
Security

Last updated: May 2026

This page summarises the technical and organisational measures reserveme.ai applies to protect the Platform, the Widget and Customer Data, as well as the current register of sub-processors engaged to deliver the service. It is the public extract of the Security & Sub-Processors Policy referenced from our Data Processing Addendum.

1. Framework and scope

Our measures are calibrated to Article 32 GDPR and the Swiss Federal Act on Data Protection (FADP) and cover the Platform, the embeddable Widget, the APIs, and the backend infrastructure that supports machine-vision extraction, AI inference, quotation generation, outbound messaging (email, WhatsApp, SMS) and Workflow Automations.

2. Access and identity

Least-privilege, role-based access to all production systems with unique named accounts. Mandatory multi-factor authentication for every administrator and engineer reaching production. Quarterly access reviews and immediate revocation on role change or separation. Named-user credentials must not be shared between individuals.

3. Encryption

TLS 1.2+ for all data in transit, including Platform traffic, the Widget and our APIs. AES-256 at rest for databases, object storage and backups. Keys are managed by the cloud provider's KMS with annual rotation. Customer-uploaded documents (load charts, capacity curves, manuals) are encrypted before being processed by the machine-vision module.

4. Network and application security

Segregated production VPC with private subnets for data stores, allow-list security groups, web-application firewall (WAF) and DDoS mitigation. Secure software development lifecycle with peer review, dependency scanning (SCA), static analysis (SAST), secrets scanning and pre-production vulnerability scanning. Regular penetration testing by qualified third parties.

5. Logging, monitoring and incident response

Centralised, tamper-evident audit logging with at least 12 months of retention. Intrusion detection, anomaly alerting and a 24×7 on-call rotation. We commit to notifying Customers of a Personal Data Breach affecting their Customer Data without undue delay and in any event within 72 hours of becoming aware, as set out in our DPA. Vulnerabilities can be reported to security@reserveme.ai.

6. Resilience and backups

Automated daily encrypted backups with 30-day retention, point-in-time recovery on production databases, multi-AZ failover and documented restore tests at least annually. Reliance on enterprise cloud regions certified under SOC 2, ISO 27001 or equivalent for physical and operational security (AWS, Azure, Google Cloud™).

7. Sub-processor register

We engage the following sub-processors to deliver the Platform. The list is current as of the "last updated" date above; Customers receive at least 14 days' notice of any addition or replacement through the Security & Sub-Processors Policy.

- Amazon Web Services — cloud infrastructure (compute, storage, databases). US and EU regions. Safeguard: EU Standard Contractual Clauses + DPA.
- Google Cloud Platform™ — AI inference, mapping and routing, complementary infrastructure. US and EU regions. EU SCCs + DPA.
- OpenAI, LLC — foundation LLM inference for quotation, maintenance and Widget conversations. US. EU SCCs + DPA.
- Anthropic, PBC — foundation LLM inference (backup and specialised tasks). US. EU SCCs + DPA.
- Stripe, Inc. — payment processing and subscription billing. US and Ireland. EU SCCs + DPA.
- SendGrid / Twilio — transactional email and SMS sent on Customer's behalf. US. EU SCCs + DPA.
- Meta Platforms, Inc. — WhatsApp Business API, template approval and delivery metadata for messages sent by Customers through the Platform. US and Ireland. EU SCCs + DPA.
- Sentry — pseudonymised application error monitoring. US. EU SCCs + DPA.
- Intercom / HubSpot — customer support and CRM. US and Ireland. EU SCCs + DPA.

8. Reporting and contact

Security researchers and Customers can report suspected vulnerabilities, abuse or incidents to security@reserveme.ai. Please provide steps to reproduce, affected endpoints and any supporting evidence; we acknowledge receipt and triage within Swiss business hours. Coordinated disclosure is appreciated — please avoid accessing Customer Data, running intrusive scans on production, or using automated exploitation tooling.

Security contact

To report a vulnerability or security incident, reach our security team directly.

security@reserveme.ai