Security
Security & trust, written plainly.
Stedy holds your personal data. Here is how we protect it, who processes it, and how to reach us if you find a problem.
EU data residency
Application and database run in the European Union (Railway, Amsterdam). Analytics are hosted in PostHog's EU cloud. Data never leaves the EU for primary processing.
Encryption in transit
All traffic is TLS 1.2+. The entire `.app` TLD is on the browser HSTS preload list, so stedy.app is covered by HSTS preload and browsers refuse plain HTTP connections to it outright, before any request is sent.
Encryption at rest
Databases and backups are encrypted at rest by our infrastructure providers (Railway, Vercel). API keys are stored as salted hashes, never in plaintext.
Access control
Sign-in is Google OAuth only — we never store passwords. Production data access is limited to the founder and logged for audit. API keys use the `stdy_` prefix and can be revoked from Settings.
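The two API-key statements above (stored as salted hashes, issued with a `stdy_` prefix, revocable from Settings) fit together into one small design. The following is an added example written for this page, not Stedy's own code: it assumes a key layout of `stdy_<key_id>_<secret>` (the page only specifies the prefix), a per-key random salt with SHA-256 as the salted hash (the page does not name the algorithm), and an in-memory dictionary standing in for the keys table. Only the key id, salt and digest are ever persisted; the secret is shown once at issue time and cannot be recovered from the database.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PREFIX = "stdy_"      # prefix used on the page; the rest of the layout is assumed
KEY_ID_HEX_CHARS = 8  # public lookup handle, hypothetical width
SALT_BYTES = 16
SECRET_BYTES = 32


@dataclass
class StoredKey:
    """What the database row holds: never the secret itself."""
    key_id: str
    salt: bytes
    digest: bytes
    revoked: bool = False


def _digest(salt: bytes, secret: str) -> bytes:
    # A high-entropy random secret does not need a slow KDF; a salted SHA-256
    # stops a leaked table from being matched against keys seen elsewhere.
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()


def parse_key(presented: str) -> Optional[Tuple[str, str]]:
    """Split 'stdy_<key_id>_<secret>' into (key_id, secret); None if malformed."""
    if not presented.startswith(PREFIX):
        return None
    key_id, sep, secret = presented[len(PREFIX):].partition("_")
    if not sep or len(key_id) != KEY_ID_HEX_CHARS or not secret:
        return None
    return key_id, secret


class ApiKeyStore:
    """In-memory stand-in for the keys table (assumed, not Stedy's schema)."""

    def __init__(self) -> None:
        self._rows: Dict[str, StoredKey] = {}

    def issue(self) -> str:
        """Create a key, persist only its salted hash, return the full key once."""
        key_id = secrets.token_hex(KEY_ID_HEX_CHARS // 2)
        secret = secrets.token_urlsafe(SECRET_BYTES)
        salt = secrets.token_bytes(SALT_BYTES)
        self._rows[key_id] = StoredKey(key_id, salt, _digest(salt, secret))
        return f"{PREFIX}{key_id}_{secret}"

    def verify(self, presented: str) -> Optional[str]:
        """Return the key_id if the presented key is valid and not revoked."""
        parsed = parse_key(presented)
        if parsed is None:
            return None
        key_id, secret = parsed
        row = self._rows.get(key_id)
        if row is None or row.revoked:
            return None
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(_digest(row.salt, secret), row.digest):
            return None
        return key_id

    def revoke(self, key_id: str) -> bool:
        """Mark a key unusable; the row is kept so the id cannot be reissued."""
        row = self._rows.get(key_id)
        if row is None:
            return False
        row.revoked = True
        return True

    def secret_is_persisted(self, presented: str) -> bool:
        """Sanity check for tests: the raw secret must never appear in storage."""
        parsed = parse_key(presented)
        if parsed is None:
            return False
        _, secret = parsed
        return any(secret.encode("utf-8") in (r.salt + r.digest) for r in self._rows.values())


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue()
    print("issued:", key)
    print("verify:", store.verify(key))
    store.revoke(store.verify(key) or "")
    print("after revoke:", store.verify(key))
```

The key id is the only part sent to the database lookup, so a presented key that fails verification is rejected without ever writing the secret anywhere; revocation flips a flag on the row rather than deleting it, so the same id cannot be reissued to a different secret.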
Subprocessors
Who processes your data
We use a small number of trusted vendors. Each is listed below with purpose, data category, region, and a link to their DPA.
| Provider | Purpose | Data | Region | DPA |
|---|---|---|---|---|
| Google (OAuth) | Authentication (sign-in with Google) | Email, name, Google user ID | Global (SCCs) | View |
| Railway | Application hosting, PostgreSQL database | All user-generated content | EU (Amsterdam) | View |
| Vercel | Marketing site & web app static hosting | IP address, request logs | Global edge (EU-resident origin) | View |
| PostHog | Product analytics & error tracking | Anonymized events, session replay (consent-gated) | EU (Frankfurt) | View |
| Resend | Transactional email (coming soon) | Email address, message content | EU | View |
This list is the full set of processors handling user data. It is updated whenever a subprocessor is added or removed. See our Privacy Policy for details on lawful basis and data retention.
Report a vulnerability
Found a security issue? We accept reports under a responsible-disclosure policy. Details and contact address are published in our RFC 9116 security.txt.
- Acknowledgement within 72 hours
- Safe-harbor for good-faith researchers
- Credit on request
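RFC 9116 fixes both where the file lives (`/.well-known/security.txt`) and which fields it must carry: `Contact` and `Expires` are required, `Expires` may appear only once, and the RFC recommends an expiry less than a year out so stale contact details get noticed. The checker below is an added example for this page, not Stedy's published file or tooling; the embedded `security.txt` is a constructed sample with placeholder addresses, and the field rules are the ones stated in the RFC.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample with placeholder values; not Stedy's actual security.txt.
SAMPLE_SECURITY_TXT = """\
# constructed example
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security
"""

REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUE_FIELDS = ("Expires", "Preferred-Languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines into a field -> values map; comments are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; RFC 9116 only defines "name: value"
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_timestamp(value: str) -> Optional[datetime]:
    """Accept the ISO 8601 / RFC 3339 form the RFC requires for Expires."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else ts.replace(tzinfo=timezone.utc)


def check_security_txt(text: str, now_iso: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes the checks."""
    now = _parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    assert now is not None, "now_iso must be an ISO 8601 timestamp"
    fields = parse_security_txt(text)
    problems: List[str] = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    for value in fields.get("Expires", [])[:1]:
        expires = _parse_timestamp(value)
        if expires is None:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
        elif expires <= now:
            problems.append("security.txt has expired")
        elif (expires - now).days > 365:
            problems.append("Expires is more than a year out (RFC 9116 recommends less)")

    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI (mailto:, https://, tel:): {contact}")

    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE_SECURITY_TXT) or ["no problems found"]:
        print(problem)
```

Run against a live site, the same checks apply to the body fetched from `https://<domain>/.well-known/security.txt`; the expiry check is the one most worth automating, because an expired file is what a researcher sees when the team has forgotten to rotate it.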
Incident response
If a data breach occurs that affects your personal data, we notify affected users and competent EU supervisory authorities within 72 hours of becoming aware, as required by GDPR Article 33.
- Direct email to affected accounts
- Public post-mortem where appropriate
- Remediation before disclosure where possible