Security
Last updated: July 15, 2026
At EquipPanel, security is fundamental to everything we build. As a Germany-based provider, we design our platform to meet the expectations of European businesses — including the technical and organizational requirements of the GDPR (Article 32). This page describes how we protect your data across infrastructure, application, and organizational layers.
For information about how we collect and use your personal information, please see our Privacy Policy. For information about your rights under GDPR, please visit our GDPR Compliance page.
Infrastructure Security
Hosting & Data Centers
EquipPanel is built on enterprise-grade infrastructure with redundancy and high availability:
- Application Hosting: Enterprise cloud hosting with HTTPS, automated deployments, and production monitoring
- Database & Storage: PostgreSQL database, authentication, and encrypted object storage with EU-based infrastructure
- Data Residency: Primary data storage and processing within the European Economic Area (EEA); transfers outside the EEA use appropriate safeguards where applicable
- Content Delivery & Protection: CDN, DDoS mitigation, and bot protection on authentication flows
- Redundancy: Automated backups provided by our infrastructure providers and documented disaster recovery procedures
Network Security
- DDoS Protection: Distributed denial-of-service attack mitigation and rate limiting
- Firewall Protection: Network-level firewalls and intrusion detection at infrastructure providers
- Secure Protocols: All connections use modern Transport Layer Security (TLS) encryption (HTTPS only)
- CSRF Protection: Same-origin validation on mutating API requests to prevent cross-site request forgery
- IP Filtering: Rate limiting and monitoring of suspicious IP addresses and access patterns
Data Encryption
Encryption in Transit
All data transmitted between your device and our servers is encrypted:
- TLS/SSL: Connections use modern Transport Layer Security (TLS) encryption
- HTTPS Only: Web traffic is encrypted and authenticated using HTTPS
- Certificate Management: Automated SSL certificate renewal and management
Encryption at Rest
All data stored in our databases and file storage is encrypted:
- Database Encryption: All databases encrypted at rest using industry-standard encryption
- File Storage: All uploaded files (documents, log attachments, maintenance files, reports, and images) encrypted at rest in isolated company folders
- Backup Encryption: Automated backups are encrypted before storage
- Key Management: Encryption keys are managed by our infrastructure providers using industry-standard practices
Password Security
- Hashing: Passwords are hashed using industry-standard algorithms with salt before storage
- Password Requirements: Minimum length and complexity requirements enforced
- No Plain Text: Passwords are never stored in plain text or transmitted unencrypted
- Session Management: Secure session tokens with expiration and refresh mechanisms
Access Controls
Authentication
- Secure Authentication: Industry-standard authentication with secure token-based session management
- Email Verification: Email verification required for new account creation
- Password Reset: Secure password reset flow with time-limited tokens
Role-Based Access Control (RBAC)
Multi-level access control ensures users only access data they are authorized to view:
- Admin: Full access to all company data, settings, billing, and team management
- Operator: Can create and edit log entries, manage maintenance, and upload documents (limited access)
- Viewer: Read-only access to equipment data and log entries (no modifications)
- Role Enforcement: Server-side and database-level role checks prevent unauthorized access
Data Isolation
Multi-tenant architecture is designed to isolate data between companies:
- Row-Level Security (RLS): PostgreSQL row-level security policies enforce tenant isolation at the database layer
- Query Filtering: Application and database access controls are designed to enforce company-level data isolation
- Storage Isolation: File storage organized by company ID with bucket-level access controls
- API Protection: API endpoints enforce company ownership checks before data access or modification
Security Practices
Input Validation & Sanitization
- Input Sanitization: User input validation and sanitization are applied across forms and API endpoints
- File Validation: File uploads validated for type, size, and content to prevent malicious files
- SQL Injection Prevention: Parameterized queries prevent SQL injection
- XSS Protection: Content Security Policy (CSP) and input sanitization prevent cross-site scripting
- Path Traversal Prevention: File paths validated to prevent directory traversal attacks
Rate Limiting
- API Rate Limiting: Per-user and per-company rate limits prevent abuse and DDoS attacks
- Upload Limits: File upload rate limiting to prevent storage abuse
- Authentication Limits: Login attempt rate limiting to prevent brute force attacks
- Persistent Tracking: Rate limiting tracked persistently for accurate enforcement
Application Security
- Security Headers: HSTS, Content Security Policy (CSP), X-Frame-Options, and X-Content-Type-Options on all responses
- CSRF Protection: Mutation endpoints validate request origin to block cross-site attacks
- Bot Protection: CAPTCHA and bot protection on sign-up and authentication to reduce automated abuse
- Secure Cookies: Session cookies with appropriate security attributes in production
Security Monitoring
- Security Event Logging: Security-relevant events are logged with IP addresses and user agents where applicable
- Anomaly Detection: Automated monitoring for unusual access patterns and security events
- Audit Logging: Security-relevant events and administrative actions are logged
- Automated Monitoring: Automated monitoring and alerting for security events and system health
Regular Security Audits
- Code Reviews: Security-focused review of application changes before deployment
- Dependency Scanning: Automated scanning of dependencies for known vulnerabilities (npm audit)
- Security Assessments: Structured internal security reviews and remediation of identified issues
- Vulnerability Management: Prompt patching of identified security vulnerabilities
Backup & Recovery
Automated Backups
- Regular Backups: Automated backups of all databases and file storage
- Encrypted Backups: All backups encrypted before storage
- Retention Policy: Backups retained according to our retention policy
Disaster Recovery
- Documented Procedures: Defined recovery procedures with responsible contacts
- Provider Backups: Database and storage backups are performed by our infrastructure providers
- Business Continuity: Recovery objectives aligned with service availability requirements
Compliance & Certifications
Technical & Organizational Measures (Art. 32 GDPR)
In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Access control and authentication for all systems that process customer data
- Encryption of personal data in transit and at rest
- Ability to restore availability and access to data through backups
- Procedures for regularly testing and evaluating the effectiveness of security measures
- Incident detection, response, and notification procedures (including 72-hour breach notification where required by law)
- Confidentiality and security awareness as part of our internal practices
Data Processing Agreements (DPAs) are available for business customers. Contact us at [email protected].
GDPR Compliance
EquipPanel is designed to support the requirements of the General Data Protection Regulation (GDPR):
- Service Provider Terms: We use service providers whose terms include data processing provisions under Article 28 GDPR, where applicable
- Data Subject Rights: Support for data access, deletion, portability, and other GDPR rights
- Privacy by Design: Security and privacy considerations built into all features
- Data Minimization: Only collect and process data necessary for service delivery
- Cookie Consent: Granular cookie consent system with user preference management
For more information, see our GDPR Compliance page.
Service Provider Compliance
- Database & Storage Provider: EU-based database, authentication, and storage with provider security certifications where applicable
- Payment Processor: Payments processed by a PCI DSS Level 1 certified payment provider
- Hosting Provider: Application hosting with industry-standard security practices
- CDN & Security Provider: Content delivery, DDoS protection, and bot management
Incident Response
Security Incident Procedures
We have established procedures for detecting, responding to, and notifying users of security incidents:
- Detection: Automated monitoring and alerting for security events
- Response: Defined incident response procedures and responsible contacts
- Containment: Rapid containment procedures to limit impact of security incidents
- Notification: Prompt notification of affected users in case of data breaches (within 72 hours as required by GDPR)
- Remediation: Post-incident review and remediation to prevent future incidents
Reporting Security Vulnerabilities
If you discover a security vulnerability, please report it responsibly to [email protected]. We appreciate responsible disclosure and will work with you to address any issues promptly.
Employee & Access Management
Access Controls
- Principle of Least Privilege: Employees only have access to data necessary for their role
- Access Logging: All employee access to customer data is logged and audited
- Regular Access Reviews: Periodic review of employee access rights
Employee Training
- Security Practices: Security and data protection practices are part of our internal operations
- Incident Awareness: Awareness of security incident response procedures
- Code of Conduct: Clear security policies for anyone with access to systems and data
Third-Party Security
We work with trusted third-party service providers who maintain high security standards:
Service Providers
- Database & Storage Provider: PostgreSQL database, authentication, and encrypted file storage with EU-based infrastructure
- Payment Processor: Payment processing and subscription billing via a PCI DSS Level 1 certified payment provider
- Hosting Provider: Application hosting, deployment, and runtime infrastructure
- CDN & Security Provider: Content delivery, DDoS protection, and bot management
- Email Provider: Transactional email for account verification, notifications, and service communications
Data Processing Agreements
We rely on our service providers' data processing terms where personal data is processed on our behalf. Data Processing Agreements (DPAs) with EquipPanel are available to business customers on request.
Security Best Practices for Users
While we implement strong security measures, you also play an important role in keeping your account secure:
- Strong Passwords: Use a unique, strong password for your EquipPanel account
- Account Security: Don't share your account credentials with others
- Role Management: Regularly review team member roles and remove access for former employees
- Secure Networks: Avoid accessing EquipPanel from public or unsecured Wi-Fi networks
- Logout: Log out when using shared or public devices
- Email Security: Be cautious of phishing emails and verify email authenticity
- Software Updates: Keep your browser and operating system up to date
Security Contact
Have questions? Check our FAQ or contact us:
If you have security concerns, questions about our security practices, or need to report a security vulnerability, please contact us:
EquipPanel
Stuttgart, Germany
We take all security reports seriously and will respond promptly. For security vulnerabilities, please include detailed information about the issue and steps to reproduce it.
While we strive to protect your information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we continuously work to improve our security measures.
Security Updates
We continuously improve our security measures and infrastructure. This Security page is updated regularly to reflect our current security practices. We recommend reviewing this page periodically to stay informed about how we protect your data.
Last updated: July 15, 2026