Security

Last updated: January 2025

Transvect is committed to providing a secure platform for our customers. This page outlines the security measures we have implemented to protect your data and our infrastructure.

Infrastructure Security

Data Centers and Hosting

All Transvect infrastructure is hosted within the European Economic Area (EEA) to ensure GDPR compliance:

  • Convex: Self-hosted (Stockholm, Sweden)
  • Fly.io: Stockholm, Sweden
  • Clerk: EU
  • Novu: EU
  • Stripe: Ireland (EU)

All data processing occurs within the EEA, ensuring compliance with GDPR requirements.

Network Security

Fly.io Security

  • DDoS Protection: Fly.io provides mitigation against distributed denial-of-service (DDoS) attacks
  • Network Security: Secure network configurations and firewall rules
  • TLS Encryption: Automatic TLS (SSL) certificate provisioning and renewal for all domains

Convex Security

  • Database Security: Encrypted database connections and data at rest
  • Access Control: Role-based access control and organization-level data isolation
  • Network Security: Secure network configurations for self-hosted deployment

Application Security

Authentication and Authorization

  • Clerk Authentication: Secure authentication and user management via Clerk (EU)
  • Session Management: Secure session cookies with HTTPS-only and SameSite protection
  • Role-Based Access Control: Granular permissions system for different user roles

Rate Limiting

  • API Rate Limiting: 100 requests per minute per IP address for general endpoints
  • API Key Rate Limiting: Configurable rate limits per API key (default: 1000 requests per hour)
  • Authentication Rate Limiting: Protection against brute force attacks

Data Protection

Encryption

  • Data in Transit: All data transmitted over the network is encrypted using TLS 1.2 or higher
  • Data at Rest: Database encryption using industry-standard 256-bit AES encryption (Convex self-hosted)
  • Payment Data: Payment information is processed securely through Stripe Connect (PCI DSS compliant)

Database Security

  • Function-Level Access Control: Database access is controlled through Convex function-level authorization, ensuring users can only access data they're authorized to view
  • Database Isolation: Each database is isolated with unique credentials and access controls
  • Connection Security: Encrypted database connections
  • Backup Encryption: Regular encrypted backups

API Security

  • CORS Protection: Strict CORS policies limiting allowed origins
  • Function Authorization: All Convex functions implement authorization checks to ensure users can only access authorized data
  • Input Validation: All API inputs are validated and sanitized
  • No SQL Injection Risk: Convex uses a type-safe query API that prevents SQL injection attacks

Payment Security

  • Stripe Connect: All payment processing is handled by Stripe (Ireland, EU), a PCI DSS Level 1 compliant payment processor
  • No Card Storage: We do not store credit card information. All payment data is processed directly by Stripe
  • Secure Payment Links: Payment links use Stripe's secure checkout system

Monitoring and Incident Response

  • Logging: Comprehensive logging of security-relevant events
  • Monitoring: Continuous monitoring of system health and security events via Convex and Fly.io
  • Incident Response: Procedures in place to respond to security incidents
  • Data Breach Notification: We will notify affected parties within 48 hours of discovering a data breach, as required by GDPR

Security Best Practices

For Organizations Using Transvect

  • Use strong, unique passwords for your accounts
  • Regularly review API keys and revoke unused ones
  • Keep your organization's user access up to date
  • Report any security concerns immediately to info@transvect.se

For End Customers

  • Use strong passwords if you create an account
  • Be cautious of phishing attempts
  • Report suspicious activity to the organization you're transacting with

Security Updates

We regularly update our dependencies and infrastructure to address security vulnerabilities. Security patches are applied as soon as they become available.

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Email: info@transvect.se

Please include:

  • Description of the vulnerability
  • Steps to reproduce (if applicable)
  • Potential impact
  • Your contact information

We appreciate responsible disclosure and will work with you to address any security concerns.

Compliance

  • GDPR: Full compliance with the General Data Protection Regulation
  • Data Residency: All data stored and processed within the EEA
  • Privacy: See our Privacy Policy for details on how we handle personal data

Subprocessors

For a complete list of subprocessors and their locations, see our Data Processing Agreement.

Contact

For security-related questions or concerns, please contact us at info@transvect.se.