Security & Trust

Your data is not our product

BestWebby is built on the principle that merchants should control their data, their payments, and their customer relationships. Security is infrastructure — not a feature tier.

SOC 2 Type II (in progress)

Audit scheduled for Q4 2026. Controls are being implemented ahead of the formal audit; certification pending completion.

GDPR-aligned controls (active)

Built around GDPR principles: right-to-erasure and data-export workflows, and a DPA available for EU merchants.

Credential encryption (active)

Sensitive credentials and secrets (API keys, integration tokens) are encrypted at the column level. Full-disk and backup encryption are on the hardening roadmap.

Encryption in transit (active)

TLS 1.3 enforced on all connections. HTTP Strict Transport Security with a 2-year max-age. No HTTP fallback.
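As an added example (not BestWebby's own code), the following Python check parses a Strict-Transport-Security response header and compares it with the policy stated above: a max-age of 2 years (assumed here to be 63072000 seconds, the usual value for a 2-year max-age) and no HTTP fallback. All header values in the sample set are constructed for illustration.

```python
"""
Added example, not BestWebby's code: parse an HSTS header (RFC 6797 syntax)
and check it against a stated policy of a 2-year max-age. Header values in
SAMPLE_HEADERS are constructed, not captured from any real site.
"""
import re

# Assumed threshold: 2 years expressed in seconds (2 * 365 * 24 * 3600).
TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60  # 63072000


def parse_hsts(header_value):
    """Parse an HSTS header value into a dict of directives.

    max-age is converted to an int; boolean directives such as
    includeSubDomains and preload map to True. Directive names are
    lower-cased because the header is case-insensitive.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            directives["max-age"] = int(value)
        else:
            directives[name] = value if value else True
    return directives


def check_hsts(header_value, min_max_age=TWO_YEARS_SECONDS):
    """Return (ok, findings) for one header value.

    ok is True only when a max-age directive is present and meets the
    minimum. findings lists everything a reviewer would flag, including
    advisory items (a missing includeSubDomains) that do not affect ok.
    """
    findings = []
    if header_value is None:
        return False, ["no Strict-Transport-Security header present"]
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return False, [str(exc)]
    if "max-age" not in d:
        # Browsers ignore an HSTS header without max-age entirely.
        return False, ["max-age directive missing; browsers ignore the header"]
    if d["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif d["max-age"] < min_max_age:
        findings.append(
            f"max-age {d['max-age']} is below the {min_max_age}s minimum"
        )
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains are not covered")
    ok = d["max-age"] >= min_max_age
    return ok, findings


# Constructed sample headers covering the common failure modes.
SAMPLE_HEADERS = {
    "policy-compliant": "max-age=63072000; includeSubDomains; preload",
    "too-short": "max-age=300",
    "disabled": "max-age=0",
    "malformed": "max-age=two-years",
    "missing": None,
}


def audit(samples=SAMPLE_HEADERS):
    """Run check_hsts over a mapping of label -> header value."""
    return {label: check_hsts(value) for label, value in samples.items()}


if __name__ == "__main__":
    for label, (ok, findings) in audit().items():
        print(f"{label:17} ok={ok} findings={findings}")
```

The check treats a missing includeSubDomains directive as advisory rather than a failure, because the page commits only to the 2-year max-age; tighten `check_hsts` if your own policy also requires subdomain coverage or preload.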

Infrastructure overview

  • Hosted in EU data centers on dedicated infrastructure
  • PostgreSQL with automated daily backups
  • Redis-backed job queues for background processing
  • Cloudflare for CDN, bot protection, and DDoS mitigation
  • Private network between all internal services — no public service-to-service traffic
  • Secrets managed via environment variables; never committed to version control

GDPR & Privacy

BestWebby is built around GDPR principles. We act as a Data Processor for merchant data and as a Data Controller for our own users. The full Data Processing Agreement (DPA) is available at /legal/dpa.

Merchants can request a full data export or erasure at any time from the dashboard Settings page or through our contact form. We respond to all requests within 72 hours.

Responsible disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover an issue, please report it privately to our security team before public disclosure. We commit to acknowledging reports within 24 hours and resolving valid reports within 30 days.

PGP key available on request. Please include detailed reproduction steps and estimated impact.

Reliability

Built for high availability with redundant infrastructure and continuous monitoring.

Security questions? Let's talk.

Enterprise security reviews, custom DPAs, and on-premise options available.