How DataPanda protects your data and infrastructure.
At DataPanda, security is a core part of how we build and operate our platform. This page describes our security practices and how to report vulnerabilities responsibly.
DataPanda is hosted on managed cloud infrastructure within the European Union. All data is stored in EU-based data centres. We apply the principle of least privilege across all internal systems and access controls.
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). Data at rest is encrypted using industry-standard AES-256 encryption provided by our infrastructure provider.
User passwords are never stored in plain text. We use bcrypt hashing with a strong cost factor. Sessions are managed via secure, HTTP-only cookies. Access to internal systems is restricted to authorised personnel only, protected by multi-factor authentication.
DataPanda accesses Instagram data only via Meta's official Graph API using OAuth 2.0 access tokens. Tokens are stored encrypted and are only used to retrieve data for the authenticated account owner. We do not access, store, or process private messages or any data beyond what the user explicitly authorises.
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment provider. DataPanda never receives, processes, or stores card numbers or full payment credentials.
We maintain server-side logs and activity logs for security monitoring, anomaly detection, and incident response. Logs are stored securely and access is restricted to authorised personnel.
We take security reports seriously. If you discover a potential security vulnerability in DataPanda, please report it responsibly.
We request that you follow responsible disclosure practices and do not publicly disclose the vulnerability until we have had an opportunity to address it.
In the event of a data breach that affects personal data, we will notify affected users and the relevant supervisory authority (BlnBDI) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
We carefully evaluate third-party service providers and only work with vendors who meet our security standards. All sub-processors who handle personal data are listed in our Data Processing Agreement.
We continuously review and improve our security practices. This page will be updated when significant changes are made.
🔐 Security issue? Contact security@digimarkstudio.com — we take all reports seriously.