Security & Trust Center

Your data is safe with us

We take security seriously. Here's exactly how we protect your data, what certifications we hold, and how we comply with EU regulations.

Last updated: June 2026
CSA STAR Level 1
CSA STAR
Cloud Security Alliance
Self-Assessment (CAIQ v4.1)
Active
Microsoft Partner
MPN ID: 7093290
ISV Success Program
Active
GDPR Compliant
Belgian company · EU
Data Processing Agreement
Active
Microsoft AppSource
SSPA Compliant
Listed & Verified
Active

Cloud infrastructure

Badex Signature is built on Microsoft Azure and Proxmox, with all customer data hosted in the European Union.

Data stays in Belgium
All customer data is stored and processed in Azure Belgium Central (Brussels region). Your email signature data never leaves the European Union. Public static assets are served via Cloudflare R2 (EU-resident, zero-egress) at assets.badex.app.
Microsoft Azure (Belgium Central)
Primary cloud infrastructure for application hosting, blob storage, and CDN. ISO 27001 certified, SOC 2 audited, GDPR compliant.
Proxmox Hypervisor
On-premises VM management with full isolation between services. SMTP processor, application server, and monitoring run on separate VMs.
Cloudflare R2 CDN
Static assets and brand resources served via Cloudflare R2 at assets.badex.app with SSL, caching, and DDoS protection.
Azure Application Insights
Real-time performance monitoring, exception tracking, and uptime alerts. Separate alerting for uptime, exceptions, and backup verification.

Encryption everywhere

All data is encrypted in transit and at rest using industry-standard algorithms.

TLS 1.2+ (In Transit)
All web traffic encrypted with TLS 1.2 minimum. HTTPS enforced on all endpoints. HTTP requests automatically redirected to HTTPS.
AES-256 (At Rest)
All data is encrypted at rest using AES-256. The application database (MariaDB on an Azure-managed Linux VM) and the backup data on Azure Blob Storage both use AES-256 storage-layer encryption.
STARTTLS (SMTP)
All SMTP connections use STARTTLS on port 587. Plaintext SMTP connections are rejected. DKIM signing applied to all outbound emails.
Azure Key Vault
All sensitive secrets (API keys, credentials, certificates) stored in Azure Key Vault with hardware security module (HSM) backing and audit logging.
DKIM · SPF · DMARC for every email
Every email processed by Badex Signature is DKIM-signed using RSA-2048 keys unique to your domain. SPF records are configured to pass. DMARC alignment is maintained for both M365 and generic SMTP flows, ensuring maximum email deliverability and anti-spoofing protection.

Who can access what

Access to production systems is strictly controlled and logged. No unauthorized access is possible.

  • WireGuard VPN only: All SSH access to production servers requires an active WireGuard VPN connection. No direct SSH from the internet.
  • SSH key authentication: Password-based SSH is disabled on all servers. Only cryptographic key pairs are accepted.
  • Least privilege principle: Every system account has only the permissions required for its specific function. Admin routes protected by separate middleware.
  • Multi-tenant isolation: Tenant data is strictly isolated by company_id. No cross-tenant data access is possible at the application layer.
  • Separation of duties: Admin panel uses dedicated superadmin middleware, separate from regular user routes.
  • Session management: Admin sessions have configurable timeouts. All sessions invalidated on logout.
  • Bcrypt password hashing: All passwords hashed with bcrypt (cost factor 12). No plaintext passwords ever stored.
Security Monitoring
Wazuh SIEM deployed on dedicated VM for continuous threat detection and endpoint security monitoring across all production servers. Azure Security Center provides cloud workload protection with vulnerability assessment and threat intelligence feeds.

Your data, your control

We act as a data processor. You are the data controller. Your data is never sold, never used for advertising, and never shared beyond what's necessary to operate the service.

Data Type | Purpose | Storage | Role
Email addresses, names, titles | Signature personalization via Azure AD / M365 sync | Azure Belgium Central | Processor
Company logos & signature images | Rendered in email signatures | Azure Blob (Belgium) | Processor
SMTP credentials (encrypted) | Authentication for SMTP relay | MariaDB (encrypted at rest) | Processor
Billing information | Subscription management | Stripe (PCI DSS Level 1) | Controller
Application logs | Debugging, security monitoring | Azure App Insights (EU) | Processor
GDPR Rights
Badex is a Belgian company (BE0743.754.923) operating under GDPR. You have the right to access, rectify, delete, and export your data at any time. Contact privacy@badex.app to exercise your rights. Data deletion requests are processed within 72 hours.

Certifications & standards

Badex Signature has undergone rigorous self-assessment against global cloud security standards and is pursuing additional certifications.

CSA STAR (CAIQ v4.1)
Completed full 285-question Consensus Assessments Initiative Questionnaire (CAIQ v4.1) and published in the Cloud Security Alliance STAR Registry. Covers all 17 CCM security domains.
GDPR (EU Regulation 2016/679)
Full compliance with EU General Data Protection Regulation. Data Processing Agreement (DPA) available for all customers. Belgian DPA (Gegevensbeschermingsautoriteit) jurisdiction.
Microsoft SSPA
Compliant with Microsoft Supplier Security and Privacy Assurance program as required for Microsoft AppSource listing and Partner Network membership.
PCI DSS (via Stripe)
Payment card data handled exclusively by Stripe (PCI DSS Level 1 certified). Badex never stores, processes, or transmits card numbers. Zero PCI scope for our systems.

Data backup & recovery

Your data is backed up automatically every day across multiple locations.

  • Daily automated backups: Database and file backups run every day at 02:00 UTC.
  • Azure Blob Storage: Backups stored in Azure Blob (badexstorage, Belgium Central) with Azure geo-redundant storage (GRS).
  • Local backup copy: Secondary backup maintained on local storage for fast recovery.
  • Backup monitoring: Azure alert (backup-missing-alert) fires immediately if a daily backup is not detected.
  • Recovery tested: Restore procedures tested periodically. Target recovery time objective (RTO): 4 hours. Recovery point objective (RPO): 24 hours.
  • VM snapshots: Proxmox VM snapshots taken before major infrastructure changes.

How we handle security incidents

We have a defined incident response process to minimize impact and communicate transparently.

Detection
Continuous monitoring via Azure alerts, Wazuh SIEM, and Application Insights. Most incidents detected automatically within minutes.
Containment
Affected systems isolated via WireGuard VPN access controls. Service can be suspended or rerouted within minutes if necessary.
Remediation
Hotfixes deployed via CI/CD pipeline (approx. 22 seconds). Rollback to previous version available instantly via git revert.
Notification
Affected customers notified within 72 hours per GDPR Article 33. Belgian DPA notified as required. Post-incident report published for significant events.
Report a vulnerability
If you discover a security vulnerability in Badex Signature, please disclose it responsibly by emailing security@badex.app. We commit to acknowledging your report within 48 hours and keeping you informed of our progress. We do not pursue legal action against security researchers acting in good faith.

Third-party sub-processors

We use the following sub-processors to deliver the service. All are GDPR compliant and bound by Data Processing Agreements.

Provider | Purpose | Location
Microsoft Azure | Cloud infrastructure, storage, CDN, monitoring | Belgium Central (EU)
Microsoft 365 / Graph API | Email delivery (M365 tenants), Azure AD user sync | EU datacenters
Stripe | Payment processing and subscription billing | Ireland (EU)
Groq | AI features (per-tenant API keys, optional) | USA (SCCs in place)
Hetzner | Proxmox hypervisor hosting | Germany (EU)
Trustpilot | Customer review collection (BCC only) | Denmark (EU)

We will notify customers via email at least 30 days before adding new sub-processors that have access to personal data. To receive these notifications, ensure your account email is current.

Security & privacy contacts

Reach us directly for security questions, vulnerability reports, or data subject requests.

Have a security question?
Our security team responds within 48 hours, 7 days a week.
security@badex.app · privacy@badex.app
Company Details
Company: Badex
VAT: BE0743.754.923
Location: Zoersel, Belgium
DPA Authority: Gegevensbeschermingsautoriteit (BE)