Security · Last updated 2026-05-22
How we keep student data safe.
This page describes Storgy’s security posture in plain English: how we encrypt data, where it lives, what we do when something breaks, and how to report a vulnerability. The last section names what we do not have today, stated plainly. For the legal privacy policy see /privacy/; for the sub-processor list and AI policy see /trust/.
Encryption
In transit, at rest, and in use.
Transit
All traffic between your browser and Storgy is encrypted with TLS 1.3 by default. TLS is terminated at the edge by Cloudflare and at the origin by nginx 1.24, configured with HSTS preload, OCSP stapling, and only ECDHE-AES-GCM cipher suites enabled.
Rest
Application data lives in Postgres 16 on a dedicated Hetzner box in Falkenstein, Germany. The filesystem is encrypted with LUKS (AES-256-XTS). Database backups are encrypted with age (X25519) before they leave the host.
In use
Editorial drafts and humaniser passes are sent to Anthropic and OpenAI under their commercial API terms — both contractually exclude API inputs from model training by default. Customer paste content is never reused for training on our side either.
Data residency
Primary data lives in the EU. The edge is cache-only.
EU primary
All user data — accounts, teacher records, student work, billing references — lives in a Hetzner-hosted Postgres in Falkenstein, Germany. Hetzner is a GDPR-compliant German company under the SCCs.
US edge cache
Cloudflare fronts the site globally for read-only HTML and image caching. The edge holds no PII: no cookies are forwarded into the cache key, no Authorization headers are cached, and signed download URLs are origin-issued. The edge is a transit and cache layer, not a data store.
Sub-processors
The full list of sub-processors with privacy-policy links lives on the public /trust/ page.
Breach notification
72 hours to the lead supervisory authority. No exceptions.
Detection
Application logs are tailed in real time; database access is logged with row-level audit triggers for the privileged tables (users, billing, school leads).
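The row-level audit triggers mentioned above, as an added illustration of the pattern rather than Storgy's own schema: the table names `users`, `billing` and `school_leads`, the `id` primary key, the `password_hash` column and the `storgy_app` role are assumptions. The trigger records who changed what and when, keeps secrets out of the audit rows, and makes the log append-only for the application role.

```sql
-- Hypothetical audit table: one row per change to a privileged table.
CREATE TABLE IF NOT EXISTS audit_log (
    id          bigserial   PRIMARY KEY,
    changed_at  timestamptz NOT NULL DEFAULT now(),
    db_user     text        NOT NULL DEFAULT current_user,
    table_name  text        NOT NULL,
    operation   text        NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE')),
    row_id      text,
    old_row     jsonb,
    new_row     jsonb
);

-- Trigger function shared by every audited table. SECURITY DEFINER lets it
-- write to audit_log even though the application role cannot touch that table.
CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO audit_log (table_name, operation, row_id, old_row, new_row)
    VALUES (
        TG_TABLE_NAME,
        TG_OP,
        -- Assumes each audited table has an id column; NEW is null on DELETE,
        -- so pick the row image that exists for this operation.
        CASE WHEN TG_OP = 'DELETE' THEN OLD.id::text ELSE NEW.id::text END,
        -- Drop password_hash (assumed column) so the audit log never
        -- duplicates a credential; to_jsonb(...) - 'key' removes that key.
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) - 'password_hash' END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) - 'password_hash' END
    );
    RETURN NULL;  -- AFTER trigger: the return value is ignored
END;
$$;

-- Attach the trigger to each privileged table (names assumed).
CREATE TRIGGER users_audit        AFTER INSERT OR UPDATE OR DELETE ON users
    FOR EACH ROW EXECUTE FUNCTION audit_row_change();
CREATE TRIGGER billing_audit      AFTER INSERT OR UPDATE OR DELETE ON billing
    FOR EACH ROW EXECUTE FUNCTION audit_row_change();
CREATE TRIGGER school_leads_audit AFTER INSERT OR UPDATE OR DELETE ON school_leads
    FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- The application role (assumed name) may read the log but never rewrite
-- history; only the trigger function inserts into it.
REVOKE ALL ON audit_log FROM storgy_app;
GRANT SELECT ON audit_log TO storgy_app;
```

A compromised application credential can then still be traced through `audit_log`, but cannot erase its own tracks; shipping the audit rows off-host (for example alongside the age-encrypted backups) protects them if the database host itself is lost.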
Response
Confirmed breaches affecting personal data are reported to the lead supervisory authority within 72 hours per GDPR Article 33. Affected schools and individual users are notified by email within the same window when the risk to rights and freedoms is material.
DPA
The SDPC National DPA (when counter-signed by your district) governs this notification process for school customers in addition to the underlying GDPR obligation.
Vulnerability disclosure
Responsible disclosure with a 90-day window.
Where to report
Email security@storgy.com. An age (X25519) public key for encrypted reports is available on request.
Window
We commit to acknowledging reports within 5 business days and to releasing a fix or coordinated public disclosure within 90 days. Critical vulnerabilities with active exploitation are patched and disclosed as soon as a fix lands.
Safe harbour
Good-faith research under this policy will not result in legal action from Storgy. Do not exfiltrate user data, do not pivot to other systems, do not extort.
Reports go to security@storgy.com.
What we do not have today
Stated plainly, without hand-waving.
Most security pages are written to flatter the certification logos at the top. Storgy doesn’t have those logos yet, so this section says so directly. If your district requires any of these as a hard prerequisite, we are not yet a fit — and we’d rather you find that out here than after a procurement call.
No SOC 2 today
We do not hold a SOC 2 Type I or Type II report. We are a single-engineer team and a SOC 2 audit is not realistic at this stage. If your district requires SOC 2 as a hard prerequisite, we are not yet a fit.
No ISO 27001 today
We do not hold ISO 27001 certification either. The same constraint applies.
No third-party penetration test today
We have not commissioned a paid third-party penetration test. The application is built on a small, well-understood stack (Next.js 15, Postgres, better-auth, Paddle, Resend) and we follow the OWASP ASVS Level 1 controls internally, but there is no external attestation behind that.
What we do have
GDPR-compliant EU data residency, a signed SDPC National DPA on offer to every district, the disclosures on this page, and a public sub-processor list at /trust/. That is the honest baseline.