Security Summary
Last updated: April 2026
This page summarises at a high level how suPlay B.V. protects data processed by suPlayPoll. It is the public counterpart to our internal security policy and is referenced from our Service Level Agreement and Data Processing Agreement.
Need more detail? Customers on paid plans with a signed DPA can request a detailed technical-and-organisational-measures statement by emailing privacy@suplay.nl. The detailed statement covers version information, internal network topology, audit-log retention, incident-response drills, and subprocessor dependency graphs that are not appropriate for public disclosure.
Hosting and data residency
- All application data is hosted on dedicated infrastructure in the Netherlands (EU).
- No customer data is stored outside the EU, except the error-monitoring exports we disclose on our Subprocessors page.
- Network-level controls ensure application services are not reachable directly from the public internet; traffic arrives via a reverse proxy over HTTPS only.
Transport and storage
- TLS is enforced for all external traffic, with HTTP Strict Transport Security set at a long max-age across all subdomains.
- Secrets are stored on disk with restrictive permissions owned by an unprivileged service user.
- Database backups are encrypted and stored off-site in an EU region.
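As an added illustration of the transport control described above (example code, not suPlay's own tooling), the following check parses a Strict-Transport-Security response header and reports whether it meets a "long max-age, all subdomains" policy. The one-year threshold and the sample header values are assumptions for the example; the page does not state the actual max-age in use.

```python
from typing import Dict, List

# Policy threshold assumed for this check: the page only says "a long max-age".
# One year (31536000 s) is the usual baseline for a long-lived HSTS policy.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(header_value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.

    Directive names are case-insensitive, so they are lower-cased here.
    Directives without a value (includeSubDomains, preload) map to ''.
    """
    directives: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the policy is met."""
    findings: List[str] = []
    # Header names are case-insensitive, so look the header up accordingly.
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains directive missing")
    return findings


# Constructed sample headers (not captured from any real host).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
}
WEAK_HEADERS = {"strict-transport-security": "max-age=300"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_hsts(hdrs) or "policy met")
```

In practice the `headers` argument would be filled from a live response, for example `dict(urllib.request.urlopen(url).headers.items())`; the check itself is deliberately offline so it can run in CI against recorded headers.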
Authentication and credentials
- Passwords are stored only as modern, salted hashes; plaintext passwords are never logged or retained.
- Email-verification and password-reset tokens are hashed at rest; raw tokens appear only in the delivery email and expire quickly.
- Session cookies are HTTP-only, Secure, and SameSite-scoped.
- Rate limiting is applied to authentication, signup, password-reset, and file-upload endpoints.
- Two-factor authentication for administrator accounts is on our near-term roadmap.
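The two storage rules above (salted password hashes; reset tokens hashed at rest with a short lifetime) are shown below in an added example that is not suPlayPoll's code. It uses only the Python standard library: scrypt for the password KDF, SHA-256 for the token digest, and constant-time comparison for both. The token lifetime, the scrypt parameters and the in-memory "record" shape are assumptions for the example; the page does not state the actual values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Any, Dict, Optional, Tuple

# Assumed KDF parameters: 16 MiB of memory per hash, within OpenSSL's default
# 32 MiB scrypt limit. Production settings would be tuned to the host.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

# Assumed lifetime; the page only says tokens "expire quickly".
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). Only these two values are ever stored."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def _token_digest(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def issue_reset_token(now: float) -> Tuple[str, Dict[str, Any]]:
    """Create a reset token.

    The raw token is returned once, for the delivery email; the persisted
    record holds only its digest, an expiry timestamp and a used flag.
    """
    raw = secrets.token_urlsafe(32)
    record = {
        "token_hash": _token_digest(raw),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return raw, record


def redeem_reset_token(raw: str, record: Dict[str, Any], now: float) -> bool:
    """Accept the token once, only before expiry, comparing digests."""
    if record["used"] or now >= record["expires_at"]:
        return False
    if not hmac.compare_digest(_token_digest(raw), record["token_hash"]):
        return False
    record["used"] = True  # single use, even if presented again before expiry
    return True


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", salt, key))
    raw, rec = issue_reset_token(now=1_000.0)
    print("stored record holds raw token?", raw in rec.values())
    print("redeem once:", redeem_reset_token(raw, rec, now=1_010.0))
    print("redeem twice:", redeem_reset_token(raw, rec, now=1_020.0))
```

A database that is copied or dumped therefore yields only scrypt outputs and SHA-256 digests; neither can be turned back into a working password or reset link, which is what "hashed at rest" buys you.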
Application-level controls
- All database queries are parameterised; user input is never concatenated into SQL.
- Every request body is validated against a strict schema; unknown fields are rejected.
- File uploads are authenticated, size-limited, and server-side validated; filenames are randomised.
- Personally identifying fields are scrubbed from application logs and error reports before leaving the server.

- Administrator impersonation, where available for customer support, is signed, short-lived, and written to an audit log retained for 90 days.
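The first two application-level controls (strict request schemas that reject unknown fields, and parameterised queries) are shown together in the added example below, which is not the product's own code. The request shape (`title`, `max_votes`), the table layout and the use of SQLite are assumptions chosen so the example runs offline with the standard library.

```python
import sqlite3
from typing import Any, Dict, Tuple

# Constructed schema for a poll-creation request: field -> (type, required).
# Field names are assumed for the example, not taken from the real API.
CREATE_POLL_SCHEMA: Dict[str, Tuple[type, bool]] = {
    "title": (str, True),
    "max_votes": (int, False),
}


class ValidationError(ValueError):
    """Raised for any body that does not match the schema exactly."""


def validate(body: Dict[str, Any], schema: Dict[str, Tuple[type, bool]]) -> Dict[str, Any]:
    """Strict validation: unknown fields, missing required fields and wrong
    types are all rejected, so only whitelisted, typed values reach the DB."""
    unknown = set(body) - set(schema)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    clean: Dict[str, Any] = {}
    for name, (typ, required) in schema.items():
        if name not in body:
            if required:
                raise ValidationError(f"missing field: {name}")
            continue
        value = body[name]
        # bool is a subclass of int in Python; reject it explicitly for int fields.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise ValidationError(f"field {name}: expected {typ.__name__}")
        clean[name] = value
    return clean


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE polls (id INTEGER PRIMARY KEY, title TEXT NOT NULL, max_votes INTEGER)"
    )
    return conn


def create_poll(conn: sqlite3.Connection, body: Dict[str, Any]) -> int:
    clean = validate(body, CREATE_POLL_SCHEMA)
    # Parameterised statement: the SQL text is fixed and values travel
    # separately, so quotes or SQL keywords in the title are stored literally.
    cur = conn.execute(
        "INSERT INTO polls (title, max_votes) VALUES (?, ?)",
        (clean["title"], clean.get("max_votes")),
    )
    conn.commit()
    return cur.lastrowid


def get_title(conn: sqlite3.Connection, poll_id: int) -> Any:
    row = conn.execute("SELECT title FROM polls WHERE id = ?", (poll_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    pid = create_poll(db, {"title": "What's for lunch?", "max_votes": 3})
    print(pid, get_title(db, pid))
    try:
        create_poll(db, {"title": "x", "is_admin": True})
    except ValidationError as exc:
        print("rejected:", exc)
```

The title with an embedded apostrophe is the point of the second half: with `?` placeholders the driver never interpolates it into the statement, so the same code path is safe for any string a user submits. The schema step, meanwhile, means a field the handler never expected (here `is_admin`) is refused before any database call.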
Runtime isolation
- The application runs as an unprivileged system user, not as root. A successful code-execution exploit in a dependency is bounded to the application’s own directory.
- The operating system enforces mandatory access controls alongside standard filesystem permissions.
- Supervised process management automatically restarts the service on failure.
Backups and recovery
- Full database backups are taken every 24 hours.
- Backups are encrypted and stored off-site in an EU region.
- Retention: 30 rolling daily snapshots and 12 rolling monthly snapshots.
- Restore procedures are exercised periodically against a scratch environment.
- Recovery Point Objective 24 h / Recovery Time Objective 8 h (see SLA).
Monitoring and incident response
- Application errors are tracked by an error-monitoring subprocessor, with personally identifying fields scrubbed before transmission.
- Network-level brute-force protection is in place for administrative access.
- Tabletop exercises are run periodically against realistic breach scenarios; the resulting runbook is maintained alongside the code.
- Breach-notification commitment: affected customers are contacted within 72 hours of confirmation, per GDPR Art. 33.
Organisational measures
- Source code is reviewed before deployment and deploys follow a scripted, auditable path.
- Administrative-role accounts are reviewed annually.
- Dependencies are reviewed at least monthly; critical security advisories are handled within 7 days of disclosure.
- All subprocessors operate under a signed DPA — see our Subprocessors page.
Reporting a vulnerability
If you believe you’ve found a security issue in suPlayPoll, please email privacy@suplay.nl with technical details. We acknowledge reports within 5 business days and will not pursue legal action against researchers acting in good faith under a responsible-disclosure process.