Security and trust

Werk24 protects your intellectual property with multi-layer protective measures in infrastructure, encryption, access control, monitoring and disaster recovery, designed for data residency in the EU / US.

Last checked: 05 June 2025

At a glance

Choose data residency in the EU or USA

Your choice:

  • EU: Frankfurt (eu-central-1); georedundant backup in Stockholm (eu-north-1).
  • USA: N. Virginia (us-east-1); georedundant backup in N. California (us-west-1).

Strong encryption

At rest with KMS (customer-specific key); in transit via TLS 1.2+ (TLS 1.3 preferred).

End-to-end encryption with ephemeral keys available.

Least privilege access

Strict IAM, service-specific roles, MFA/YubiKey and logged administrator access.

Continuous monitoring

CloudWatch, GuardDuty, centralized immutable logs and anomaly alerts.

Backups & disaster recovery

Daily backups, PITR databases, RPO: 24 h, RTO: 4 h; full restoration after complete failure tested.

Secure SDLC

IaC with Terraform, protected CI/CD, weekly patches, ECR/dependency scans.

Security FAQ

Where is my data stored and processed?

Werk24 offers EU and US endpoints.

  • EU: Frankfurt (eu-central-1) with georedundant backups in Stockholm (eu-north-1).
  • USA: N. Virginia (us-east-1) with georedundant backups in N. California (us-west-1).

Processing takes place in the region of the endpoint; we do not replicate content across regions.

Can EU customers use the US endpoint?

Yes. You can route individual or all workloads to our US endpoint. These requests are processed and stored in the USA.

There is no automatic replication between the EU and the USA; data residency is determined by the endpoint you have chosen.

Which personal data do you process?

Werk24 processes as little personal data as possible. If the title blocks follow a standard format, we redact the release area very early in the processing chain.

How is data encrypted?

At rest: AWS KMS with a CMK per customer (SSE-KMS for connected customers; test data via SSE-S3). Keys are rotated annually.

In transit: TLS 1.2+ (TLS 1.3 preferred) via ACM-managed certificates; mTLS for particularly sensitive internal services. Enterprise plans support end-to-end encryption with ephemeral keys.

Who has access to production systems?

Access follows the least-privilege principle: service-specific IAM roles, separate accounts and MFA/YubiKey for administrators. Root access is severely restricted and requires approval by the CEO; credentials and keys are kept in a bank safe deposit box.

How is the network protected?

Segmented VPCs with public subnets for frontends and purely private subnets for worker/inference. Security groups limit service ports; sensitive services use VPC endpoints (no traffic over the public internet). Public APIs are behind API Gateway/ALB with WAF.

What logging and monitoring do you use?

Centralized logs (CloudWatch, CloudTrail) are stored immutable and versioned in S3 for at least 12 months. Sentry delivers telemetry at the application level. GuardDuty and CloudWatch alerts enable real-time anomaly detection and on-call alerting.

How do you deal with vulnerabilities and patches?

Weekly patch cycles (host AMIs, base images, Python dependencies); CI enforces the desk/Snyk/Trunk tests; AWS ECR scans images on push. High/critical issues are triaged within 24 hours and remedied within 72 hours (exceptions are documented).

What does your backup and disaster recovery strategy look like?

Daily backups with point-in-time recovery for critical databases; backups are located in Frankfurt/Stockholm (EU) or the corresponding US regions. RPO 24 h, RTO 4 h; complete restoration of the environment after a total failure is rehearsed and is currently verified at ~12 h.

Are single-tenant or region-isolated deployments possible?

Yes. For customers with strict residency or isolation requirements, we provide a dedicated environment in the desired region, with separate KMS keys and customer-specific IAM boundaries.

Where can I see the complete security concept?

We provide our detailed "configuration & security concept" (versioned) on request, including architecture diagrams, process descriptions and disaster recovery test results.

Register or ask for an individual assessment

Write to security@werk24.io. We are happy to answer your supplier questionnaire or arrange a security review.