Security and certifications

Built for Swedish procurement

We make security choices that match the guidance from the Swedish data protection authority (IMY), the Schrems II requirements, and what procurement officers actually ask for in RFPs.

Certifications

The infrastructure we use is audited and certified. Spårlös inherits these controls automatically by running only on certified providers.

ISO 27001

Information security

International standard for information security management. The data center Spårlös runs on is ISO 27001-certified.

ISO 27018

Cloud privacy

Protection of personal data in public cloud services. Governs how the provider may handle the customer's data.

SOC 2 Type II

Audited cloud service

Our managed account-data provider is SOC 2 Type II-certified. Security practices are checked by an external auditor over 12 months.

Data flow

This is how an event moves from the visitor's browser to our database. There are no US subprocessors in the data path.

01

Browser to ingest API

Spårlös sends an HTTPS POST with pageview data. No cookies are set. Data transport is TLS 1.3.

02

Ingest API (EU)

The IP address is used in memory for a country lookup via a local geo database, then the IP is dropped immediately. The visitor hash is computed and includes a daily salt.

03

Storage in the EU

The anonymized event is written to our event database in an ISO 27001-certified EU data center. Account data is stored separately in a SOC 2-certified managed database in the EU.

Security practices

  • All data is stored in the EU. No US subprocessors in the data path.
  • TLS 1.3 between the tracker and the ingest API. HTTPS enforced via HSTS.
  • Passwords are hashed with bcrypt (12 rounds) before storage.
  • The session token is 256-bit cryptographically random. HttpOnly cookie. SameSite=Lax.
  • IP addresses are never persisted. Only an in-memory country lookup.
  • A daily-rotating visitor hash makes cross-day tracking impossible.
  • A site-isolated visitor hash makes cross-site tracking impossible.
  • Daily backup of both account data and event data to an EU-based backup provider.
  • Security.txt under /.well-known/ with a security-researcher contact.
  • Security incident routines per GDPR Art. 33 (72-hour notification).

Report a vulnerability

We value security researchers. If you find an issue, email [email protected] or read our security.txt. We respond within 48 hours and keep you informed throughout the entire remediation process. We do not publish a bug bounty policy yet, but honest and cooperative disclosure is always rewarded.

Procurement-ready today

We provide a DPA, an SLA on request and documented security practices. Request an RFP-response template in the contact form.

Security and certifications | Spårlös