Konforme Security
Last updated April 2026

How we protect your data.

Security at Konforme.

As a compliance platform, we hold ourselves to the same standards we help our customers achieve. All data is processed and stored within the European Union. We follow privacy-by-design principles, encrypt all data at rest and in transit, and maintain strict access controls. This page describes our security practices in detail.

i. Infrastructure & hosting.
EU-only hosting
All infrastructure runs in AWS eu-west-1 (Ireland). No data is transferred to or processed in non-EU jurisdictions. Our database, application servers, and email services all reside within the EU.
Encryption at rest
All data stored in our PostgreSQL database is encrypted at rest using AES-256. Cloud credentials provided by users are additionally encrypted before storage using application-level encryption.
Encryption in transit
All connections use TLS 1.2 or higher. HSTS is enforced with a one-year max-age including subdomains. We use modern cipher suites and regularly update our TLS configuration.
Network security
Our application runs in a private VPC with strict security group rules. The database is not publicly accessible. All administrative access requires VPN and MFA.
ii. Application security.
Authentication
Authentication is JWT-based; random tokens are generated with Python's secrets.token_urlsafe, which draws from the operating system's CSPRNG. Email verification is required for all accounts. Passwords are hashed with bcrypt, which embeds a random per-user salt in every hash.
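The two primitives this paragraph names, a salted slow password hash and a CSPRNG one-time token, as an added example that is not Konforme's code. It uses the standard library's hashlib.scrypt as a stand-in for bcrypt so that it runs without third-party packages; the record format, the parameters, and the choice to store only a SHA-256 of issued tokens are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Added example (not Konforme's code). hashlib.scrypt stands in for bcrypt so the
# block runs on the standard library alone; the pattern is the same: a random
# per-user salt, a deliberately slow hash, and a constant-time comparison.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record: $scrypt$N$r$p$salt$digest (assumed format)."""
    salt = os.urandom(16)  # fresh salt per call, hence per user
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        _, alg, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False  # malformed record: fail closed instead of raising to the caller
    return hmac.compare_digest(candidate, expected)


def issue_one_time_token() -> tuple[str, str]:
    """Token for a verification or reset link: (value to e-mail, value to store).

    Only the SHA-256 of the token is kept server-side, so a leaked database row
    cannot be replayed as a valid link. (Storing the hash is this example's
    choice, not something the page states.)
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def check_one_time_token(presented: str, stored_hash: str) -> bool:
    """Hash what the user presented and compare against the stored hash in constant time."""
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hash)
```

Two details matter more than the hash function: every record carries its own salt and cost parameters, so parameters can be raised later without a migration, and every comparison goes through hmac.compare_digest so response time does not leak how many leading bytes matched.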
Rate limiting
All authentication endpoints are rate-limited: login (5/min), registration (3/min), email verification (10/hour), password reset (5/hour). API endpoints have per-user rate limits to prevent abuse.
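The budgets listed above, enforced by a sliding-window limiter, as an added example that is not Konforme's code. The endpoint names, the per-user API budget, and the decision to key login attempts by both source IP and target account are this example's assumptions; the four authentication limits are the figures the page states.

```python
import time
from collections import defaultdict, deque

# Added example, not Konforme's code.
LIMITS = {                    # endpoint: (max requests, window in seconds)
    "login": (5, 60),
    "register": (3, 60),
    "verify_email": (10, 3600),
    "password_reset": (5, 3600),
    "api": (120, 60),         # per-user budget for authenticated calls (assumed value)
}


class SlidingWindowLimiter:
    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock               # injectable so tests can move time forward
        self.hits = defaultdict(deque)   # (endpoint, key) -> timestamps inside the window

    def allow(self, endpoint: str, key: str) -> bool:
        """Record one request for (endpoint, key) and say whether it fits the budget."""
        limit, window = self.limits[endpoint]
        now = self.clock()
        q = self.hits[(endpoint, key)]
        while q and now - q[0] >= window:   # drop hits that have left the window
            q.popleft()
        if len(q) >= limit:
            return False                    # over budget: nothing recorded
        q.append(now)
        return True

    def retry_after(self, endpoint: str, key: str) -> float:
        """Seconds until the oldest hit leaves the window (for a Retry-After header)."""
        limit, window = self.limits[endpoint]
        q = self.hits[(endpoint, key)]
        if len(q) < limit:
            return 0.0
        return max(0.0, window - (self.clock() - q[0]))


def login_allowed(limiter: SlidingWindowLimiter, client_ip: str, account: str) -> bool:
    """Login is keyed twice: by source IP (one host trying many accounts) and by
    target account (many hosts trying one account). Both budgets must have room."""
    return (limiter.allow("login", f"ip:{client_ip}")
            and limiter.allow("login", f"acct:{account}"))


class FakeClock:
    """Deterministic clock for tests; time only moves when advance() is called."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds
```

A sliding window avoids the burst at the boundary that a fixed per-minute counter allows (five requests at 0:59 and five more at 1:00). Keying login by account as well as by IP is the check that catches a distributed password-spraying attempt, which a per-IP limit alone never sees.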
CSRF protection
Cross-Site Request Forgery protection is enabled on all authenticated endpoints. We use the double-submit cookie pattern with SameSite cookie attributes.
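The double-submit check described above, as an added example that is not Konforme's code: the server sets a random token in a cookie, the page echoes it back in a request header or form field, and the server only compares the two. Cookie and header names are this example's assumptions. One caveat a practitioner should keep in mind: the pattern holds only while an attacker cannot set cookies for your origin (for instance from a compromised or dangling subdomain), which is one reason to pair it with SameSite cookies and HSTS with includeSubDomains as this page does.

```python
import hmac
import secrets

# Added example, not Konforme's code. Names below are assumptions.
COOKIE_NAME = "csrf_token"
HEADER_NAME = "X-CSRF-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must not change state, so no token needed


def issue_csrf_token() -> tuple[str, str]:
    """Return (token, Set-Cookie header value) for a fresh session."""
    token = secrets.token_urlsafe(32)
    # Deliberately not HttpOnly: the page's JavaScript must read it to echo it back.
    # SameSite=Strict keeps the browser from attaching it to cross-site requests at
    # all; Secure keeps it off plaintext HTTP.
    cookie = f"{COOKIE_NAME}={token}; Path=/; Secure; SameSite=Strict"
    return token, cookie


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie: header parser ("a=1; b=2" -> {"a": "1", "b": "2"})."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def csrf_check(method: str, cookie_header: str, headers: dict, form: dict) -> bool:
    """Pass safe methods; for state-changing ones require cookie token == submitted token."""
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = parse_cookie_header(cookie_header or "").get(COOKIE_NAME)
    lowered = {k.lower(): v for k, v in headers.items()}
    submitted = lowered.get(HEADER_NAME.lower()) or form.get(COOKIE_NAME)
    if not cookie_token or not submitted:
        return False   # a cross-site form post carries the cookie but cannot know the token
    # Compare as bytes so a non-ASCII value cannot make compare_digest raise.
    return hmac.compare_digest(cookie_token.encode("utf-8"), submitted.encode("utf-8"))
```

The security argument is that a cross-site page can cause the browser to send the cookie but cannot read its value (same-origin policy), so it cannot reproduce it in the header or form field.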
Input validation
All user input is validated and sanitized on the server side using Pydantic schemas. We protect against SQL injection, XSS, and other OWASP Top 10 vulnerabilities.
Security headers
Strict Content Security Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy headers on all responses.
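A check for the transport and header policy stated under "Encryption in transit" and "Security headers", as an added example that is not Konforme's code. It parses the Strict-Transport-Security value rather than string-matching it, so a max-age shorter than a year or a missing includeSubDomains is reported even when a header is present. The sample responses are constructed for the example; the decision to flag 'unsafe-inline' and 'unsafe-eval' in the CSP is this example's interpretation of "strict".

```python
# Added example, not Konforme's code.
HSTS_MIN_AGE = 31_536_000   # one year, the value the page commits to

REQUIRED = {                # header (lower-cased) -> expected value
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}


def parse_hsts(value: str) -> tuple:
    """Return (max_age or None, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None          # unparsable max-age counts as absent
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the response meets the policy."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age below one year: {hsts!r}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")

    for name, expected in REQUIRED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"{name} missing")
        elif got.strip().lower() != expected.lower():
            findings.append(f"{name} is {got!r}, expected {expected!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows unsafe-inline or unsafe-eval")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


# Constructed sample responses (not captured from any real server).
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}
```

Run it against live responses by passing the header mapping from whatever HTTP client you use; the point of parsing HSTS is that "max-age=300" looks like a present header to a naive check yet gives almost no protection.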
Read-only cloud access
When scanning your AWS or Azure infrastructure, Konforme uses read-only credentials. We never modify your cloud resources. Credentials are encrypted at rest and can be revoked at any time.
iii. Data protection & GDPR.

Konforme is designed to be GDPR compliant from the ground up. We collect only the data necessary to provide our service. User data is never sold to third parties. Account deletion permanently removes all associated data including scan results, assessment answers, and credentials.

Practice and detail:
Data minimisation: We collect only what is needed for compliance assessment. No tracking pixels, no third-party analytics.
Right to erasure: Account deletion removes all user data. Cloud credentials are cleared immediately on account soft-delete.
Data portability: Export your compliance data as PDF reports at any time. Assessment data can be exported on request.
Sub-processors: AWS (hosting), Netlify (marketing site), SES (transactional email). All processing is EU-based.
Breach notification: In the event of a personal data breach, we notify the supervisory authority within 72 hours and affected users without undue delay, as GDPR Articles 33 and 34 require.
iv. Responsible disclosure.

If you discover a security vulnerability in Konforme, please report it to konform@konforme.io. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before any public disclosure.