belsimple: Just right.

Security policy

Version 1.1

Overview

belsimple is operated by Maarnyka BV and hosted entirely in Belgium on managed cloud infrastructure. This document describes the security measures in place to protect your data.

Infrastructure

All data is hosted in Belgium on managed cloud services that provide physical data centre security, network isolation, and DDoS protection. Our infrastructure provider holds ISO 27001 and SOC 2/3 certifications.

Data encryption

  • In transit: all connections use TLS. HTTP traffic is automatically redirected to HTTPS.
  • At rest: all stored data and backups are encrypted using industry-standard encryption (AES-256).

Authentication and access control

  • Passwords are hashed using a modern, memory-hard algorithm resistant to brute-force attacks.
  • Sessions expire automatically after a period of inactivity and are invalidated on password reset or account deactivation.
  • Tenants can configure single sign-on (SSO), delegating authentication to their own identity provider.
  • Role-based access control enforces permissions at the API level.
  • Sensitive endpoints are rate-limited to prevent brute-force attacks.

Multi-tenancy and data isolation

Each tenant’s data is logically isolated at the database level. Every request is scoped to the authenticated user’s tenant. There is no mechanism — by design — for one tenant to access another tenant’s data through the application.

Backups and disaster recovery

Automated daily backups with point-in-time recovery are performed by our managed database service. Backup restoration is tested periodically to verify recoverability.

Secure development practices

  • All dependencies are monitored for known security advisories and updated regularly.
  • Input validation and parameterised queries prevent injection attacks.
  • An append-only audit trail records all state-changing operations.
  • Code is reviewed before deployment.

Incident response

In the event of a security incident affecting customer data:

  1. We will contain and investigate the incident immediately.
  2. Affected tenants will be notified without undue delay, and within 72 hours at most.
  3. The Belgian Data Protection Authority (GBA) will be notified if required under GDPR.
  4. A post-incident report will be provided to affected tenants.

What we do not do

  • We do not store passwords in plaintext or reversible encryption.
  • We do not store data outside of Belgium. Data is served over encrypted connections to users wherever they are located.
  • We do not use your data for purposes other than delivering the service.
  • We do not use analytics, tracking, or advertising services.