Last updated: 01-10-2025

Security Policy

1. Introduction

Thank you for using Databeamer by Full Join! We value your trust in our software. In return, we ask you to use our services responsibly.

1.1 Purpose

This Security Policy outlines how we approach security across our Databeamer platform, infrastructure and development processes. It also provides clear guidance for external parties wishing to report potential vulnerabilities.

1.2 Our commitment to security

We are committed to protecting the confidentiality, integrity, and availability of our systems and the data entrusted to us by our users. We follow best practices in software development, infrastructure hardening, encryption and access management, appropriate to our size and risk profile.

1.3 Scope

This policy applies to:

  • The Databeamer web application and any (future) related mobile/desktop apps;
  • All software and services under the domain(s) databeamer.io and databeamer.eu;
  • Our API endpoints and hosted infrastructure.

Our comprehensive policy for safeguarding customer data and privacy, including in relation to supporting services outside the Databeamer platform (such as ticketing tools), is detailed in our Data Processing Agreement.

1.4 Data Hosting & Sovereignty

We are committed to full European data residency and jurisdictional independence.

  • Our services are exclusively offered to customers located in the EU, UK, Norway, and Switzerland;
  • We do not rely on U.S.-based infrastructure, tools, or platforms for core operations;
  • All data (including authentication information, user account data, metadata, and transferred content) is hosted entirely within the EU by a European-owned cloud provider;
  • As a result, customer data remains fully governed by European data protection laws and cannot be subject to foreign legislation such as the U.S. CLOUD Act.

By maintaining this level of European control, we ensure that personal data and transferred files remain within protected jurisdictions, reinforcing our commitment to data privacy, regulatory compliance, and digital sovereignty.

2. Technical security practices

Our Databeamer service is designed with security and privacy at its core. By integrating technical safeguards at every level of our architecture, we ensure that data remains confidential, intact and available, both at rest and in transit. These measures form the foundation of our technical security strategy. Together with organizational safeguards and our incident response process, they ensure that customer data is protected against both internal and external threats.

2.1 End-to-end encryption (E2EE)

All data traffic between sender and recipient is protected with end-to-end encryption. This ensures that files and messages are encrypted from the moment they are sent and can only be decrypted by the intended recipients. As a result, our organization and development team do not have access to any unencrypted customer data, guaranteeing maximum privacy and security.

AEAD streaming encryption

Data in transit and at rest is protected with streaming AEAD (Authenticated Encryption with Associated Data), which provides confidentiality and integrity in a single primitive: any modification of the ciphertext is detected when it is decrypted.

Streaming cipher

We rely on modern cryptographic primitives: ChaCha20-Poly1305 for authenticated encryption, combined with HKDF-SHA256 for key derivation. Encrypting data in authenticated chunks lets us process arbitrarily large files efficiently, without loading a whole file into memory and without size limitations.

Multi-recipient

Databeamer also supports multi-recipient encryption: one file can be securely shared with several recipients without creating a separate encrypted copy for each.

Data integrity with checksum validation

To ensure the integrity of files and messages during transfer, Databeamer uses checksum validation. A cryptographic hash is generated on the sender's side and verified on the recipient's side, confirming that the file or message has not been altered, corrupted, or tampered with in transit. This mechanism complements our end-to-end encryption (E2EE): the encryption protects the contents from unauthorized access, and the checksum confirms that what was received is exactly what was sent. The validation is performed automatically and transparently, requiring no user interaction.

2.2 Authentication and authorization

We enforce strict identity and access management measures to ensure that only authorized users can access our systems and services. All access is governed by the principles of least privilege and need-to-know, helping to reduce the risk of data exposure and account compromise.

Mandatory Multi-Factor Authentication (MFA)

MFA is enforced for all Databeamer accounts to strengthen login security.

Role-Based Access Control (RBAC)

Access to data and system functionalities is governed by predefined roles, ensuring users can only access what is necessary for their responsibilities.

Authentication monitoring

Login attempts are logged and monitored for anomalies such as brute-force attacks, repeated failed attempts, or access from suspicious IP addresses or geolocations.

Timely access revocation

Access is revoked immediately upon termination or plan change, and access rights are reviewed regularly.

2.3 Logging and Monitoring

Continuous monitoring and secure logging are vital components of our operational security. These practices help us detect abnormal behavior, respond to incidents quickly, and ensure accountability across our systems.

Centralized logging

All significant system events and user actions are securely logged in a tamper-resistant, centralized system.

Retention and integrity

Logs are protected from modification and retained for the duration defined in our internal policies and legal obligations.

Real-time monitoring and alerting

We use automated systems to detect suspicious activity and raise alerts, enabling swift incident response.

Incident response readiness

All security incidents are handled according to a documented Incident Response Plan, which is partly outlined in our Data Processing Agreement (DPA).

2.4 Application security

We follow secure development practices to proactively minimize vulnerabilities and ensure the robustness of our platform. Our approach is grounded in the principles of the Secure Software Development Lifecycle (SSDLC).

Automated security scans

Source code is regularly scanned with Static Application Security Testing (SAST) tools, and the running application is tested with Dynamic Application Security Testing (DAST) tools.

Peer code reviews

All changes are reviewed with a focus on identifying and mitigating OWASP Top 10 risks.

Regular penetration testing

Security assessments are regularly conducted to validate our defenses against real-world threats.

Input validation and sanitization

All user-provided data is validated and sanitized to protect against injection attacks such as cross-site scripting (XSS) and SQL injection.

Vulnerability management

Dependencies and libraries are kept up to date, and security patches are applied promptly as part of our regular update cycle.

These controls are designed to ensure our codebase remains resilient against both common and emerging threats.

2.5 Network security

We implement robust network-level protections to defend our infrastructure and maintain the confidentiality and availability of customer data. This layer complements our application security controls (see §2.4) and our access management controls (see §2.2 and §3.4), and focuses on isolating environments, restricting access, and protecting against external threats.

Environment segregation

Production systems are logically separated from development and testing environments to prevent accidental crossover or data leakage.

Secure access protocols

All infrastructure access is restricted through VPN and SSH connections secured by key-based authentication.

Firewall protections

Firewalls, Web Application Firewalls (WAF), and additional network filters are used to block unauthorized access and detect malicious traffic.

Abuse prevention

We enforce rate limiting, monitor for unusual patterns, and implement DDoS mitigation strategies to ensure service continuity and performance.

2.6 Data minimization and redaction

Due to the end-to-end encrypted (E2EE) nature of the Service, we do not have access to the content of files or messages transferred between users. This means we cannot read, monitor, modify, or retain the decrypted contents of any personal data exchanged through the platform.

Beyond the encrypted customer content, we collect only the minimal data required to operate and support the Service, and we limit what can enter our logs and analytics:

  • Transfer metadata such as timestamps and file sizes, which is necessary for core functionality, diagnostics, and support, as outlined in our Terms of Service;
  • Automatic redaction and anonymization, built into the file transfer logic, strips or masks sensitive values (e.g., account details, API tokens, or passwords) from any service-level logs or analytics;
  • Session replay (optional and used only for troubleshooting) automatically masks sensitive input fields, so personal or confidential information is not captured in session recordings.

These measures ensure that only the strictly necessary data is processed, and that personal or sensitive information is never exposed unnecessarily, in line with data minimization principles under the GDPR.

2.7 Backup and recovery

We have implemented backup and recovery practices to safeguard critical service data and maintain service continuity. Because the platform is end-to-end encrypted (E2EE), transferred content (files and messages) is never included in backups.

  • Service infrastructure and operational data (excluding transferred user content) are backed up daily;
  • Backups are encrypted and stored in a geographically separated, secure location within the EU;
  • Recovery procedures are tested regularly through documented disaster recovery exercises;
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined in line with the platform’s risk profile.

Note: Transferred customer content is not recoverable after deletion or expiry, by design.

2.8 Retention and deletion

The following retention and deletion practices apply to the use of the Databeamer Services:

  • Transferred files and messages are retained for a maximum of three (3) days from the time of upload. After this period, the content is automatically and permanently deleted. Only minimal metadata related to the transfer (such as timestamps and file size) may be retained for operational, support, and compliance purposes;
  • Other service-related data (as described in §2.6 Data minimization and redaction) is retained only as long as necessary to fulfill business, contractual, or legal obligations;
  • When retention periods expire, data is irreversibly deleted from our systems using industry-standard deletion methods. Because end-to-end encryption (E2EE) means we never store or access decrypted content, transferred files or messages cannot be recovered or returned once they have been deleted or have expired;
  • For any non-encrypted data collected in connection with account usage or metadata, customers may request deletion in accordance with applicable data protection laws.

Please refer to our Data Processing Agreement (DPA) for further guidance.

2.9 Audit and compliance

We regularly evaluate the effectiveness of our security controls and compliance posture through internal and, where relevant, external assessments.

  • Internal audits are conducted to verify adherence to this Security Policy and related controls;
  • Logs of relevant system and user actions are retained to support auditability and accountability (see also §2.3 Logging and Monitoring);
  • Where required, independent audits or third-party assessments (e.g., ISO 27001, SOC 2) may be carried out to validate our practices;
  • Upon request, and where necessary, we may provide supporting technical documentation to assist with customer audit obligations (see also DPA chapter 8 Right to Audit);
  • Compliance with applicable regulations and security standards is monitored continuously.

3. Organisational security practices

Information security is not treated as a standalone responsibility within our company, but as an integral part of how we operate. Both at a strategic and operational level, we have clear roles, responsibilities, and processes in place to safeguard the security of our platform and the data entrusted to us by our customers.

3.1 Security responsibility

Ultimate responsibility for information security lies with the management. Day-to-day coordination and oversight of security measures is handled by our designated Security Officer, who works closely with all team members to embed security practices throughout our organisation and within the Databeamer application.

3.2 Policies and governance

We maintain a formal internal Information Security Policy, which is reviewed and updated periodically. All employees are required to accept and adhere to this policy as part of their onboarding process.

3.3 Employee Awareness

We invest in ongoing security awareness and training. New employees receive onboarding training covering our key security principles, procedures, and behavioral expectations. In addition, we conduct periodic (at least annual) training sessions to keep knowledge up to date, covering topics such as phishing, password management, and the secure handling of sensitive data.

3.4 Access Management

Access to systems and data is granted based on the principle of least privilege and need-to-know. We implement the following controls across critical systems, including both our Databeamer platform and tools used to support our service operations (such as billing or analytics):

  • Multi-Factor Authentication (MFA) on all critical systems;
  • Role-Based Access Control (RBAC) to limit access to specific data and functions;
  • Regular reviews of employees' access rights and permissions;
  • Immediate revocation of former employees' access upon termination.

3.5 Subprocessors and partners

We take a risk-based approach to working with third-party service providers and partners. Subprocessors are selected based on their security posture, and where applicable, we use Data Processing Agreements (DPAs) and conduct security assessments to ensure compliance with our standards.

Third parties that have access to customer data are subject to vetting and ongoing evaluation to ensure adherence to appropriate security and privacy practices. Wherever possible, subprocessors are selected based on their European presence and ownership structure. Preference is given to providers that are headquartered in Europe and have no non-European parent companies or investors, to ensure better alignment with EU data protection principles and sovereignty.

A current list of authorized subprocessors is available upon request. More information about subprocessors and maintaining privacy is described in our Data Processing Agreement (DPA).

4. Reporting a vulnerability

At Full Join, we take the security of our Databeamer platform and our users seriously. Despite the care we take to secure our systems, vulnerabilities can still occur. That's why we welcome reports from security researchers, ethical hackers, and others who discover potential weaknesses in our applications or infrastructure.

This section outlines how you can responsibly report a security vulnerability, what you can expect from our team in response, the principles of responsible disclosure we follow, and which types of findings fall outside the scope of our policy. See also our Acceptable Use Policy.

By working together, we can improve the safety and reliability of our platform for everyone.

4.1 How to report

We value the contributions of the security community. If you believe you’ve discovered a vulnerability in our systems:

  • Email us at security@databeamer.io;
  • For sensitive reports, preferably encrypt your message with our PGP key;
  • Include as much detail as possible (e.g., steps to reproduce, tools used, screenshots);
  • Do not exploit the vulnerability or access user data;
  • Allow us a reasonable time to investigate and respond before disclosing publicly.

4.2 What to expect from us

If you submit a valid vulnerability report, we will:

  • Acknowledge receipt within 5 business days;
  • Provide a status update within 10 business days;
  • Work to remediate the issue as quickly as possible;
  • Not pursue legal action against you or revoke your access if you follow these guidelines;
  • Credit you publicly, if desired (and permitted).

4.3 Responsible disclosure guidelines

We kindly ask that you:

  • Avoid any actions that could cause harm (e.g., data destruction, denial of service, brute-force attacks);
  • Do not access or modify data that isn’t your own;
  • Cooperate with our team as much as possible;
  • Give us time to fix the issue before you share it publicly.

4.4 Exclusions

While we appreciate all efforts to help improve the security of our Databeamer service, certain types of findings fall outside the scope of our responsible disclosure program. The following issues are typically considered low-risk, accepted limitations, or do not represent meaningful security vulnerabilities. Reports focusing solely on these areas may not receive a response:

  • Spam reports;
  • Outdated browser issues;
  • Social engineering;
  • Lack of SPF/DKIM/DMARC;
  • Clickjacking on non-sensitive pages;
  • Rate-limiting bypass unless demonstrably exploitable.

5. Updates & contact

We may revise this Security Policy from time to time to reflect changes to our services, or to meet legal and regulatory requirements. We encourage you to check this page periodically to stay informed.

The “last updated” date at the top of this page shows when this policy was most recently reviewed.


About & Contact

Databeamer by Full Join

Databeamer is created and licensed by Full Join B.V. and is located in Eindhoven, The Netherlands. Full Join is a software and data development/consultancy agency. We develop applications and provide consultancy services, including advising organizations about data, privacy and development projects.

KVK: 71160620
BTW: NL 858 603 573 B01

Contact Us

For more information about this policy or other legal matters, contact us via our Contact Form

Protecting your privacy and securing your data is our top priority

Full Join © 2025