Security
Security is foundational to a messaging platform. This page describes how Servus protects data, runs its infrastructure, and responds to issues.
Last updated 15 June 2026
Our security philosophy
Servus carries sensitive business communications, so we treat security as a core feature, not an add-on. We design for defense in depth, least privilege, and safe defaults, and we build with the assumption that any single control can fail.
We continuously improve our posture as the platform grows. Where a control is still maturing, we say so plainly rather than overstate it.
Encryption in transit and at rest
All traffic between you, your recipients' channels, and Servus is encrypted in transit using TLS 1.2 or higher. Sensitive secrets at rest — including channel credentials such as access tokens and API keys — are encrypted using AES-256-GCM. Database storage and backups are encrypted at rest.
Customer passwords are stored using strong, salted, one-way hashing and are never recoverable in plaintext.
EU infrastructure and tenant isolation
Servus runs on EU-based infrastructure to support data residency within the European Union. Each customer is a separate tenant, and the platform enforces strict tenant isolation so that one customer's data and messages are never accessible to another. Authorization checks fail closed: when isolation cannot be verified, access is denied.
Containerized services run with bounded privileges and are separated by environment and function.
Access control, secrets, and network controls
Access to production systems follows least privilege and is granted to a small number of authorized engineers on a need-to-know basis, with strong authentication. We log administrative access and review permissions regularly.
Secrets are managed outside source code, scoped narrowly, and rotated when warranted. Network controls restrict exposure: internal services bind to private interfaces, public entry points are limited and protected, and we segment traffic between components.
Monitoring, logging, and alerting
We collect application and infrastructure logs and monitor for errors, anomalies, and signs of abuse. Critical events generate alerts so the team can respond quickly. Logs are retained for a limited, defined period and protected against tampering.
We tune detection over time to catch real issues without drowning the signal in noise.
Vulnerability management and responsible disclosure
We keep dependencies and base images patched, scan for known vulnerabilities, and remediate based on severity and exposure. Security is part of our development process, including code review for sensitive changes.
If you discover a vulnerability, please report it responsibly to [email protected]. Give us a reasonable opportunity to investigate and fix the issue before public disclosure, and we will acknowledge your report and keep you informed.
Backups, resilience, and business continuity
We take regular, encrypted backups and periodically test restoration so we can recover from data loss. The platform is built for resilience, with durable queuing of outbound messages so that transient failures are retried rather than dropped.
We maintain business-continuity practices to keep the service available and to recover within defined objectives after disruption.
Compliance posture and how to report a concern
Servus is built to be GDPR-aligned, with EU data residency, a Data Processing Agreement, Standard Contractual Clauses for any transfers, and data-subject-rights support. We are working toward formal certifications such as SOC 2 and ISO 27001; we do not currently claim to hold those certifications, and we will update this page as our program matures.
To report a security concern or request more detail about our controls, contact [email protected].