TRUST CENTER
Security and compliance
trust, documented
Security and data protection practices used in ITEON products. Same principles we apply when contributing to banking, insurance and public sector projects.
Live system status
We monitor availability of all services in real time. Historic incidents, planned maintenance windows and uptime metrics are publicly available.
Security architecture
How we protect your data
Encryption
TLS 1.2+ for external traffic (Cloudflare + Azure). Encryption at rest provided by Azure managed services (disk encryption, PostgreSQL Flexible Server encryption at rest). User passwords hashed with Argon2id using OWASP 2025 parameters. Per-user Data Encryption Keys for sensitive fields with a crypto-shredding option in the account deletion flow.
Azure networking
API and Redis run in Azure Container Apps (Poland Central, internal traffic). PostgreSQL Flexible Server (Poland Central) accessible via allowlisted IPs. Static Web Apps (West Europe) serve the frontend. All traffic terminates at Cloudflare TLS + WAF.
Audit trail
Security-relevant events (login, authorization, sensitive-data access) sent to Azure Log Analytics. Default workspace retention: 30 days. Each event carries a W3C Trace Context traceId visible in Sentry and application logs.
Self-service GDPR
Users delete their account and export data themselves: DELETE /users/me/account (30-day grace period per GDPR Art. 17) and GET /users/me/data-export (job-based export per GDPR Art. 20). No manual steps on our side beyond support requests.
Application-level Zero Trust
Input validation at every layer (Zod in API, Zod/FluentValidation in clients). DPoP (RFC 9449) for authenticated MCP endpoints. App Attestation for the mobile app (DeviceCheck on iOS, Play Integrity on Android). Refresh token rotation with reuse detection.
Error sanitization
Technical logs carry the full stacktrace for engineering. User-facing messages are clean and never expose internal architecture. Sentry configured with PII scrubbing (defaultPii, viewHierarchy and screenshots disabled).
Subprocessors
Data subprocessors
List of vendors (subprocessors) we use to deliver services. Each vendor has its own processing terms (DPA / SCC). We update this list whenever the technology stack changes.
| Vendor | Purpose | Data location | Legal basis |
|---|---|---|---|
| Microsoft Azure | API hosting (Container Apps), PostgreSQL, Redis cache, frontend (Static Web Apps), logs (Log Analytics) | Poland Central (API, database, cache), West Europe (frontend hosting) | Microsoft Online Services DPA + EU Data Boundary |
| Microsoft Entra External ID | Identity provider (Microsoft work account sign-in, OIDC for web and mobile) | Microsoft EU data residency | Microsoft Online Services DPA |
| Cloudflare, Inc. | DNS, CDN, WAF, Workers (MCP marketing endpoint mcp.iteon.pl) | Global network with EU edge preference | Cloudflare DPA + EU SCC |
| Stripe Payments Europe Ltd. | Payments processor (gateway, billing), used for paid services | Ireland (EU) with global subprocessors | Stripe DPA + EU SCC |
| Resend | Transactional email delivery (signup, verification, notifications) | European Union (AWS eu-west-1) | Resend DPA |
| Twilio Ireland Ltd. | SMS verification (one-time code during onboarding, opt-in) | Ireland (EU) with global subprocessors | Twilio DPA + EU SCC |
| Anthropic, PBC | Claude LLM (chat AI, text analysis), opt-in AI features | USA | Anthropic Commercial Terms + SCC; no training on customer data |
| OpenAI Ireland Ltd. | GPT LLM (chat AI, embeddings), opt-in AI features | USA with EU Data Residency available for selected models | OpenAI Business DPA + SCC; no training on customer data |
| Sentry | Application error monitoring (frontend, API, mobile) | Determined by DSN configuration; details in privacy policy | Sentry DPA |
| PostHog Inc. | Product analytics (product events, feature flags), EU cloud | Frankfurt (PostHog EU Cloud, eu.i.posthog.com) | PostHog DPA + EU Data Residency |
| Microsoft Clarity | Behavioural analytics (heatmaps, session replays), opt-in via consent banner | USA (Microsoft Azure US). EU customers contract with Microsoft Ireland Operations Ltd. (MIOL); transfers to USA covered by SCC. Microsoft does not offer EU data residency for Clarity. | Microsoft Online Services DPA + SCC (MIOL Ireland to USA) |
| Google LLC | Google Sign-In and Google One Tap (Google account login), opt-in | USA / Google global network | Google Data Processing Terms + SCC |
| Apple Inc. | Sign in with Apple (Apple ID login), opt-in | USA | Apple Sign in with Apple privacy framework |
Security testing
Scans and code analysis
Security is a continuous practice. Every PR passes automated dependency scans and static analysis before merge to production.
Automated dependency scanning
Dependabot in CI/CD. Every PR is checked for CVEs in dependencies. Critical vulnerabilities block merge.
Static analysis (lint + security)
ESLint with security plugin and TypeScript strict mode. Lint blockers before merge.
Responsible disclosure
Report a vulnerability (Responsible Disclosure)
If you have found a vulnerability in our systems, we ask for responsible disclosure. We appreciate the security community and aim to respond within 24-72h. The program offers no monetary rewards, but we give public acknowledgement.
Contact email: security@iteon.pl
PGP key: available on request
Program scope
- iteon.pl and all *.iteon.pl subdomains
- ITEON mobile app (iOS, Android)
- Public API: api.iteon.pl
- MCP DCR endpoint: /.well-known/mcp/*
Out of scope
- DDoS attacks and social engineering
- Spam, phishing targeting our clients' users
- Vulnerabilities in third-party dependencies outside our control
- Self-XSS without impact on other users
Acknowledgement
- Hall of Fame on the website with public credit
- Name credit in the changelog after the fix ships
- Possible professional reference after coordination
- The program is unpaid (no monetary payouts)
Enterprise project experience
Enterprise projects we have contributed to
As ITEON.PL (sole proprietorship, since 2009) we have contributed to projects for the following organisations. In most cases ITEON.PL acted as a subcontractor inside teams led by primary system integrators, not as the prime contractor.
- PKO Bank Polski: 2023-2025
- Generali: 2025
- Compensa Vienna Insurance Group: 2021-2023
- Compensa Vienna Insurance Group: 2025
- Polish Security Printing Works (PWPW): 2015-2016
- Bank Guarantee Fund (BFG): 2015-2018
- Digital Care Group (bolttech): 2018-2019
- WSBS Wysocki Bogdanski: 2013-2015
Have a problem that's holding your business back?
Let's talk specifics. No jargon, no obligations. Let's see if and how technology can help your business grow.