Skip to main content

08 · Security

Security.
In detail.

Public summary of the technical and organisational measures implemented by MyKonci to protect its customers' and their guests' data.

Last updated · 2 April 2026

01Hosting and location

  • Hosted with Hetzner Online GmbH, datacentres in Germany (Gunzenhausen / Falkenstein).
  • No customer data hosted outside the European Union in normal operation.
  • Encrypted backups replicated to a second EU datacentre.
  • Hardware redundancy (storage, power, network) and automatic failover.

02Encryption

  • At rest: AES-256 for databases, storage volumes, backups and audio recordings.
  • In transit: TLS 1.3 on all communications (API, dashboard, webhooks, integrations). Older TLS versions are not accepted.
  • Key management: annual rotation, compartmentalised storage, logged access.
  • Application secrets: never in clear in the code, stored in a dedicated secrets manager.

03Multi-tenant isolation

  • Every customer has a dedicated identifier (client_id) isolated at the application level.
  • Double filtering of database queries: application-level filtering and PostgreSQL Row-Level Security (RLS).
  • Periodic penetration tests specifically targeting tenant isolation.
  • Within normal operation of the Service, no customer can access another customer's data.

04Identity and access management

  • Customer authentication: password with complexity requirements, two-factor authentication support (2FA/TOTP), expirable sessions.
  • MyKonci employee authentication: SSO with mandatory 2FA for any access to production systems.
  • Principle of least privilege: every internal role has access only to strictly necessary resources.
  • Access logging: every access to a customer's data is logged (identity, date, resource, IP), kept for 12 months and accessible by the administrator customer.

05Application security

  • Systematic code review before any production release.
  • Static analysis and automated dependency scans (CVE) on every build.
  • Protection against OWASP Top 10 attacks (injections, XSS, CSRF, broken auth, etc.).
  • Application-level rate limiting against brute force and scraping attacks.
  • DDoS protection at the infrastructure level.

06Backups and continuity

  • Daily full encrypted backups, rolling 30-day retention.
  • Periodic restore tests.
  • Documented disaster recovery plan (DRP) with RPO / RTO objectives.
  • Multi-zone redundancy for critical services.

07Monitoring and incident response

  • Continuous monitoring of systems (availability, performance, security).
  • 24/7 automated alert system for critical anomalies.
  • On-call team for Business and Enterprise plans.
  • Documented incident process: detection, qualification, containment, eradication, recovery, post-mortem.
  • Customer notification in case of data breach: within 48 hours of detection (preliminary report), full report within 7 days.

08Personnel and governance

  • Contractual confidentiality commitments for anyone accessing the data.
  • Regular training on security and data protection for all employees.
  • Physical access controls on the host's resources (Hetzner): biometrics, badges, CCTV (measures under Hetzner's responsibility).
  • Documented internal security policy, reviewed annually.

09Sub-processors and external components

The full list of sub-processors is in the privacy policy and in the DPA. Every sub-processor is contractually audited and subject to obligations equivalent to those imposed on MyKonci. The embedding models used for some semantic analyses are run locally on MyKonci infrastructure in the EU, with no external transfer.

10Audits and certifications

The Hetzner datacentres used by MyKonci are ISO 27001 certified. MyKonci is progressively putting external security audits in place and is available for customer audits under the arrangements set out in the DPA (article 11).

Professional customers can obtain on request:

  • A completed standardised security questionnaire (SIG Lite or equivalent).
  • Recent penetration test reports (under NDA).
  • The detailed list of sub-processors and the associated contractual measures.

Request to be sent to security@mykonci.com.

11Vulnerability reporting

MyKonci encourages responsible disclosure of vulnerabilities. The full policy is described on the Responsible Disclosure page. Direct contact: security@mykonci.com.

12Contact

For any security question: security@mykonci.com. For personal data requests: privacy@mykonci.com.