Security

We keep your data
where we can see it.

We take your eshop data and your customers' data seriously. This page describes how we approach security: where our servers run, how we encrypt traffic and sensitive data, and how we stay compliant with the GDPR. We only write about what is actually in place.

The foundation

Dedicated infrastructure in the EU

Behio does not run on shared hosting. We have our own dedicated servers, so we know exactly where your data sits and who can reach it.

Our own servers in Germany

The application runs on dedicated servers at Hetzner in Germany, not on shared hosting where you split performance with unknown sites.

Cloudflare in the EU in front

Traffic passes first through Cloudflare's EU infrastructure, which caches content close to your visitors and filters malicious traffic before it reaches our servers, so our origin IPs are not exposed directly to the internet.

Storage under EU jurisdiction

We store files and images under European Union jurisdiction, not beyond the reach of European rules.

How we protect data

Encryption at every layer

All traffic between your browser and the platform is served over TLS only; nothing travels in the clear. Sensitive data such as API keys and third-party credentials is additionally encrypted with AES-256-GCM at the application level before it is written to the database, so database contents alone, without the application's key, do not reveal them.

GDPR without the asterisks

Our processing of personal data is described in the privacy policy, including the list of sub-processors. You can export your data from the platform at any time, so portability is covered. The data processing agreement is available to download.

Data isolated per organization

Every database query is scoped to your organization. Only a user holding the role and permission for that data can read it, and nothing more. One organization never sees another organization's data.
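Application-level encryption of a stored credential with AES-256-GCM, where the ciphertext is also bound to the owning organization, is the combination the two sections above describe. The Go program below is an added example written for this page, not Behio's code; the key, organization identifiers, field name and sample credential are constructed for illustration. The organization ID and column name go into GCM's associated data, so a record copied into another organization's row fails to decrypt even with the correct key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aad builds the associated data for one stored value. GCM authenticates it
// without encrypting it, so a ciphertext moved to another organization's row,
// or to a different column, fails to open even under the right key.
func aad(orgID, field string) []byte {
	return []byte(orgID + "\x00" + field)
}

// newGCM wraps a 32-byte key as AES-256-GCM (96-bit nonce, 128-bit tag).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts plaintext for one organization and field.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func sealSecret(key []byte, orgID, field string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing a nonce under the same key
	// breaks both confidentiality and forgery resistance of GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad(orgID, field)), nil
}

// openSecret decrypts a blob produced by sealSecret. Any change to the nonce,
// ciphertext, tag or associated data makes Open return an error.
func openSecret(key []byte, orgID, field string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad(orgID, field))
}

func main() {
	// Constructed demo key. A real deployment loads it from a KMS or secret
	// store, never from the same database that holds the ciphertexts.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	secret := []byte("sk_live_constructed_example") // constructed sample value

	blob, err := sealSecret(key, "org-a", "payment_gateway_key", secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes\n", len(blob))

	pt, err := openSecret(key, "org-a", "payment_gateway_key", blob)
	fmt.Printf("same org:    %q err=%v\n", pt, err)

	_, err = openSecret(key, "org-b", "payment_gateway_key", blob)
	fmt.Printf("other org:   err=%v\n", err) // fails: associated data mismatch

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = openSecret(key, "org-a", "payment_gateway_key", blob)
	fmt.Printf("tampered:    err=%v\n", err) // fails: authentication error
}
```

Two operational caveats follow from the construction: the key must live outside the database (a KMS, HSM or secret store), and with random 96-bit nonces a single key should be rotated well before 2^32 encryptions, which NIST gives as the limit for random-nonce GCM.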

AI done honestly

AI features run through contracted processors, Anthropic and OpenAI, which you find in the list of sub-processors. We use your eshop data only for tasks you request yourself. Under these providers' terms, API data is not used to train their models.

Responsible vulnerability disclosure

Found a security issue? Write to us at [email protected]. The rules for responsible disclosure are published in the /.well-known/security.txt file on our domain. We take every report seriously and reply to every one.

What we are working on

Security is never finished

We do not want to claim badges we do not yet hold. We would rather tell you plainly what is coming.

Two-factor authentication (2FA)

We are working on 2FA for admin sign-in, so a leaked password alone cannot open the account.

Formal certification

We are considering SOC 2 certification as our enterprise segment grows. Until we have it, we do not claim we do.

A question about security?

Write to us and we will gladly explain how we protect your data. The list of sub-processors and a signed data processing agreement are available on request.