Security & Trust Hub

We build ShieldShed to the same standards we help our customers meet.

Application & code security

Every repository is continuously scanned for vulnerable dependencies and leaked secrets with Trivy (open source) in our CI pipeline — on every change and on a daily schedule — with findings tracked to resolution.

  • Dependency (SCA) and secret scanning on every pull request and daily
  • Mandatory code review, linting, type-checking and automated tests before merge
  • Security headers on every response: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and CSP

Security incident history

No security incidents have been reported to date.

Reliability & uptime

Our services are monitored around the clock by an independent, external provider. See live status and history on our public status page.

Encryption & access control

  • All traffic encrypted in transit with TLS 1.2+ and HSTS
  • Sensitive OAuth tokens (Microsoft Entra ID) encrypted at rest with AES-256-GCM
  • Strict multi-tenant isolation — every data query is scoped to your organization
  • JWT-based authentication with an enforced password policy

Data residency & hosting

All service data is stored in the European Union — Microsoft Azure, West Europe region (Netherlands).

SubprocessorPurposeRegion
Microsoft AzureCloud hosting & databaseEU — West Europe (Netherlands)
StripePayment processingEU / US (SCCs)
Microsoft GraphTransactional email & Entra ID integrationEU
Google AnalyticsWebsite analytics (consent-gated)US (EU-US DPF)
Számlázz.huInvoicingEU — Hungary
CookiebotCookie consent managementEU

Privacy & GDPR

  • Self-service data export and account deletion (with a 30-day grace period)
  • Right to restrict processing, honoured across all data endpoints
  • Full audit log of account and data activity
  • Data Processing Agreement (DPA) available on request
  • Cookie consent managed via Cookiebot

See our Privacy Policy for full detail.

Independent verification

Responsible disclosure

Found a security issue? We appreciate responsible disclosure. Email security@shieldshed.com — see our security.txt. We aim to acknowledge reports promptly.