MainDeck

Trust & Data Protection

Your data. Your control. Hosted in Europe.

Last updated: 22 April 2026

Current controls

  • EU-hosted application, database, and object storage for core platform data.
  • Profiles private by default, with user-controlled visibility and search indexing.
  • Chronological feed by default with public transparency documentation for feed modes.
  • Strict security headers across the platform, with framework-required CSP exceptions still in place.

Infrastructure

MainDeck runs on sovereign EU infrastructure. All data is stored and processed on servers in European Union data centres.

Service            | How                                               | Location
Application servers | Dedicated EU hosting                              | Germany
Database (PostgreSQL) | Self-hosted                                     | EU data centre
File storage        | Self-hosted (S3-compatible)                       | EU data centre
CDN                 | BunnyNet                                          | Slovenia (EU edge nodes)
Email delivery      | Soverin (SMTP relay, NL) with local DKIM signing  | Netherlands
Payment processing  | Mollie B.V.                                       | Netherlands

Encryption

  • In transit: All connections use TLS 1.3. HTTPS enforced across the platform.
  • Personally identifiable information: Email addresses and sensitive profile data are encrypted at the application level using AES-256-GCM before storage in the database. Lookups use deterministic hash indexes.
  • Messages: All private message content is encrypted at the application level (AES-256-GCM) before storage. A database export alone reveals no readable message content.
  • Passwords: Hashed with Argon2id (memory-hard algorithm), never stored in plain text.
  • Authentication tokens: SHA-256 hashed before storage. Constant-time comparison prevents timing attacks.
  • Email delivery: Outgoing email signed with DKIM, protected by SPF and DMARC policies.
  • Post-quantum readiness: Symmetric encryption (AES-256) and password hashing (Argon2id) are quantum-safe by design.

Access controls

  • Short-lived JWT access tokens (15-minute expiry) with rotating refresh tokens.
  • Multi-factor authentication (TOTP) available for all accounts.
  • Account lockout after repeated failed login attempts with exponential backoff.
  • Role-based access for company pages and administrative functions.
  • Access to production data is restricted to authorised personnel.

Application security

As a minimum, every code change goes through the following security checks before deployment:

  • OWASP Top 10: All code reviewed against the OWASP Top 10 web application security risks.
  • CWE Top 25: Automated static analysis runs on every code change, scanning for the 25 most dangerous software weaknesses.
  • Dependency auditing: Third-party packages checked for known vulnerabilities before every deployment.
  • Input validation: All user input validated and sanitised server-side. File uploads verified by content inspection.
  • Malware scanning on every upload: Every file you upload — avatars, banners, post media, message attachments, deck documents and CVs — is scanned by a self-hosted ClamAV daemon before it's written to storage. Infected files are rejected on the way in. The scanner is on the same EU infrastructure as the rest of the platform; no third-party scanning service ever sees your files.
  • Image metadata stripped on upload: Every uploaded image (avatars, banners, post media, message attachments, deck documents) is re-encoded server-side, which removes EXIF, IPTC, XMP and ICC metadata before the file reaches storage. GPS coordinates, camera serial numbers, capture timestamps and similar identifying tags are dropped on the way in — what we store is what other people see.
  • Rate limiting: All API endpoints rate-limited to prevent abuse.
  • Breached password check: Passwords are screened against the Have I Been Pwned corpus using k-anonymity: only the first 5 characters of a SHA-1 hash are sent. No identifiers, no full hashes, no way to reverse the lookup. Passwords appearing in 10 or more known breaches are rejected at registration and password reset.
  • Runtime security verification (aligned with OWASP ASVS Level 2): Over 100 automated integration tests run against a real Postgres + Fastify stack to verify a meaningful subset of ASVS Level 2 controls, including credential storage, multi-factor authentication, sensitive-transaction step-up, credential recovery, encryption of personal data at rest, access control, input validation, and HTTP security. The suite runs in CI before every deployment and locally before every push. We are not third-party audited and do not claim full Level 2 certification.
  • OWASP SAMM: The CI/CD pipeline enforces secure development practices: static analysis (Semgrep with OWASP Top 10 and CWE rulesets), dependency vulnerability scanning, strict type checking, and automated security tests. Every code change must pass these gates before deployment.

Security standards

While MainDeck is not currently ISO 27001 certified, our security practices are aligned with key ISO 27001:2022 controls:

  • A.8.2 Access management
  • A.8.5 Authentication
  • A.8.24 Cryptography
  • A.8.25 Secure development
  • A.8.26 Vulnerability management
  • A.8.28 Logging & monitoring

Your rights

As a European platform, we comply fully with the General Data Protection Regulation.

Access

Download a complete copy of your data at any time.

Deletion

Permanently delete your account and all associated data.

Portability

Data export in standard formats (CSV).

Consent

Marketing communications require explicit opt-in. Withdraw any time.

Rectification

Edit or correct your personal information at any time.

Legal bases: Contract performance (Art. 6(1)(b)) for providing the service, Consent (Art. 6(1)(a)) for marketing. Platform analytics are fully anonymous (no personal data collected).

Data retention

Data type                      | Retention
Active account data            | As long as your account exists
Deleted account data           | Removed within 14 days of deletion request
Unverified registrations       | Automatically deleted after 14 days
Operational security log files | Rotated after 14 days
Security audit records         | Retained up to 12 months; hashed IP and user-agent fields scrubbed after 180 days
Payment records                | As required by Dutch tax law (7 years)

Subprocessors

We minimise third-party data processing. All core services are self-hosted.

Subprocessor   | Purpose                                            | Location
Mollie B.V.    | Payment processing                                 | Netherlands
BunnyNet d.o.o. | Content delivery (CDN)                            | Slovenia
DeepL SE       | Content translation (on-demand, user-initiated)    | Germany
Soverin B.V.   | Transactional email delivery (SMTP relay)          | Netherlands

Public registry lookups. When a company saves a VAT number in their billing details, we send the VAT number to the European Commission's VIES service to verify it for B2B reverse-charge VAT treatment. VIES is a public EU registry, not a data processor, and is the source of evidence that EU tax inspectors require under Council Directive 2006/112/EC.

Public registry                      | Purpose                                                                       | Location
VIES (European Commission, DG TAXUD) | EU VAT number validation for B2B reverse-charge eligibility (companies only)  | EU

User-initiated portability transfers. When you choose to use the LinkedIn import feature, MainDeck receives a copy of selected fields from LinkedIn directly, on your explicit authorisation under your right to data portability (Art. 20 GDPR). LinkedIn is an independent data controller, not our processor, and no Art. 28 data-processing agreement exists or is required for this transfer; the data flows controller-to-controller under your authority. The transfer is initiated by you, can be skipped entirely, and never happens automatically. See the Privacy Policy for the categories received and how connection names (third-party data) are handled.

Source platform                                | Purpose                                                                                   | Location
LinkedIn (LinkedIn Ireland Unlimited Company)  | Optional profile / career / connections import on user authorisation (Art. 20 GDPR portability) | Ireland (EU/EEA)

Cookies

MainDeck uses a minimal set of cookies, all essential for the service to function:

  • Authentication cookie (httpOnly, secure, sameSite: strict) stores your session. Without it, you cannot stay logged in.
  • Theme preference (first-party cookie) remembers your light/dark mode choice across visits. It is used only to render the interface with your chosen appearance.
  • Locale preference (cookie) remembers your language choice.
  • LinkedIn import state (httpOnly, sameSite: lax, first-party) is set only when you start the optional LinkedIn import flow. It binds the OAuth state token to your browser so an attacker cannot replay someone else's authorisation. Discarded after the import completes or the flow is cancelled. Not set if you never use the LinkedIn import.

We do not use third-party tracking pixels or third-party analytics cookies. Advertising on MainDeck is contextual by default (based on page content, not your behaviour) and requires no cookies. Behavioural ad personalisation is available only with your explicit opt-in and uses first-party cookies only; they are never shared with third parties.

Incident response

  • Relevant supervisory authority notified within 72 hours (GDPR Article 33).
  • Affected users notified without undue delay if the breach poses a high risk to them.
  • All security incidents logged, investigated, and documented.

Report a vulnerability

If you discover a security vulnerability, please report it responsibly via our contact page. Select “Security” as the category.

Data Protection Officer

EnableNext, KvK 53538633

Oder 20, 2491DC Den Haag, Nederland

For privacy enquiries, please use our contact form and select “Privacy and Data” as the category.