Security

Your database backups are as sensitive as the databases themselves. Here is exactly what we do to keep them that way.

Encryption

Backups are encrypted with AES-256-GCM on the machine that produces them, before leaving the customer's network. A random 12-byte nonce is generated per backup and incremented per chunk; the authentication tag is verified on restore, so a modified or truncated ciphertext fails to decrypt rather than producing silent garbage.
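The per-chunk scheme described above, sketched in Go as an added example (not Resistro's code). Per-chunk tags alone catch modification and reordering but not the removal of whole trailing chunks, so the example also authenticates a final-chunk flag. Assumptions not stated on the page: the chunk index is added to the last 4 bytes of the nonce, the flag travels as one byte of associated data, and the function name Run is hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Run seals (open=false) or opens (open=true) a backup chunk by chunk. Assumed, not from the page:
// index added to the last 4 nonce bytes; 1-byte AAD set to 1 only on the final chunk.
func Run(key, base []byte, chunks [][]byte, open bool) ([][]byte, error) {
	if len(chunks) == 0 {
		return nil, fmt.Errorf("no chunks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := make([][]byte, len(chunks))
	for i, c := range chunks {
		nonce := append([]byte(nil), base...)
		binary.BigEndian.PutUint32(nonce[8:], binary.BigEndian.Uint32(base[8:])+uint32(i))
		aad := []byte{0}
		if i == len(chunks)-1 {
			aad[0] = 1 // final-chunk marker: dropping trailing chunks breaks this tag
		}
		if !open {
			out[i] = gcm.Seal(nil, nonce, c, aad)
		} else if out[i], err = gcm.Open(nil, nonce, c, aad); err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
	}
	return out, nil
}

func main() {
	key, base := make([]byte, 32), make([]byte, 12) // constructed key and nonce
	rand.Read(key)
	rand.Read(base)
	sealed, _ := Run(key, base, [][]byte{[]byte("constructed "), []byte("sample")}, false)
	_, err := Run(key, base, sealed[:1], true) // restore with the last chunk missing
	fmt.Println("truncated restore:", err)
}
```

Without the final-chunk flag, the truncated restore in main would succeed and return only the first chunk.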

Keys are 256 bits in both product paths, but the derivation differs:

The threat model we defend against

The threat model we do not

Key management

The encryption key is generated once by the customer with openssl rand -hex 32 and placed in /etc/resistro-agent/env. It never leaves that host. Resistro Cloud stores only a SHA-256 fingerprint of the key per backup, to verify that restore attempts use the correct key. The key itself is not in our database, logs, metrics, or support channels.

If you lose the key, we cannot help you restore — this is the price of the guarantee that nobody but you can.

Data residency

Access control

Operational security

What we are doing — and what we are not

We are transparent about where we are in building trust. Enterprise buyers need to know, not guess.

Control | Status
Client-side AES-256-GCM encryption | Live
EU-only data path (Hetzner, DE) | Live
Tenant-prefixed storage sharding | Live
Per-tenant rate limits | Live
Offered: AVV (Auftragsverarbeitungsvertrag / DPA) | Live (full template, PDF)
Independent penetration test | Planned Q3/2026
SOC 2 Type II | Planned (no fixed date)
ISO 27001 certification | Not planned currently
Bug-bounty programme | Planned Q3/2026

Responsible disclosure

If you find a security issue, please email security@…. We commit to an acknowledgement within 48h, a fix or mitigation timeline within 7 days, and public credit once the fix is shipped (unless you prefer anonymity).

Questions your procurement team will ask

We maintain a standard vendor-security questionnaire (BSI Grundschutz / VAIT / typical DACH-B2B format). Ask us and we'll send it within one business day.