primarily processed. When data leaves the EEA, transfers rely on the European Commission's Standard Contractual Clauses or equivalent safeguards offered by the provider.

This list is updated when material changes occur. For Data Processing Agreement copies or further detail, contact [email protected].