Security

Last updated: 2025-08-27

Transport security

All PODFY properties enforce HTTPS. The app domain (.app) is HSTS-preloaded. We also enable TLS 1.2+ and HTTP/3 on our edge.

Data location & retention

We support EU data residency for product data and allow per-customer retention windows for Proof-of-Delivery (POD) documents.

Access control

Role-based access, per-customer isolation, signed URLs for uploads/downloads, and audit logging for views/downloads.

Compliance

We follow GDPR principles and offer a Data Processing Addendum (DPA) for customers where applicable.

Vulnerability reporting

If you believe you’ve found a security issue, please email [email protected].

• Acknowledgement: within 3 business days.
• Triage/initial assessment: within 7 business days.
• Remediation targets: Critical 7d, High 30d, Medium 90d, Low 180d (guidelines).

For scope, rules of engagement, safe harbor, and credit, see our full policy:

• PODFY Security Policy (SECURITY.md)
• /.well-known/security.txt

Contact

Security contact: [email protected]. We aim to acknowledge within 3 business days.