Security Policy

Last updated: 2026-04-06

1. Security Approach

OÜ Digitechnology is designed around zero-knowledge-style handling of financial data. Sensitive budget data is encrypted in the browser before storage so the service does not depend on routine staff access to readable financial records.

2. Encryption and Authentication
  • Financial data is encrypted client-side before it is stored on the server.
  • Transport is protected with HTTPS (TLS).
  • Passwords are stored as hashes rather than in plain text.
  • Sessions use secure, HttpOnly cookies and server-side validation.
  • Recovery codes are generated client-side and should be stored by the user offline.

3. Application Controls
  • Input validation on both client and server boundaries
  • Rate limiting on sensitive authentication flows
  • Least-privilege access to production systems and secrets
  • Dependency updates and routine maintenance of the stack
  • Backup and recovery procedures for production deployments

4. Infrastructure Expectations

Our recommended production setup uses a hardened Ubuntu server, Nginx, TLS certificates, restricted SSH access, and process supervision for zero-downtime deployments. The deployment documentation in this repository reflects that baseline.

5. Incident Response

When a security incident is suspected, we aim to:

  • Detect and contain the issue quickly.
  • Assess affected systems and data.
  • Patch or isolate the root cause.
  • Notify affected users and authorities when the law requires it.
  • Review the incident and improve our controls.

6. Reporting Security Issues

If you discover a security issue, email [email protected] and include "Security report" in the subject line.

  • Share enough detail for us to reproduce the issue.
  • Do not access, modify, or delete other users' data.
  • Do not perform destructive load or denial-of-service tests.
  • Give us reasonable time to investigate and respond.

7. Your Responsibilities
  • Use a strong, unique password.
  • Store your recovery code securely offline.
  • Keep your browser and device updated.
  • Be careful with phishing and shared computers.
  • Tell us quickly if you suspect account compromise.

8. Related Information

For more detail on retention, rights, and data handling, see the {privacyLink} and {dataProtectionLink} page.