Security
How we protect data with technical and organisational measures.
1. Our approach
Security is part of how we build and run our services, not an afterthought. We work by the principles of data minimisation and least privilege, and take appropriate technical and organisational measures in line with GDPR art. 32.
2. Hosting and data location
Our applications and databases run on dedicated infrastructure at Hetzner Online GmbH within the European Union (data centres in Germany and Finland). Data therefore stays within the EEA, except for the specific subprocessors listed on our subprocessors page.
3. Encryption
- Transport: all traffic to our services is encrypted via HTTPS/TLS, with automatically managed, up-to-date certificates.
- Secrets: keys and passwords are managed in encrypted form (SOPS) and are not stored in source code.
- Storage: confirm encryption-at-rest per system ‹to complete›.
4. Access and authentication
Access to our applications goes through a specialised authentication service (Clerk), which supports strong passwords and multi-factor authentication. Access to production systems is limited to authorised personnel and runs over encrypted connections.
5. Monitoring and backups
- Error monitoring: we use a self-hosted monitoring solution (GlitchTip) on our own infrastructure, so diagnostic data does not flow to a third party.
- Backups: automated backups of our databases are made daily; recovery procedures are tested periodically — confirm frequency ‹to complete›.
- Logging: access and error logs are retained for security and problem analysis.
6. Processing by AI
Part of our AI-assisted processing runs on our own servers and does not leave our infrastructure. Where we use external AI services, this is under processing terms and without data being used to train third-party models (confirm per provider ‹to complete›).
7. Data breaches
In the event of a (suspected) data breach we follow a fixed process: identify, contain, assess and — where required — notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and, where applicable, the data subjects.
8. Reporting vulnerabilities
Think you have found a vulnerability? Report it responsibly via welkom@ruimtemeesters.nl. Give us reasonable time to resolve it before disclosing publicly; we appreciate reports and respond as quickly as possible.