Your data security is our priority
Enterprise-grade encryption, compliance certifications, and transparent security practices protect your data at every level.
Last updated June 2026 · By Widgets PRO Team
Encryption at Rest
All data encrypted with AES-256. Database, backups, and file storage — everything encrypted.
Encryption in Transit
TLS 1.3 for all connections. Certificate pinning on mobile apps.
EU Data Residency
All data stored and processed in EU-based data centers. No transatlantic transfers.
SOC 2 Type II
Annual SOC 2 audit covering security, availability, and confidentiality.
Penetration Testing
Regular third-party penetration tests with published summary reports.
Bug Bounty
Responsible disclosure program with rewards for security researchers.
Security architecture
Defense in depth across every layer — network isolation, least-privilege access, automated threat detection, and incident response procedures tested quarterly.
- Network segmentation and isolation
- Principle of least privilege
- Automated threat detection
- Quarterly incident response drills
Compliance
We maintain compliance with major regulatory frameworks and undergo regular independent audits to verify our security posture.
- GDPR compliant
- SOC 2 Type II certified
- ISO 27001 aligned
- Regular independent audits
Frequently asked questions
EU by default — Frankfurt region on Fly.io. Encryption at rest (AES-256), TLS 1.3 in transit. Enterprise customers can pin to a specific region (US, EU, APAC) or run fully self-hosted including air-gapped deployments.
GDPR-compliant by design (EU residency, DPA available under Article 28). SOC 2 Type II audit is in progress. ISO 27001 alignment with regular independent audits. Pre-launch — public certification dates land when the next audit cycle completes.
Only members of your workspace. Internal access for support or debugging is logged, scoped to specific incidents, and requires written customer consent. We never use customer data to train AI models. Sub-processors are listed in the DPA.
Workspace data (dashboards, widgets, integrations, members) is permanently deleted within 30 days. Backups roll off after 90 days. Audit log retention can be extended on Enterprise. We provide a full data export via GraphQL before deletion.