Security Policy

Last updated: 1 October 2025

1. Introduction

Thank you for using Databeamer by Full Join! We value your trust in our software.
In return, we ask you to use our services responsibly.

1.1 Purpose

This Security Policy outlines how we approach security across our
Databeamer platform, infrastructure and development processes. It also provides
clear guidance for external parties wishing to report potential vulnerabilities.

1.2 Our commitment to security

We are committed to protecting the confidentiality, integrity, and availability
of our systems and the data entrusted to us by our users. We follow best
practices in software development, infrastructure hardening, encryption and
access management, appropriate to our size and risk profile.

1.3 Scope

This policy applies to:

  • The Databeamer web application and any (future) related mobile/desktop apps;
  • All software and services under the domain(s) databeamer.io and databeamer.eu;
  • Our API endpoints and hosted infrastructure.

Our comprehensive policy for safeguarding customer data and privacy, including
in relation to supporting services outside the Databeamer platform (such as
ticketing tools), is detailed in our Data Processing Agreement.

1.4 Data Hosting & Sovereignty

We are committed to full European data residency and jurisdictional independence.

  • Our services are exclusively offered to customers located in the EU, UK, Norway, and Switzerland;
  • We do not rely on U.S.-based infrastructure, tools, or platforms for core operations;
  • All data (including authentication information, user account data, metadata, and transferred content) is hosted entirely within the EU by a European-owned cloud provider;
  • As a result, customer data remains fully governed by European data protection laws and cannot be subject to foreign legislation such as the U.S. CLOUD Act.

By maintaining this level of European control, we ensure that personal data and
transferred files remain within protected jurisdictions, reinforcing our
commitment to data privacy, regulatory compliance, and digital sovereignty.

2. Technical security practices

Our Databeamer service is designed with security and privacy at its core. By
integrating technical safeguards at every level of our architecture, we ensure
that data remains confidential, intact and available, both at rest and in
transit. These measures form the foundation of our technical security strategy.
Together with organizational safeguards and our incident response process, they
ensure that customer data is protected against both internal and external
threats.

2.1 End-to-end encryption (E2EE)

All data traffic between sender and recipient is protected with end-to-end
encryption. This ensures that files and messages are encrypted from the moment
they are sent and can only be decrypted by the intended recipients. As a result,
our organization and development team do not have access to any unencrypted
customer data, guaranteeing maximum privacy and security.

AEAD streaming encryption

During transmission and storage, we use advanced AEAD streaming encryption
(Authenticated Encryption with Associated Data), which ensures both
confidentiality and integrity.

Streaming cipher

We rely on modern cryptographic techniques such as ChaCha20-Poly1305 in
combination with HKDF-SHA256 for key derivation. This streaming cipher
technology allows us to efficiently and securely encrypt and process arbitrarily
large files without size limitations.

Multi-recipient

Databeamer also supports multiple recipient encryption, enabling one file to be
securely shared with multiple recipients without creating separate encrypted
copies for each.

Data Integrity with Checksum Validation

To ensure the integrity of files and messages during transfer, Databeamer uses
checksum validation. A cryptographic
hash is generated on the sender’s side and verified on the recipient’s side,
confirming that the file or message has not been altered, corrupted, or tampered
with during transit. This mechanism complements our end-to-end encryption (E2EE)
by not only securing the contents from unauthorized access but also ensuring the
content received is exactly what was sent. This validation is performed
automatically and transparently, requiring no user interaction.

2.2 Authentication and authorization

We enforce strict identity and access management measures to ensure that only
authorized users can access our systems and services. All access is governed by
the principles of least privilege and need-to-know, helping to reduce the risk
of data exposure and account compromise.

Mandatory Multi-Factor Authentication (MFA)

MFA is enforced for all Databeamer accounts to strengthen login security.

Role-Based Access Control (RBAC)

Access to data and system functionalities is governed by predefined roles,
ensuring users can only access what is necessary for their responsibilities.

Authentication monitoring

Login attempts are logged and monitored for anomalies such as brute-force
attacks, repeated failed attempts, or access from suspicious IP addresses or
geolocations.

Timely access revocation

Access is revoked immediately upon termination or plan change, and access rights
are reviewed regularly.

2.3 Logging and Monitoring

Continuous monitoring and secure logging are vital components of our operational
security. These practices help us detect abnormal behavior, respond to incidents
quickly, and ensure accountability across our systems.

Centralized logging

All significant system events and user actions are securely logged in a
tamper-resistant, centralized system.

Retention and integrity

Logs are protected from modification and retained for the duration defined in
our internal policies and legal obligations.

Real-time monitoring and alerting

We use automated systems to detect suspicious activity and raise alerts,
enabling swift incident response.

Incident response readiness

All security incidents are handled according to a documented Incident Response
Plan, which is partly outlined in our Data Processing Agreement (DPA).

2.4 Application security

We follow secure development practices to proactively minimize vulnerabilities
and ensure the robustness of our platform. Our approach is grounded in the
principles of the Secure Software Development Lifecycle (SSDLC).

Automated security scans

Source code is regularly scanned using Static and Dynamic Application Security
Testing (SAST/DAST) tools.

Peer code reviews

All changes are reviewed with a focus on identifying and mitigating OWASP Top 10
risks.

Regular penetration testing

Security assessments are regularly conducted to validate our defenses against
real-world threats.

Input validation and sanitization

All user-provided data is validated and sanitized to protect against injection
attacks such as XSS or SQL injection.

Vulnerability management

Dependencies and libraries are kept up to date, and security patches are applied
promptly as part of our regular update cycle.

These controls are designed to ensure our codebase remains resilient against
both common and emerging threats.

2.5 Network security

We implement robust network-level protections to defend our infrastructure and
maintain the confidentiality and availability of customer data. This layer
complements our infrastructure security controls (see §3.4) and focuses on
isolating environments, restricting access, and protecting against external
threats.

Environment segregation

Production systems are logically separated from development and testing
environments to prevent accidental crossover or data leakage.

Secure access protocols

All infrastructure access is restricted through VPN and SSH connections secured
by key-based authentication.

Firewall protections

Firewalls, Web Application Firewalls (WAF), and additional network filters are
used to block unauthorized access and detect malicious traffic.

Abuse prevention

We enforce rate limiting, monitor for unusual patterns, and implement DDoS
mitigation strategies to ensure service continuity and performance.

2.6 Data minimization and redaction

Due to the end-to-end encrypted (E2EE) nature of the Service, we do not have
access to the content of files or messages transferred between users. This means
we cannot read, monitor, modify, or retain the decrypted contents of any
personal data exchanged through the platform.

In addition to the encrypted customer content, we only collect the minimal data required to operate and support the Service. This includes:

  • Transfer metadata such as timestamps and file sizes, which are necessary for core functionality, diagnostics, and support, as outlined in our Terms of Service;
  • Automatic redaction and anonymization, built into the file transfer logic, to strip or mask sensitive values (e.g., account details, API tokens, or passwords) from any service-level logs or analytics;
  • Session Replay (optional and used only for troubleshooting), where sensitive input fields are automatically masked to protect personal or confidential information during session recording.

These measures ensure that only the strictly necessary data is processed, and
that personal or sensitive information is never exposed unnecessarily, in line
with data minimization principles under the GDPR.

2.7 Backup and recovery

We have implemented backup and recovery practices to safeguard critical service
data and maintain service continuity. Due to the end-to-end encryption (E2EE)
nature of our platform, transferred content (files and messages) is never
included in backups.

  • Service infrastructure and operational data (excluding transferred user content) are backed up daily;
  • Backups are encrypted and stored in a geographically separated, secure location within the EU;
  • Recovery procedures are tested regularly through documented disaster recovery exercises;
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined in line with the platform’s risk profile.

Note: Transferred customer content is not recoverable after deletion or
expiry, by design.

2.8 Retention and deletion

The following retention and deletion practices apply to the use of the
Databeamer Services:

  • Transferred files and messages are retained for a maximum of three (3) days from the time of upload. After this period, the content is automatically and permanently deleted. Only minimal metadata related to the transfer (such as timestamps and file size) may be retained for operational, support, and compliance purposes;
  • Other service-related data (as described in §3.6 Data Minimization and Redaction) is retained only as long as necessary to fulfill business, contractual, or legal obligations;
  • When retention periods expire, data is irreversibly deleted from our systems using industry-standard deletion methods;
  • End-to-end encryption (E2EE) ensures that we never store or access decrypted content. As such, once transferred files or messages are deleted or expired, they cannot be recovered or returned;
  • For any non-encrypted data collected in connection with account usage or metadata, customers may request deletion in accordance with applicable data protection laws.

Please refer to our Data Processing Agreement (DPA)
for further guidance.

2.9 Audit and compliance

We regularly evaluate the effectiveness of our security controls and compliance posture through internal and, where relevant, external assessments.

  • Internal audits are conducted to verify adherence to this Security Policy and related controls;
  • Logs of relevant system and user actions are retained to support auditability and accountability (see also §3.3 Logging and Monitoring);
  • Where required, independent audits or third-party assessments (e.g., ISO 27001, SOC 2) may be carried out to validate our practices;
  • Upon request, and where necessary, we may provide supporting technical documentation to assist with customer audit obligations (see also DPA chapter 8 Right to Audit);
  • Compliance with applicable regulations and security standards is monitored continuously.

3. Organisational security practices

Information security is not treated as a standalone responsibility within our
company, but as an integral part of how we operate. Both at a strategic and
operational level, we have clear roles, responsibilities, and processes in place
to safeguard the security of our platform and the data entrusted to us by our
customers.

3.1 Security responsibility

Ultimate responsibility for information security lies with the management.
Day-to-day coordination and oversight of security measures is handled by our
designated Security Officer, who works closely with all team members to embed
security practices throughout our organisation and within the Databeamer
application.

3.2 Policies and governance

We maintain a formal internal Information Security Policy, which is reviewed and
updated periodically. All employees are required to accept and adhere to this
policy as part of their onboarding process.

3.3 Employee Awareness

We invest in ongoing security awareness and training. New employees receive
onboarding training covering our key security principles, procedures, and
behavioral expectations. In addition, we conduct periodic (at least annual)
training sessions to keep knowledge up to date, covering topics such as
phishing, password management, and the secure handling of sensitive data.

3.4 Access Management

Access to systems and data is granted based on the principle of least privilege
and need-to-know. We implement the following controls across critical systems,
including both our Databeamer platform and tools used to support our service
operations (such as billing or analytics):

  • Multi-Factor Authentication (MFA) on all critical systems;
  • Role-Based Access Control (RBAC) to limit access to specific data and functions;
  • Regular reviews of employees' access rights and permissions;
  • Former employees' access is revoked immediately upon termination.

3.5 Subprocessors and partners

We take a risk-based approach to working with third-party service providers and
partners. Subprocessors are selected based on their security posture, and where
applicable, we use Data Processing Agreements (DPAs) and conduct security
assessments to ensure compliance with our standards.

Third parties that have access to customer data are subject to vetting and
ongoing evaluation to ensure adherence to appropriate security and privacy
practices. Wherever possible, subprocessors are selected based on their European
presence and ownership structure. Preference is given to providers that are
headquartered in Europe and have no non-European parent companies or investors,
to ensure better alignment with EU data protection principles and sovereignty.

A current list of authorized subprocessors is available upon request. More
information about subprocessors and maintaining privacy is described in our
Data Processing Agreement (DPA).

4. Reporting a vulnerability

At Full Join, we take the security of our Databeamer platform and our users
seriously. Despite the care we take to secure our systems, vulnerabilities can
still occur. That’s why we welcome reports from security researchers, ethical
hackers, and others who discover potential weaknesses in our applications or
infrastructure.

This section outlines how you can responsibly report a security vulnerability,
what you can expect from our team in response, the principles of responsible
disclosure we follow, and which types of findings fall outside the scope of our
policy. See also our Acceptable Use Policy.

By working together, we can improve the safety and reliability of our platform
for everyone.

4.1 How to report

We value the contributions of the security community. If you believe you’ve discovered a vulnerability in our systems:

  • Please email us at: security@databeamer.io or preferably;
  • Please use our PGP key for sensitive security reports;
  • Include as much detail as possible (e.g., steps to reproduce, tools used, screenshots);
  • Do not exploit the vulnerability or access user data;
  • Allow us a reasonable time to investigate and respond before disclosing publicly.

4.2 What to expect from us

If you submit a valid vulnerability report, we will:

  • Acknowledge receipt within 5 business days;
  • Provide a status update within 10 business days;
  • Work to remediate the issue as quickly as possible;
  • Not pursue any legal actions or loss of access if you follow the rules;
  • Credit you publicly, if desired (and permitted).

4.3 Responsible disclosure guidelines

We kindly ask that you:

  • Avoid any actions that could cause harm (e.g., data destruction, denial of service, brute-force attacks);
  • Do not access or modify data that isn’t your own;
  • Cooperate with our team as much as possible;
  • Give us time to fix the issue before you share it publicly.

4.4 Exclusions

While we appreciate all efforts to help improve the security of our Databeamer
service, certain types of findings fall outside the scope of our responsible
disclosure program. The following issues are typically considered low-risk,
accepted limitations, or do not represent meaningful security vulnerabilities.
Reports focusing solely on these areas may not receive a response:

  • Spam reports;
  • Outdated browser issues;
  • Social engineering;
  • Lack of SPF/DKIM/DMARC;
  • Clickjacking on non-sensitive pages;
  • Rate-limiting bypass unless demonstrably exploitable.

5. Updates & contact

We may revise this Security Policy from time to time to reflect changes to our
services, or to meet legal and regulatory requirements. We encourage you to
check this page periodically to stay informed.

The “last updated” date at the top of this page shows when this policy was most
recently reviewed.