Trust & Security
How CloudWady protects your data, your customers, and your operational control.
Data residency
Your Odoo instance and backups stay in the cloud region you choose. BYOC by design.
Encryption
TLS 1.2+ end-to-end in transit. Backups encrypted at rest with per-tenant keys.
Audit log
Every deploy, backup, restore and permission change is recorded against the user that triggered it.
GDPR Article 28
DPA available on request. Sub-processor list published.
Data residency — your region, your control
CloudWady is a Bring-Your-Own-Cloud platform. Customer Odoo instances, filestores, and backups are provisioned on infrastructure you own at your chosen cloud provider — Hetzner (Germany / Finland), DigitalOcean, AWS, or any other supported provider. CloudWady's control plane never copies your database off the region you've chosen.
For EU partners and their end-customers, the practical consequence is that no Schrems II transfer assessment is required when the workload runs entirely on EU infrastructure: data, backups, and logs all stay inside the EU / EEA. You can verify this from the deployment's server record in the dashboard — the region is visible per app.
The control plane itself (the orchestration layer that runs deploy / backup / restore workflows) is hosted in Germany. Operational metadata (workflow status, audit entries, billing) is kept in the control plane region. Customer business data is never duplicated there.
Encryption in transit
All public endpoints serve TLS 1.2 or higher. HSTS is enabled with a one-year max-age on production hosts. Internal traffic between the CloudWady control plane and customer infrastructure runs over SSH with key authentication only, with no password fallback.
Webhooks accepted from GitHub and GitLab are verified with HMAC-SHA256 signatures using constant-time comparison. Unknown or unsigned sources are rejected at the controller.
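The webhook check described above, as an added example (not CloudWady's own code). It assumes the GitHub-style X-Hub-Signature-256 header carrying "sha256=<hex digest>"; the function names, the per-source secret lookup and the status codes are hypothetical.

```python
import hashlib
import hmac

# Assumption: GitHub-style header "X-Hub-Signature-256: sha256=<hex digest>".
SIG_HEADER = "X-Hub-Signature-256"
SIG_PREFIX = "sha256="


def verify_webhook(secret: bytes, raw_body: bytes, signature_header) -> bool:
    """Return True only if the header carries a valid HMAC-SHA256 of raw_body."""
    # Unsigned or wrongly prefixed requests are rejected outright.
    if not signature_header or not signature_header.startswith(SIG_PREFIX):
        return False
    received_hex = signature_header[len(SIG_PREFIX):].strip()
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    if len(received_hex) != 64:
        return False
    try:
        received = bytes.fromhex(received_hex)
    except ValueError:
        return False
    # Sign the raw bytes as received; a re-serialised JSON body would not match.
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest takes time independent of where the two values differ.
    return hmac.compare_digest(expected, received)


def handle(secrets_by_source: dict, source: str, raw_body: bytes, headers: dict) -> int:
    """Hypothetical controller entry point; returns an HTTP status code."""
    secret = secrets_by_source.get(source)
    if secret is None:
        return 403  # unknown source: no secret registered for it
    if not verify_webhook(secret, raw_body, headers.get(SIG_HEADER)):
        return 401  # missing, malformed or wrong signature
    return 202  # accepted for processing


# Constructed sample data, not real credentials or a real payload.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/odoo-addons"}}'
SAMPLE_SIG = SIG_PREFIX + hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    secrets = {"github": SAMPLE_SECRET}
    print(handle(secrets, "github", SAMPLE_BODY, {SIG_HEADER: SAMPLE_SIG}))
    print(handle(secrets, "github", SAMPLE_BODY + b" ", {SIG_HEADER: SAMPLE_SIG}))
    print(handle(secrets, "github", SAMPLE_BODY, {}))
    print(handle(secrets, "elsewhere", SAMPLE_BODY, {SIG_HEADER: SAMPLE_SIG}))
```

The signature must be computed over the request body exactly as received, before any JSON parsing, or valid deliveries will fail verification.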
Encryption at rest
Backups stored on object storage (S3 / R2 / Hetzner Storage Box) use server-side encryption with per-tenant keys. The control-plane database is encrypted on the host volume.
Credentials we hold on your behalf (registry tokens, cloud-provider API keys, SSH private keys) are masked for non-operator users and never written to logs. Sensitive payloads are sanitized before they reach the audit trail.
Operational audit log
Every action that mutates state — deploy, update, backup, restore, permission change, secret rotation — is recorded against the user that triggered it, with a timestamp and the originating IP. Workflow runs and their per-step outputs are persisted for at least 90 days; longer retention is configurable per partner.
For partner admins, the dashboard shows the deployment history per app. For platform-level events, the operator can export the audit log on request as part of an Article 28 GDPR cooperation.
Sub-processors
Because CloudWady is BYOC, the cloud provider hosting your data is determined by your deployment, not by us. For the control plane itself, CloudWady currently engages a small set of sub-processors (DNS / CDN, mail delivery, error tracking). The full list — with each party's role, region, DPA link, and the data category they touch — is maintained as a live registry.
GDPR — Article 28 & DPA
CloudWady operates as a processor for customer business data per Article 28 GDPR. A Data Processing Agreement (DPA) is available on request and signing the standard DPA is a precondition for production use.
Data-subject requests (access, rectification, erasure, restriction, portability, objection) can be filed by your end-customers through the self-service portal below; we forward each request, acknowledge it within 72 hours, and complete it within the statutory 30-day window.
Incident response
Confirmed personal-data breaches affecting partner workloads are notified to the partner without undue delay and, where the breach is reportable, within the 72-hour window required by Article 33 GDPR. Notification includes the scope, the data categories involved, the measures taken, and the contact for follow-up.
Security issues, including suspected vulnerabilities, can be reported to security@cloudwady.com. Responsible disclosure is welcomed and acknowledged.
What we don't claim (yet)
We don't pretend to certifications we don't hold. CloudWady is not currently SOC 2 or ISO 27001 certified. What we offer instead is operational transparency: audit logs, a documented incident process, a published sub-processor registry, and a control plane whose permission system is documented (five tiers, per-company matrix, with cross-tenant isolation enforced server-side).
For partners who require formal certification, we are happy to discuss the timeline that would justify pursuing it. For partners for whom BYOC + documented controls are sufficient, this page describes what's already in place today.
Contact
- Security disclosures: security@cloudwady.com
- Privacy / GDPR: privacy@cloudwady.com
- DPA requests: dpa@cloudwady.com
- Imprint & legal entity: /imprint