Security

Your data, EU-hosted, encrypted, isolated

Your trade-operations data (customer lists, quotes, orders, L/Cs, call recordings) runs on a GDPR + KVKK-compliant Sighthem infrastructure. This page documents where it lives, how it is protected, and by whom.

1. Data Location & Regulatory Scope

  • Hosting region: Germany (European Union). Production database, file storage, and application servers all reside in the EU.
  • Regulatory framework: GDPR (EU) + KVKK (Turkey). Explicit disclosure on /gizlilik. VERBİS notification structure in place.
  • Data ownership: All workspace data belongs to you. Full export and deletion available on request.
  • Physical security: Data center is monitored 24/7 with physical access control, biometric entry, and CCTV.

2. Traffic & Encryption

  • Browser ↔ server: TLS 1.2+ (TLS 1.3 preferred). HTTPS enforced, HSTS enabled (HTTP requests are 308-redirected to HTTPS).
  • Server ↔ database: TLS over a closed VPC. No public database access.
  • Storage (at rest): AES-256 at-disk encryption. Backups encrypted identically.
  • Certificates: Let's Encrypt + automated 60-day renewal.

3. Identity & Access Management

  • Password storage: One-way hash (bcrypt). No plain-text storage anywhere.
  • Sessions: JWT bearer + global guard (every API call verified). Cookies are HttpOnly + Secure + SameSite=Lax.
  • RBAC: Workspace owner / manager / member roles + per-module feature toggles. Cross-workspace access is blocked at the API layer.
  • Audit log: Sensitive actions (user deletion, role change, record access) are written to an audit log.
  • Sighthem staff access: Staff access to production data requires written request and admin approval, restricted to a scoped support account. Every session is logged.
  • Rate limiting: Per-IP and per-user throttling on all API endpoints. Login, password-reset, and payment endpoints are strictly throttled.

4. Data Isolation (Multi-Tenant)

Sighthem is a multi-tenant SaaS. Each company is a workspace; every query is filtered by workspace ID. Cross-workspace reads are blocked at the application-level guard, so data leakage between tenants is impossible.

  • Every table is tenant-scoped by workspace_id
  • API guard verifies workspace match on every request
  • Storage paths (file uploads) are workspace-isolated
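The guard described above, as an added illustration that is not Sighthem's own code: an unscoped lookup (what a missing guard looks like) next to a workspace-scoped one, with denied access written to the audit log. `Session`, `Record`, `STORE` and `AUDIT_LOG` are hypothetical names, and the sample rows are constructed.

```python
from dataclasses import dataclass

class CrossWorkspaceAccess(PermissionError):
    """Raised when a request targets a record outside the caller's workspace."""

@dataclass(frozen=True)
class Session:
    user_id: str
    workspace_id: str  # taken from the verified session token, never from the request body

@dataclass
class Record:
    record_id: str
    workspace_id: str  # every table is tenant-scoped by workspace_id
    payload: dict

# Constructed sample data: two tenants sharing one table.
STORE = {
    "q-1": Record("q-1", "ws-acme", {"customer": "Acme GmbH", "total": 1200}),
    "q-2": Record("q-2", "ws-globex", {"customer": "Globex AS", "total": 900}),
}
AUDIT_LOG: list = []

def get_record_unscoped(record_id: str):
    """The anti-pattern: looks up by id only, so any authenticated user who
    knows or guesses an id reads another tenant's row."""
    return STORE.get(record_id)

def list_records(session: Session) -> list:
    """Every query is filtered by the caller's workspace_id."""
    return [r for r in STORE.values() if r.workspace_id == session.workspace_id]

def get_record(session: Session, record_id: str) -> Record:
    """Guard: the record must exist *and* belong to the caller's workspace.
    A mismatch is answered exactly like a missing record (no existence leak)
    and the attempt is written to the audit log before the request is refused."""
    rec = STORE.get(record_id)
    if rec is None or rec.workspace_id != session.workspace_id:
        AUDIT_LOG.append({"event": "cross_workspace_denied", "user": session.user_id,
                          "workspace": session.workspace_id, "record": record_id})
        raise CrossWorkspaceAccess(f"record {record_id!r} not found in workspace")
    return rec
```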

5. Payment Information

Card details are never stored on Sighthem. The payment flow tokenizes them through a PCI DSS-compliant third-party payment processor; Sighthem only stores the subscription token reference. Refunds and changes are processed through the same provider.

6. Backups & Disaster Recovery

  • Backup cadence: Hourly incremental + daily full backup.
  • Backup location: In-region (local copy) + an off-site replica in a separate region.
  • Backup encryption: AES-256 (at rest).
  • Restore objective: Full restore within 24 hours of a disaster (RTO = 24h).
  • Data-loss tolerance: Maximum 1 hour of data loss (RPO = 1h).

7. Infrastructure Hardening & DDoS

  • Provider-level hardware DDoS protection enabled
  • Nginx reverse proxy + strict CORS + network restrictions
  • Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
  • Dependency vulnerability scanning (Dependabot-equivalent) enabled
  • Container images are reproducible builds; minimal base (distroless-style)

8. Sub-Processors

Sighthem uses the following third-party services. All sub-processors operate under a signed GDPR Data Processing Agreement (DPA) or equivalent Standard Contractual Clauses (SCC).

  • Cloud server and database hosting
  • PCI DSS-compliant payment tokenization
  • Outbound email delivery infrastructure
  • International voice (WebRTC) carrier
  • SMS OTP delivery
  • Email verification service
  • AI services (for opt-in features)
  • Business email service (sighthem.com mailboxes)

This list is reviewed every six months; changes are announced on /guvenlik.

9. Data Portability & Right to Erasure

  • Full workspace data is exportable as CSV / JSON
  • After cancellation, data is exportable for 30 days
  • After 30 days, all data is permanently deleted, including from backups (90 days in total)
  • KVKK and GDPR Article 17 (right to erasure) honored on single request

10. Vulnerability Reporting (Responsible Disclosure)

If you discover a security vulnerability, please email security@sighthem.com before public disclosure. We respond within 72 hours. Valid findings are credited (optional name/company) on a public acknowledgements page.

  • Please limit your testing to workspaces you own
  • No automated scanning / brute force (rate limits are enforced)
  • No denial-of-service or data destruction tests

11. Security FAQ

Where is my data stored?

Customer databases are stored in German EU-region data centers, compliant with GDPR and KVKK. Data may leave Turkey, but it remains within EU regulatory scope.

How is traffic encrypted?

All browser-to-server traffic is encrypted with TLS 1.2+. HTTPS is enforced, HSTS enabled. Database connections also run over TLS within a closed network.

How are passwords stored?

Passwords are stored as one-way cryptographic hashes (bcrypt). Plain text is never stored; nobody, including Sighthem staff, can read your password. Resets use one-time tokens.

Where are my payment details?

Payment details are never stored on Sighthem. A PCI DSS-compliant third-party payment processor tokenizes them; Sighthem keeps only the token reference.

Who can access the data?

Role-based access (RBAC): workspace owner, manager, member roles + per-module toggles. Every access is written to an audit log. Sighthem staff access requires written request and approval, and is limited to a scoped support account.

12. Contact

Vulnerability reports: security@sighthem.com
KVKK / data subject requests: kvkk@sighthem.com
General: info@sighthem.com

Last updated: 2026-05-20. Policy changes are published with version notes.

© 2026 Sighthem. All rights reserved.