Security & Trust Hub
We build ShieldShed to the same standards we help our customers meet.
Application & code security
Every repository is continuously scanned for vulnerable dependencies and leaked secrets with Trivy (open source) in our CI pipeline — on every change and on a daily schedule — with findings tracked to resolution.
- Dependency (SCA) and secret scanning on every pull request and daily
- Mandatory code review, linting, type-checking and automated tests before merge
- Security headers on every response: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and CSP
Security incident history
No security incidents have been reported to date.
Reliability & uptime
Our services are monitored around the clock by an independent, external provider. See live status and history on our public status page.
Encryption & access control
- All traffic encrypted in transit with TLS 1.2+ and HSTS
- Sensitive OAuth tokens (Microsoft Entra ID) encrypted at rest with AES-256-GCM
- Strict multi-tenant isolation — every data query is scoped to your organization
- JWT-based authentication with an enforced password policy
Data residency & hosting
All service data is stored in the European Union — Microsoft Azure, West Europe region (Netherlands).
| Subprocessor | Purpose | Region |
|---|---|---|
| Microsoft Azure | Cloud hosting & database | EU — West Europe (Netherlands) |
| Stripe | Payment processing | EU / US (SCCs) |
| Microsoft Graph | Transactional email & Entra ID integration | EU |
| Google Analytics | Website analytics (consent-gated) | US (EU-US DPF) |
| Számlázz.hu | Invoicing | EU — Hungary |
| Cookiebot | Cookie consent management | EU |
Privacy & GDPR
- Self-service data export and account deletion (with a 30-day grace period)
- Right to restrict processing, honoured across all data endpoints
- Full audit log of account and data activity
- Data Processing Agreement (DPA) available on request
- Cookie consent managed via Cookiebot
See our Privacy Policy for full detail.
Independent verification
Verify our public configuration for yourself:
Responsible disclosure
Found a security issue? We appreciate responsible disclosure. Email security@shieldshed.com — see our security.txt. We aim to acknowledge reports promptly.