Security and Trust
We take security seriously. Here's an overview of how we protect your data and maintain a secure platform.
Encryption
- All data in transit is protected by TLS 1.2+ (HTTPS enforced, HSTS with 2-year max-age)
- Passwords are hashed using bcrypt with cost factor 12 — never stored in plain text
- Sensitive configuration values (e.g. payment integration keys) are encrypted at rest using AES-256-GCM
- Session tokens are signed using cryptographically secure secrets (NextAuth JWT)
- Two-factor authentication (TOTP) backup codes are stored as SHA-256 hashes
Access Controls
- Role-based access control (RBAC): user, support, and admin roles with strict permission boundaries
- All dashboard routes require an authenticated session — no unauthenticated data access
- Admin portal is completely inaccessible to regular users — enforced at middleware level
- Webhook endpoints verify Stripe signatures before any processing
- Rate limiting applied on authentication and API endpoints to prevent brute-force attacks
- CSRF protection via SameSite cookies and token validation in forms
Infrastructure
- Application and database servers located in the European Union
- Database connections use SSL — no unencrypted PostgreSQL connections accepted
- File uploads are validated for type and size before storage
- Outbound email delivery uses authenticated SMTP (DKIM/SPF recommended)
- Dependency vulnerability scanning on a regular cadence
- Security headers enforced on all responses: CSP, X-Frame-Options, HSTS, X-Content-Type-Options
Monitoring & Incident Response
- All critical errors are logged to a persistent error log with severity levels
- Fatal errors trigger immediate email alerts to the security team
- Stripe webhook events are deduplicated and persisted for replay safety
- Audit logs capture all administrative actions (role changes, deletions, coupon management)
- In the event of a personal data breach, we will notify affected users and relevant EU supervisory authorities within 72 hours as required by GDPR Art. 33
GDPR & Data Rights
- All personal data is processed under GDPR — legal bases documented in our Privacy Policy
- Data is stored and processed within the EU — no transfers to third countries without safeguards
- Users can export all personal data as a structured JSON file at any time
- Users can request permanent account deletion from their account settings
- Invoice records are retained for 7 years per EU accounting regulations; all other data deleted on request
- Newsletter subscriptions include a one-click unsubscribe link in every email
Responsible Disclosure
If you believe you've found a security vulnerability in Arbeitly, please report it responsibly. We ask that you:
- Do not publicly disclose the issue before we have had a chance to fix it
- Do not access, modify, or delete user data during your testing
- Provide a clear description and reproducible steps
- Give us reasonable time to investigate and respond (typically 30 days)
Report to: security@arbeitly.com