Security
Last updated: 9 May 2026 · How we protect your data and listings.
Hosting + data residency
FloorVia infrastructure runs in EU data centres (Hetzner, Falkenstein DE / Helsinki FI). All customer data — accounts, listings, leads, uploads, generated 3D scenes — stays inside the EU. No cross-border transfers.
Encryption
In transitTLS 1.2+ on every public endpoint (Let's Encrypt, auto-renewed). HSTS enforced.
At restPostgreSQL 16 on encrypted block storage (LUKS dm-crypt). Backups encrypted with age before off-site copy.
SecretsStored in 600-perm root-only env files. Never logged. Never committed.
PasswordsNone. Magic-link auth only — no password to leak. JWT cookies, HMAC-SHA256, HTTP-only, Secure, SameSite=Lax.
Access control
- Tier-gated download endpoints (trial = view-only, paid = full export)
- Admin pages restricted to allow-listed email addresses, server-side
- SSH access on private VPN (WireGuard, 10.10.10.0/24) — no public SSH
- UFW firewall + Cloudflare-fronted public ingress
- Per-route rate limiting (10 req/min on form endpoints)
Application security
- Helmet middleware (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- CSRF-safe cookies (SameSite=Lax) + JWT auth
- Input validation at every boundary (zod-style explicit checks)
- Anti-spam math gate on public forms
- File upload type allow-list (JPEG, PNG, WebP, PDF only) + 15 MB cap
- SQL — parameterised queries via pg, no string concatenation
- Secret scanning (Kingfisher) runs weekly; findings trigger WhatsApp alert
Backups + recovery
- Postgres dumps every 24 h at 03:30 CET, 14-day retention
- Asset directory snapshot daily, encrypted, off-site
- Tested restore procedure — RPO 24 h, RTO < 4 h
- PM2 process auto-restart + health-check every 15 min
Monitoring + incident response
- HTTP, DB, SSL expiry, backup freshness all monitored every 15 min
- Failures route to operator WhatsApp within 60 s
- Audit log of all admin actions kept ≥ 12 months
- Critical incidents disclosed to affected users within 72 h per GDPR Art. 33
Payments
Card data never reaches FloorVia servers. All payments are processed by Stripe Payments Europe — PCI-DSS Level 1 certified. We store only Stripe customer + subscription IDs.
Vulnerability reports
Found something? Email security@floorvia.com. We acknowledge within 48 h. No bounty programme yet but we credit researchers who follow responsible disclosure.
Questions?
General: hello@floorvia.com
Security: security@floorvia.com
Data Protection: dpo@floorvia.com