Skip to main content

Security, audit logs, and data protection

This page answers common procurement and security-review questions about how CVD Portal protects tenant data.

Where is my data hosted?

All platform data lives in the EU. The application and PostgreSQL database run on Hetzner infrastructure in Nuremberg, Germany. Uploaded assets (portal logos) are stored in Hetzner object storage in Falkenstein, Germany. Submission data is not transferred outside the EU/EEA by default. Details are on the Trust page at cvdportal.com/trust.

Is the audit log immutable?

Yes, in a verifiable way. Every state-changing action writes an audit entry that is linked into a per-tenant SHA-256 hash chain. Database-level controls reject any update or deletion of stored entries, and an automated job re-verifies every chain daily and alerts on any break. Tenant administrators cannot alter or delete audit entries.

Retention has two tiers. Operational entries (logins, page views, API calls) are kept for 12 months. Entries forming the CRA Article 14 evidence chain (classification decisions, notifications sent, remediation decisions) are kept permanently.

What happens to my data if I delete my account?

Account deletion is available to company admins under Settings, Account. It is a hard delete under GDPR Article 17. All personal data, submissions, settings, and operational logs are erased. One exception applies. Your CRA Article 14 evidence entries are preserved in pseudonymised form, with personal identifiers removed and email addresses replaced by one-way tokens, so your regulatory compliance record survives the erasure. This is disclosed in the Privacy Policy and the DPA.

Is data encrypted at rest?

Integration credentials such as webhook signing secrets are encrypted at the application layer with AES-256-GCM. Passwords are hashed with bcrypt and API keys are stored as SHA-256 hashes, so neither can be read back. Backup archives are encrypted before leaving the host and the decryption key is held offline. Disk-level volume encryption is on the public roadmap on the Trust page.

Are there backups?

Yes. The database is backed up daily. Archives are encrypted before leaving the primary host and stored off-host, and restore drills are exercised periodically. Enterprise customers can request current RPO/RTO targets and the most recent restore test date under NDA via security@cvdportal.com.

Is there a DPA and a subprocessor list?

Yes. The standard Data Processing Agreement (GDPR Article 28) is published at cvdportal.com/dpa. The authorised subprocessor list, including purpose, data categories, region, and transfer mechanism for each vendor, is maintained at cvdportal.com/trust#subprocessors and forms Annex III of the DPA. Tenants get 30 days' notice before a new subprocessor with material access to submission data is added.