Security Overview

Last updated: January 2025

1. Who We Are

Sainer is a service provided by Kwartiermakers Pioniers B.V., a company registered in the Netherlands.

• Chamber of Commerce (KvK): 99256010
• Address: Marie Baronstraat 1, 5026 CG, Tilburg, The Netherlands
• Security Contact: security@sainer.nl

We take the security of your data seriously. This document explains the security measures we have in place to protect your information and how we handle security-related matters.

2. Single Sign-On (SSO) Security

If you use Microsoft or Google to sign in to Sainer, here's what you should know:

Our apps are verified

Both our Microsoft and Google SSO applications have been verified by Microsoft and Google respectively. This means they have reviewed our application and approved it for use with their sign-in services.

We only request what we need

When you sign in with Microsoft or Google, we only request access to:

• Your email address
• Your name
• Your profile picture (optional)

We do not request access to your emails, files, calendar, contacts, or any other data in your Microsoft or Google account.

Your access is not permanent

• Tokens expire automatically: The access we receive expires and needs to be refreshed
• You can revoke access anytime: You can disconnect Sainer from your Microsoft or Google account at any time through your account security settings
• We use secure protocols: We use OAuth 2.0 with PKCE (Proof Key for Code Exchange) for enhanced security

How to revoke access

• Microsoft: Go to account.microsoft.com → Security → App permissions
• Google: Go to myaccount.google.com → Security → Third-party apps with account access

3. Infrastructure Security

Where your data lives

All our infrastructure runs on Google Cloud Platform in the EU:

• Primary region: europe-west4 (Netherlands)
• Backup region: europe-west1 (Belgium)

Your data never leaves the European Union.

Network security

• Private networks: Our databases and internal services are not accessible from the public internet
• Encrypted connections: All data in transit uses TLS encryption (the padlock you see in your browser)
• Firewall protection: We use strict firewall rules to control what traffic can reach our systems
• DDoS protection: Google Cloud's built-in protection against denial-of-service attacks

Database security

• Private access only: Our databases can only be accessed through private network connections
• Encryption at rest: All stored data is encrypted
• Regular backups: Automated daily backups with point-in-time recovery

Secret management

• Passwords, API keys, and other secrets are stored in Google Secret Manager
• Access to secrets is strictly limited and logged

4. Application Security

Authentication

• Secure password storage: Passwords are hashed using industry-standard algorithms (we cannot see your password)
• Session management: Sessions expire automatically after inactivity
• Token refresh: Access tokens are short-lived and automatically refreshed

Authorization

• Role-based access: Users can only access data they're authorized to see
• Tenant isolation: Your data is completely separated from other customers' data
• Principle of least privilege: Each part of our system only has access to what it needs

Input validation

• All user input is validated before processing
• We use schema validation to prevent malformed data from entering our systems

Webhook security

• External webhooks are verified using HMAC-SHA256 signatures
• We validate the origin of all incoming requests

5. Data Protection

GDPR compliance

We are fully committed to GDPR compliance. This means:

• You have the right to access, correct, and delete your data
• You can export your data at any time
• We only process data for legitimate purposes
• We have Data Processing Agreements with all our subprocessors

Data Processing Agreement (DPA)

If you need a DPA for your records, please contact us at privacy@sainer.nl and we'll provide one.

Data retention

• Call recordings and transcriptions: Retained according to your settings (default 90 days)
• Account data: Retained while your account is active, deleted within 30 days of account closure
• Logs: Security and audit logs retained for 12 months

Your control over data

• Export: You can export your data from the dashboard
• Deletion: You can request deletion of your data at any time
• Retention settings: You can configure how long we keep call recordings

6. Access Control & Audit

How we manage access internally

• Principle of least privilege: Our team members only have access to what they need for their role
• Service accounts: Automated systems use dedicated accounts with minimal permissions
• Regular reviews: We periodically review who has access to what

Audit logging

• All data access is logged
• Administrative actions are tracked
• Logs are retained for security analysis and compliance

Your audit capabilities

• View login history in your account settings
• See which team members have accessed what
• Access logs available upon request for enterprise customers

7. Incident Response & Breach Notification

Our commitment

If we discover a security incident that affects your data, we will:

1. Investigate immediately: Our team will assess the scope and impact
2. Contain the incident: Take steps to prevent further unauthorized access
3. Notify you promptly: If required under GDPR, we will notify you within 72 hours
4. Report to authorities: Notify the Dutch Data Protection Authority (AP) when required
5. Provide details: Explain what happened, what data was affected, and what we're doing about it

How to report a security concern

If you discover a potential security issue, please contact us immediately:

• Email: security@sainer.nl
• Response time: We aim to acknowledge reports within 24 hours

We appreciate responsible disclosure and will work with you to address any legitimate security concerns.

8. Subprocessors

We work with trusted partners to provide our service. All partners:

• Are bound by Data Processing Agreements
• Process data in the EU or under appropriate safeguards
• Meet our security requirements

Partner	Purpose	Location
Google Cloud	Infrastructure and AI processing	EU (Netherlands, Belgium)
Mollie	Payment processing	Netherlands
Mailgun	Email delivery	EU
Sinch	SMS and WhatsApp notifications	EU

A complete list of subprocessors is available upon request.

9. Security Testing & Monitoring

What we do

• Vulnerability scanning: Regular automated scans of our infrastructure
• Dependency monitoring: We track and update third-party libraries to address known vulnerabilities
• Infrastructure monitoring: 24/7 monitoring for unusual activity
• Log analysis: Automated alerting for suspicious patterns

Certifications and compliance

• Google Cloud Platform is certified for ISO 27001, SOC 2, and other standards
• We follow security best practices aligned with industry standards

10. What You Can Do

Protect your account

• Use a strong, unique password or SSO
• Enable two-factor authentication when available
• Review your team members' access regularly
• Log out of shared devices

Stay informed

• Keep your contact information up to date so we can reach you if needed
• Review this security overview periodically for updates

Contact us

If you have questions about our security practices or need additional documentation for your security review, please contact us:

• Security questions: security@sainer.nl
• Privacy questions: privacy@sainer.nl
• General support: support@sainer.nl

11. Updates to This Document

We may update this security overview as our practices evolve. When we make significant changes, we will note the update date at the top of this document.

---

This document is provided for informational purposes. For contractual security commitments, please refer to your service agreement or contact us for a custom security addendum.