Security

How UniDeck protects your data.

Security is a continuous program, not a checkbox. This page explains what we do today, what we are working on, and how to reach us.

Data protection

UniDeck only reads the data each integration needs to render the widgets you place on a dashboard. Scopes are granted per integration through OAuth and can be revoked at any time. Customer data is isolated per workspace at the application and database layers.

Encryption

  • In transit: TLS 1.2 or higher on every connection, with HSTS and a modern cipher suite enforced at the edge.
  • At rest: AES-256 for stored data and OAuth refresh tokens, with envelope encryption and key rotation handled by the cloud provider.

Authentication and access

Workspace members sign in with email plus password or with Google Workspace SSO. Two-factor authentication can be enforced workspace-wide. Roles are scoped per workspace: admin, editor, and viewer. Dashboards can be shared by tokenized link with optional expiry.

Infrastructure

UniDeck runs on managed infrastructure inside the European Union. The static marketing site is delivered through a global CDN. The application stack uses managed Postgres for primary storage, with point-in-time recovery enabled.

Monitoring and incident response

Service health, error rates, and authentication anomalies are monitored continuously. Pages route to the on-call engineer through the alert pipeline. The public availability page lives at stats.uptimerobot.com. Critical incidents are communicated to affected workspaces within one hour of confirmation.

Vulnerability disclosure

We welcome reports from independent researchers. Email [email protected] or follow the policy file at /.well-known/security.txt. We commit to acknowledging valid reports within two business days and to providing a fix or mitigation timeline within ten business days. We do not yet operate a paid bug bounty; recognition is given in our security advisories with researcher consent.

Audits and certifications

UniDeck does not currently hold SOC 2 or ISO 27001. SOC 2 Type I is in scope for 2026. We are happy to share our current security questionnaire on request via [email protected].


Frequent questions

  • Where is my data stored?

    UniDeck application services and customer data run inside the European Union. The static marketing site is delivered via a global CDN with EU edge presence. Specific subprocessor regions are listed at /trust/subprocessors when that page ships.

  • Do you have SOC 2 or ISO 27001?

    Not yet. SOC 2 Type I is on the 2026 security roadmap. We can share our current security questionnaire on request via [email protected].

  • How do I report a vulnerability?

    Email [email protected], or follow the policy file at /.well-known/security.txt. We aim to acknowledge within two business days and to provide a fix or mitigation timeline within ten business days.

  • Does UniDeck write to my connected tools?

    No. Every first-class integration in UniDeck is read-only. We never push commits, change issue states, send messages, or modify configuration in your connected tools.

  • How does UniDeck handle OAuth tokens?

    Tokens are encrypted at rest with envelope encryption, scoped per workspace, and refreshed on the schedule each provider mandates. Tokens are never exposed to client-side code.