Security

Our Approach

Incident Manager is designed with security at its core. We apply a defense-in-depth approach across every layer of the application—from authentication and access controls to data encryption and infrastructure monitoring. Our practices are aligned with industry-recognised standards such as ISO 27001 and SOC 2.

Encryption in Transit and at Rest

All data transmitted between users and our servers is encrypted using HTTPS with TLS 1.2 or higher. In addition, our databases and automated backups are encrypted at rest using AES-256 encryption. This protects your data whether it's being transmitted or stored.

Infrastructure and Hosting

Incident Manager is hosted in the Frankfurt region on Render, a secure, cloud-native platform. TLS certificates are automatically provisioned and renewed. Render’s infrastructure also provides built-in support for automatic scaling, access control, and daily backups.

Authentication and Access Control

We use secure authentication mechanisms, including strong password hashing and session management. Access to the application is role-based, with permissions enforced throughout. Administrative actions are audited and monitored. Multi-factor authentication is available on request for enterprise customers.

Backups and Disaster Recovery

Databases are automatically backed up daily. In the event of an incident, these backups can be used to restore service quickly. All backups are encrypted and stored securely in compliance with industry standards.

DDoS and Threat Protection

We employ multiple layers of protection against Distributed Denial of Service (DDoS) attacks and automated abuse. These include geographic IP filtering, rate limiting, and integration with advanced threat mitigation services.

Monitoring and Incident Response

We maintain continuous monitoring of our application and infrastructure, with automated alerts for abnormal activity and critical security events. Any suspicious access attempts, failed logins, or exploit probes are logged and reviewed. Security events trigger real-time email alerts to the system administrator.

Vulnerability Management

Our codebase is continuously monitored for known vulnerabilities in third-party dependencies. Critical patches are applied within 48 hours. We use a combination of automated tools and manual review to enforce secure coding practices throughout our development lifecycle.

Compliance and Best Practices

Our security practices are aligned with international standards including ISO 27001 and SOC 2. We regularly review our controls and update policies to reflect evolving security and compliance requirements. Customer data is never used for advertising or analytics.

Data Privacy and Retention

We provide full data ownership to our customers. Trial data is deleted 30 days after trial expiry if no subscription is started. For paid accounts, all data is deleted 30 days after cancellation unless otherwise agreed. We do not provide post-deletion confirmations.

If you would like more technical detail about our security architecture or need documentation for your IT review process, please contact us.