Encryption in transit
All traffic is served exclusively over HTTPS with TLS 1.2+. HSTS is enforced; HTTP requests are auto-redirected. Modern cipher suites only (no SSLv3 / TLS 1.0 / 1.1).
APower Flex is engineered for European businesses that require strict data protection, encryption and auditability, all under EU jurisdiction and fully aligned with the General Data Protection Regulation (GDPR).
Tenant data is stored on Azure SQL with Transparent Data Encryption (AES-256). Backups and disks are encrypted. Secrets and keys are held in Azure Key Vault, never in source code.
Passwords are never stored in plain text. We use PBKDF2-SHA256 with a 32-byte random salt and 100,000 iterations, verified in constant time to prevent timing attacks.
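The scheme above, written out as an added example (not APower Flex's own code): PBKDF2-HMAC-SHA256 with a fresh 32-byte salt per user, 100,000 iterations, and a constant-time comparison on verification. The `scheme$iterations$salt$digest` record layout and the `needs_rehash` helper are my assumptions about how the parameters might be stored alongside the hash; the page states only the parameters themselves.

```python
import hashlib
import hmac
import os

HASH_NAME = "sha256"
ITERATIONS = 100_000      # work factor stated on the page
SALT_BYTES = 32           # 32-byte random salt per user
SCHEME = "pbkdf2_sha256"  # assumed record label, not from the page


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)                      # new random salt for every hash
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, int(iterations))
    except ValueError:  # malformed record: wrong field count, bad hex or iteration count
        return False
    # compare_digest does not stop at the first differing byte, so the elapsed
    # time does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record predates the current work factor (rehash on next login)."""
    try:
        scheme, stored_iterations, _salt, _digest = record.split("$")
        return scheme != SCHEME or int(stored_iterations) < iterations
    except ValueError:
        return True
```

Because the iteration count travels with the record, the work factor can be raised later and old records upgraded transparently the next time the user authenticates.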
Production data is hosted exclusively in European Union Azure regions. No data leaves the EU. No US-only sub-processors are used for storage or processing.
Every customer is a separate tenant. All queries are scoped by TenantId server-side.
JWT tokens carry the tenant claim and are signed with a 256-bit secret.
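An added example (not APower Flex's code) tying the two statements above together with the parameters from the summary table: an HS256 JWT is verified against a pinned algorithm, a 256-bit key, the expected issuer and audience and the lifetime with a 60-second skew; the tenant identifier is then taken from the verified claim set, never from the request, and bound into every SQL statement. The claim name `tenant_id`, the `invoices` table and the sample rows are constructed for the example; `mint_token` stands in for whatever the login endpoint issues.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
import time

CLOCK_SKEW_SECONDS = 60      # 1-minute clock skew from the summary table
TENANT_CLAIM = "tenant_id"   # assumed claim name; the page says only "the tenant claim"


class TokenError(ValueError):
    """Raised for any token that must be rejected."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT (the login endpoint's job; here it builds sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify signature, issuer, audience and lifetime (with skew); return the claims."""
    if len(key) < 32:
        raise ValueError("HS256 key must be at least 256 bits")
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad field count, bad base64 and bad JSON
        raise TokenError("malformed token")
    # The verifier pins the algorithm; the token's own "alg" never chooses the check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # parsed only once the signature holds
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_SECONDS:
        raise TokenError("expired or missing exp")
    if nbf is not None and now < nbf - CLOCK_SKEW_SECONDS:
        raise TokenError("not yet valid")
    if not claims.get(TENANT_CLAIM):
        raise TokenError("missing tenant claim")
    return claims


def token_is_valid(token: str, key: bytes, issuer: str, audience: str, now=None) -> bool:
    """Boolean gate around validate_token for callers that only need accept/reject."""
    try:
        validate_token(token, key, issuer, audience, now)
        return True
    except TokenError:
        return False


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one table, as in a multi-tenant schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
                 "amount_cents INTEGER NOT NULL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, "tenant-a", 1200), (2, "tenant-a", 560), (3, "tenant-b", 9900)])
    return conn


class InvoiceRepository:
    """Every statement binds the tenant predicate; no method exists that omits it."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn, self._tenant_id = conn, tenant_id

    def get(self, invoice_id: int):
        row = self._conn.execute(
            "SELECT id, amount_cents FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id)).fetchone()
        return None if row is None else {"id": row[0], "amount_cents": row[1]}

    def update_amount(self, invoice_id: int, amount_cents: int) -> int:
        cur = self._conn.execute(
            "UPDATE invoices SET amount_cents = ? WHERE id = ? AND tenant_id = ?",
            (amount_cents, invoice_id, self._tenant_id))
        return cur.rowcount  # 0 when the id belongs to another tenant


def fetch_invoice(conn, token, key, issuer, audience, invoice_id, now=None):
    """Request handler: the tenant comes from the verified token, never from the request."""
    claims = validate_token(token, key, issuer, audience, now)
    return InvoiceRepository(conn, claims[TENANT_CLAIM]).get(invoice_id)
```

Two design points carry the isolation guarantee: the repository cannot be constructed without a tenant id, and a guessed primary key from another tenant yields an empty result or a zero row count rather than an error that would confirm the row exists.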
Subscription, user-role and privacy changes are written to an immutable audit trail. Administrators can export the full log in JSON at any time.
Strict Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy and Permissions-Policy are sent on every response.
Login is rate-limited to 6 attempts per minute per IP; the global API limit is 300 req/min per IP. Setup endpoints are even stricter (2 calls / 10 min).
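The limits above, implemented as an added example (not APower Flex's code) with a per-key sliding window, so that a client cannot reset its budget by waiting for a fixed boundary. The limits are the page's; the exact JSON error body and the `Retry-After` header are assumptions about what the 429 response contains.

```python
import math
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-key sliding-window counter: at most `limit` hits in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # key -> timestamps of counted hits

    def check(self, key: str, now: float) -> tuple:
        """Return (allowed, retry_after_seconds); a denied hit is not counted."""
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # drop hits that have aged out of the window
        if len(hits) >= self.limit:
            return False, max(1, math.ceil(hits[0] + self.window - now))
        hits.append(now)
        return True, 0


# Limits stated on the page, keyed by client IP.
LOGIN_LIMITER = SlidingWindowLimiter(6, 60)
SETUP_INIT_LIMITER = SlidingWindowLimiter(2, 600)
API_LIMITER = SlidingWindowLimiter(300, 60)


def gate(limiter: SlidingWindowLimiter, client_ip: str, now: float) -> dict:
    """Produce the response the API would send; 429 carries a JSON error and Retry-After."""
    allowed, retry_after = limiter.check(client_ip, now)
    if allowed:
        return {"status": 200, "headers": {}, "body": None}
    return {
        "status": 429,
        "headers": {"Retry-After": str(retry_after)},
        "body": {"error": "too_many_requests", "retry_after": retry_after},
    }
```

In production the `now` argument would be the request time and the deque would live in shared storage so that all instances behind a load balancer see the same counts.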
Export, rectification, restriction or deletion of personal data, fulfilled within GDPR deadlines via a one-click Data Subject Request.
APower Flex acts as a data processor on behalf of the customer (the controller). A Data Processing Agreement (DPA) under Art. 28 GDPR is available on request and forms part of the contractual terms.
| Control | Implementation |
|---|---|
| Transport encryption | TLS 1.2 and TLS 1.3, HSTS preload-ready, automatic HTTP → HTTPS redirect. |
| Storage encryption | Azure SQL Transparent Data Encryption (AES-256). Encrypted backups. |
| Password hashing | PBKDF2 / HMAC-SHA256, 100,000 iterations, 32-byte random salt per user, fixed-time verification. |
| Authentication | JWT Bearer with 256-bit symmetric key, validated issuer/audience/lifetime, 1-minute clock skew. |
| Secret management | Azure Key Vault via DefaultAzureCredential. No secrets in source or config files. |
| Security headers | CSP (default-src 'self'), X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy. |
| Rate limiting | Login: 6/min/IP · Setup-init: 2/10min/IP · API: 300/min/IP · 429 response with JSON error. |
| Tenant isolation | TenantId enforced server-side in every query. Cross-tenant access denied at the data layer. |
| Hosting region | European Union Azure regions only (e.g., West Europe / North Europe). |
| Backups | Automated, encrypted, geo-redundant within the EU. Tested restore procedures. |
| Logging & audit | Application audit trail for admin / privacy / DSR actions, exportable as JSON. |
We use a minimal set of carefully selected sub-processors. All process data exclusively in the EU or under approved transfer mechanisms.
A full, up-to-date sub-processor list is provided as an annex to the DPA on request.
Found a vulnerability? Please contact us privately at security@apowerflex.com. We respond within 2 business days and will keep you informed about remediation. Responsible disclosure is appreciated; please do not publicly disclose before a fix is available.
A PGP key for encrypted reports is available on request.