Security overview.

Last updated: 19 April 2026

How we handle your data, our infrastructure, and the uncomfortable questions. No certifications we don't hold. No claims we can't back up.

1. Our approach

Security is a product feature. Four principles shape every decision:

  1. Fewer vendors, chosen carefully. Every sub-processor is an attack surface.
  2. Least privilege, everywhere. Everything scoped to the minimum needed to do the job.
  3. Transparency on incidents. Plain-English post-mortems, no boilerplate.
  4. No security theatre. We don't claim certifications we don't hold.

2. Data

In transit: TLS 1.2+ on all traffic, HTTPS enforced on every domain.

At rest: AES-256 encryption on databases and file storage. Separate key management for backups.

In use: data is decrypted to process it; access control protects the process.

Access control: RBAC, mandatory MFA, individually-named accounts, quarterly access reviews, 24-hour access removal on staff departure.

Backups: daily automated backups with point-in-time recovery. Cross-region redundancy. Restoration drills at least quarterly.

3. People & process

Confidentiality agreements with all staff and contractors. Background checks within local law for staff with production access. Security training on onboarding; annual refresher covering current threats (phishing, prompt injection, social engineering). Secure SDLC with mandatory code review on auth, payment, and personal-data changes. Infrastructure-as-code. Staging environment for every change. Secrets in a managed vault. Weekly vulnerability scans. Annual penetration test by an independent third party.

4. Incident response

Documented and rehearsed annually. 5-minute acknowledgement target during active incidents. Plain-English post-mortems published within 7 days for incidents lasting over 15 minutes or affecting more than 10% of customers. 48-hour breach notification to customers as processor; 72-hour notification to supervisory authorities where required.

5. Infrastructure

Hosting: enterprise-grade managed hosting platform with an EU origin region (Frankfurt) and global edge CDN. The hosting provider holds SOC 2 Type 2 and ISO 27001 certifications.

Database: serverless Postgres in the European Union (Frankfurt — eu-central-1). Customer personal data is at rest in the EU. Provider holds SOC 2 Type 2.

Network: WAF and DDoS protection at the edge. Rate limiting on all public endpoints. Private networking between service components where supported.

Observability: centralised logging, automated alerting on anomalies, 24/7 uptime monitoring.

Data residency summary

  • Data at rest: European Union (Frankfurt).
  • Data in transit: TLS-encrypted via global edge CDN.
  • Cross-border processing: payments (US/Ireland) and LLM-assisted features (US) — both under SCCs + UK Addendum.

If you need stricter guarantees, get in touch before signing up. Provider names are on our Sub-processor list.

6. Third parties

A small, carefully chosen list of sub-processors; the current list is published on our Sub-processors page. Every sub-processor is bound by a DPA at least as strict as ours. Our LLM provider is contractually prohibited from training on customer data. Payment card data is never stored by us.

7. Compliance

We comply with: data protection law in each market we serve (see Privacy Policy), SCCs for EEA/UK transfers, WCAG 2.2 AA accessibility on customer sites, PCI DSS via our payment-processor relationship.

We don't yet hold: SOC 2 Type 2 or ISO 27001 organisational certifications. Our sub-processors carry those; our own organisation does not. We'll pursue certification as customer needs require it. If you require our company-level certification today, we won't satisfy that requirement.

8. Responsible disclosure

Found a vulnerability? Report it to security@digitalserpents.com with details. We acknowledge every report within 48 hours. We don't publish details until the issue is fixed. Rewards at our discretion: $50–$1,000 depending on severity. Safe harbour applies to good-faith research within this policy.

In scope: digitalserpents.com and subdomains, customer dashboard, signup and billing flow, guided brief, LLM-assisted features, platform-level issues on customer sites.

Out of scope: customer-provided content; third-party sub-processor vulnerabilities; social engineering; physical attacks; denial-of-service attacks.

9. When we miss

You hear from us first. Plain-English post-mortems, sent directly to affected customers and published on the blog where appropriate. Breach notification within 48 hours of awareness where personal data is exposed. Post-mortems stay published, dated, and unedited.

10. More detail

Privacy Policy · DPA · Sub-processors · Cookie Policy · Terms of Service

Security contact: security@digitalserpents.com