Security & Trust Center

Security and privacy by design

Badex Signature is built with secure infrastructure, privacy-first principles and clear data protection controls for companies using Microsoft 365 and SMTP email environments.

Last updated: May 2026
  • CSA STAR Level 1: Cloud Security Alliance STAR Registry self-assessment (Active)
  • Microsoft ecosystem: Partner ID 7093290, Microsoft 365 integration (Active)
  • GDPR Compliant: Belgian company · EU, Data Processing Agreement (Active)
  • AppSource listing: Public marketplace, product availability (Active)

Cloud infrastructure

Badex Signature is built on a combination of cloud infrastructure and dedicated server infrastructure, with a strong focus on EU data protection and operational security.

  • EU-focused data protection: Badex is based in Belgium and designs its platform around European privacy expectations. Customer data, signature assets and operational systems are handled with GDPR-oriented safeguards and controlled access.
  • Cloud infrastructure: Cloud services are used for storage, delivery, monitoring and platform operations. Infrastructure choices are made with security, availability and EU data protection in mind.
  • Dedicated server infrastructure: Dedicated virtualized infrastructure is used for selected workloads such as application services, SMTP processing and monitoring, with service separation between components.
  • Secure asset delivery: Static assets and signature images are served through secured HTTPS endpoints with caching and controlled delivery for performance and reliability.
  • Monitoring and alerting: Application monitoring, exception tracking and operational alerts help detect issues quickly and keep the platform stable.

Encryption everywhere

Badex Signature uses encryption and secure transport practices to protect data during transmission and storage.

  • TLS 1.2+ (in transit): All web traffic is encrypted with TLS 1.2 as the minimum version. HTTPS is enforced on all endpoints, and HTTP requests are automatically redirected to HTTPS.
  • Encryption at rest: Storage systems and sensitive data are protected using encryption-at-rest controls where supported by the underlying infrastructure.
  • STARTTLS (SMTP): All SMTP connections use STARTTLS on port 587. Plaintext SMTP connections are rejected. DKIM signing is applied to all outbound emails.
  • Secret management: API keys, credentials and certificates are handled as sensitive secrets and are separated from public application code.

DKIM · SPF · DMARC for every email
Every email processed by Badex Signature is DKIM-signed using RSA-2048 keys unique to your domain. SPF records are configured to pass. DMARC alignment is maintained for both M365 and generic SMTP flows, ensuring maximum email deliverability and anti-spoofing protection.

Who can access what

Access to production systems is strictly controlled, logged and monitored, and is restricted according to least-privilege principles.

  • Restricted administration: Administrative access is limited to authorized personnel and protected with secure access methods.
  • Key-based access: Server access is protected using secure authentication practices such as SSH keys where applicable.
  • Least privilege principle: Every system account has only the permissions required for its specific function. Admin routes are protected by separate middleware.
  • Multi-tenant isolation: Tenant data is strictly isolated by company_id. No cross-tenant data access is possible at the application layer.
  • Separation of duties: The admin panel uses dedicated superadmin middleware, separate from regular user routes.
  • Session management: Admin sessions have configurable timeouts. All sessions are invalidated on logout.
  • Bcrypt password hashing: All passwords are hashed with bcrypt (cost factor 12). No plaintext passwords are ever stored.
Security Monitoring
A Wazuh SIEM is deployed on a dedicated VM for continuous threat detection and endpoint security monitoring across all production servers. Security monitoring and alerting are used to detect suspicious activity and operational anomalies across production systems.

Your data, your control

We act as a data processor. You are the data controller. Your data is never sold, never used for advertising, and never shared beyond what's necessary to operate the service.

| Data Type | Purpose | Storage | Role |
| --- | --- | --- | --- |
| Email addresses, names, titles | Signature personalization via Azure AD / M365 sync | EU infrastructure | Processor |
| Company logos & signature images | Rendered in email signatures | EU infrastructure | Processor |
| SMTP credentials (encrypted) | Authentication for SMTP relay | Application database | Processor |
| Billing information | Subscription management | Stripe (PCI DSS Level 1) | Controller |
| Application logs | Debugging, security monitoring | Monitoring systems | Processor |
GDPR Rights
Badex is a Belgian company (BE0743.754.923) operating under GDPR. You have the right to access, rectify, delete, and export your data at any time. Contact privacy@badex.app to exercise your rights. Data deletion requests are processed within 72 hours.

Certifications & standards

Badex Signature follows recognized security and privacy practices and maintains public trust documentation for customers and partners.

  • CSA STAR (CAIQ v4.1): Badex Signature maintains a Cloud Security Alliance STAR self-assessment entry to document security controls and cloud security practices.
  • GDPR (EU Regulation 2016/679): Full compliance with the EU General Data Protection Regulation. A Data Processing Agreement (DPA) is available for all customers. Jurisdiction: Belgian Data Protection Authority (Gegevensbeschermingsautoriteit).
  • Microsoft ecosystem readiness: Badex Signature is designed for Microsoft 365 and Exchange Online environments, with public product availability and partner ecosystem positioning.
  • PCI DSS (via Stripe): Payment card data is handled exclusively by Stripe (PCI DSS Level 1 certified). Badex never stores, processes, or transmits card numbers. Zero PCI scope for our systems.

Data backup & recovery

Platform data is backed up regularly to support operational recovery and business continuity.

  • Daily automated backups: Database and file backups run every day at 02:00 UTC.
  • Backup storage: Backups are stored separately from the production application environment where applicable.
  • Local backup copy: A secondary backup is maintained on local storage for fast recovery.
  • Backup monitoring: An Azure alert (backup-missing-alert) fires immediately if a daily backup is not detected.
  • Recovery planning: Restore procedures are reviewed and improved as the platform evolves.
  • VM snapshots: Proxmox VM snapshots are taken before major infrastructure changes.

How we handle security incidents

We have a defined incident response process to minimize impact and communicate transparently.

  • Detection: Continuous monitoring via Azure alerts, Wazuh SIEM, and Application Insights. Most incidents are detected automatically within minutes.
  • Containment: Affected systems are isolated via WireGuard VPN access controls. Service can be suspended or rerouted within minutes if necessary.
  • Remediation: Hotfixes and rollback procedures can be applied quickly using version-controlled deployment workflows.
  • Notification: Affected customers are notified within 72 hours per GDPR Article 33. The Belgian DPA is notified as required. A post-incident report is published for significant events.

Report a vulnerability
If you discover a security vulnerability in Badex Signature, please disclose it responsibly by emailing security@badex.app. We commit to acknowledging your report within 48 hours and keeping you informed of our progress. We do not pursue legal action against security researchers acting in good faith.

Third-party sub-processors

We use the following sub-processors to deliver the service. All are GDPR compliant and bound by Data Processing Agreements.

| Provider | Purpose | Location |
| --- | --- | --- |
| Microsoft Azure | Cloud infrastructure, storage, delivery and monitoring | 🇧🇪 EU / selected cloud regions |
| Microsoft 365 / Graph API | Email delivery (M365 tenants), Azure AD user sync | 🇪🇺 EU datacenters |
| Stripe | Payment processing and subscription billing | 🇮🇪 Ireland (EU) |
| Groq | AI features (per-tenant API keys, optional) | USA (SCCs in place) |
| Hetzner | Dedicated server hosting | 🇩🇪 Germany (EU) |
| Trustpilot | Customer review collection (BCC only) | 🇩🇰 Denmark (EU) |

We will notify customers via email at least 30 days before adding new sub-processors that have access to personal data. To receive these notifications, ensure your account email is current.

Security & privacy contacts

Reach us directly for security questions, vulnerability reports, or data subject requests.

Have a security question?
We review security and privacy messages as quickly as possible and prioritize vulnerability reports.
  • security@badex.app
  • privacy@badex.app
Company Details
Company: Badex
VAT: BE0743.754.923
Location: Zoersel, Belgium
DPA Authority: Gegevensbeschermingsautoriteit (BE)