Security is the product.
Sekyr sits in the image path for hundreds of millions of container pulls each month, and we take that seriously. This page is the short version of how we run our own shop: policies, controls, certifications, and the people responsible. Everything here maps to an internal document, available on request or linked below.
- ISMS aligned with current standards
- Full compliance for EEA data subjects
- Baseline for all software development
- Incident disclosure commitment
Confidentiality is non-negotiable.
Sekyr customers hand us metadata about every container they run: image digests, runtime events, policy decisions. Handled badly, that data would describe the inside of your infrastructure more precisely than most penetration tests ever manage.
We protect that information without slowing the platform down. The rest of this page describes how.
Everything you'd want to read before buying.
We publish what we can, and the rest is one signed NDA away.
Policy: Information & Cyber Security Policy
The overarching policy governing information security, cyber security, and privacy across Sekyr. Every other control links back to it.
Read policy
Process: Incident Response Plan
Roles, escalation paths, and recovery procedures for security incidents and data breaches. Aligned with GDPR breach-notification obligations.
Read plan
Register: Sub-processor List
Every third party that processes customer data on our behalf, where they operate, and what they do. Updated on material changes.
View list
Legal: Data Processing Agreement
Standard DPA used with customers, with the Standard Contractual Clauses appended. Red-line friendly.
Download DPA
Attestation: Penetration Test Summary
High-level findings and remediation status from the most recent third-party assessment. Full report under NDA.
Request summary
Program: Vulnerability Disclosure Policy
How to report issues, what is in scope, and how we respond. A safe-harbour statement for researchers acting in good faith.
Read disclosure
What we actually do, day to day.
Safekeeping your data
- Data encryption
- TLS 1.3 for all traffic in transit. AES-256 at rest. Password material is hashed with Argon2id and is never reversible.
- Backups
- Hourly incrementals for core storage, daily fulls for warm storage. Restore tested quarterly on a clean environment.
- Key management
- Separation of duties between key custodians. Rotation on a fixed schedule; emergency rotation documented and drilled.
- Data minimisation
- We hold the least data that makes the product work. Retention windows are set per data class and enforced in code.
Application security
- OWASP Top 10
- All software development aligns with the current OWASP Top 10 and ASVS. Violations fail CI.
- Secure updates
- Every release passes our security standards gate (SAST, dependency audit, signed artefacts) before promotion.
- Patch management
- Zero-downtime releases. Critical patches ship within 24 hours of disclosure; non-critical on the weekly cadence.
- Code storage & review
- All code is reviewed by at least one other engineer before it lands. Version control is the source of truth; mirrors never are.
Identity & access
- SAML & SSO
- SAML 2.0 SSO available on all customer plans. We use it ourselves for every internal system.
- Two-factor authentication
- Required on every privileged path. Hardware-backed factors for production access.
- Principle of least privilege
- Access is granted by role, reviewed quarterly, and revoked the same day an employee changes role or leaves.
- Activity log
- Every access, change, and configuration event is logged to an append-only store and traceable to an individual.
Infrastructure
- Certified hosting
- Production runs on Hetzner in Nuremberg, Germany (nbg1). Hetzner is ISO/IEC 27001:2022 certified, BSI C5 Type 2 audited, and classified as a KRITIS operator of critical services under German law.
- Storage locations
- Data centres selected for environmental and physical-security factors. On-site controls include 24/7 manned entry, CCTV, and intrusion alarms.
- Continuity
- Deployed across multiple Hetzner availability zones within the Nuremberg region, with automatic failover and traffic steering that tolerates the loss of any single zone.
- Backup generators & power
- Our hosting provider maintains redundant power and generator capacity to keep operations continuous in a power event.
People & governance
- Security Team
- A named team accountable for this policy, the ISMS, and the rest of Sekyr's security work.
- Security training
- All staff complete security and privacy training on joining and annually thereafter. Engineers take additional secure-development training.
- Risk-based approach
- We optimise risk rather than minimise it. Assessments are integrated with business decisions and run on every material change.
- Continuous improvement
- Metrics, post-incident reviews, and management review cycles feed back into the ISMS each quarter.
We build on Hetzner for the same reason we exist: boring, dependable infrastructure.
Sekyr production runs in Hetzner's Nuremberg data centre (nbg1), on EU soil under German law. Hetzner handles the parts of information security that sit below our application:
- ISO/IEC 27001:2022 certification covering the information security management system, with no Annex A exclusions.
- BSI C5 Type 2 certification from the German Federal Office for Information Security. Type 2 means the controls have been independently tested over time, not just designed on paper.
- Classified as a KRITIS operator of critical services under German law, certified in accordance with §8a BSIG.
- Technical and organisational measures (TOMs) audited on a rolling basis by TÜV Rheinland; the audit protocol is available to us as a data processor.
- Physical controls at the Nuremberg site: 24/7 manned entry, CCTV, intrusion alarms, and environmental monitoring, with redundant power and generators for continuity.
We map our controls onto Hetzner's where that makes sense, and build the rest ourselves.
Report it to the Security Team.
Our Security Team owns the routines below and responds to disclosures around the clock. If you think you've spotted a breach on the Sekyr platform, write to us. Someone will look at it immediately.
Security disclosures
Data protection & privacy
GDPR representative for the EEA named in the Security Policy.