Trust center
Show your work.
What we run, who processes data on our behalf, and how we prove this site is what we claim it is.
Mozilla Observatory: A+SSL Labs: A+securityheaders.com: A+Lighthouse ≥ 95WCAG 2.2 AA
Sub-processors
| Vendor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Cloudflare | DNS, edge TLS, DDoS protection, WAF | Global, with EU/US presence | SCCs in place |
| Hetzner | Primary application hosting | Falkenstein, Germany (EU) | GDPR — no transfer |
| Listmonk (self-hosted) | Newsletter delivery | EU | GDPR — no transfer |
| Plausible (self-hosted) | Cookieless analytics | EU | GDPR — no transfer |
| Backblaze B2 | Encrypted off-site backups | EU region | SCCs in place |
Audit & assurance
- External pentest: scheduled annually; latest summary published here.
- Dependency audit: weekly via Dependabot + Renovate.
- CodeQL: every pull request.
- SBOM (CycloneDX): published per release at
/trust/sbom.json. - Backup restore test: quarterly.
Incident history
No material incidents to date. Post-mortems for any material incident will be published within 30 days on our writing feed.