Security
Last updated: 4 June 2026
Security and data protection are at the core of Optimasoft. We build the platform in the European Union, with data stored in the EU and an approach designed around GDPR from day one. This page describes how we protect your data.
Encryption
- In transit: all traffic between your device and our servers is encrypted with TLS (TLS 1.2 or higher, over HTTPS); older protocol versions are not accepted.
- At rest: stored data and backups are encrypted.
Infrastructure and EU data residency
The platform is hosted on Amazon Web Services (AWS) cloud infrastructure, in a region located in Germany. Data is stored and processed entirely within the European Union and does not leave the EU/EEA.
The underlying AWS infrastructure is certified and attested against leading international information-security standards (including ISO 27001 certification and SOC 2 reports), and physical data-centre security is provided by AWS. Those certifications cover the infrastructure layer; our own processes and controls at the application layer are designed in line with the same standards.
Access control
- role-based access control (RBAC) and least-privilege principle;
- multi-factor authentication for internal and administrative access;
- individual, non-shared credentials for every person with access, and logging of that access;
- periodic access-rights reviews.
Data isolation
Optimasoft is a multi-tenant platform: customers share the underlying infrastructure, and separation between tenants is logical (enforced in the platform's data model) rather than physical. This separation ensures that one customer's data is not accessible to another customer.
Backups and continuity
We take regular automated backups, stored encrypted in the EU. We maintain recovery and business-continuity procedures so data can be restored in the event of an incident.
Vulnerability management
- software patch and update management;
- dependency scanning for known vulnerabilities;
- a secure development process with code review;
- separated development, staging and production environments.
Compliance
- GDPR: we process personal data in accordance with Regulation (EU) 2016/679. We offer customers a Data Processing Agreement (DPA) under Art. 28.
- Security standards: our controls are designed around the principles of leading standards (ISO 27001, SOC 2) and run on infrastructure that is certified against them.
Incident response
We maintain a security incident-response process. Where Optimasoft processes personal data on a customer's behalf (the usual case under the DPA), we notify the affected customer without undue delay after becoming aware of a breach affecting personal data, as Art. 33(2) GDPR requires of a processor, so that the customer as controller can meet its own 72-hour deadline for notifying the supervisory authority under Art. 33(1). Where Optimasoft itself is the controller of the affected data, we notify the competent supervisory authority within 72 hours of becoming aware of the breach.
Reporting a vulnerability
If you have found a security vulnerability in Optimasoft, please report it to us responsibly at:
We will review every good-faith report and will not take action against researchers who act in good faith.
Documentation for enterprise customers
Enterprise customers can request the Data Processing Agreement (DPA), the sub-processor list and additional security information during evaluation. Email us at security@optimasoft.io.