Security
Data protection and operational excellence are key pillars of the EIDP stack, because they are what allows you to keep your data secure. This document lays out how we help you achieve security for the applications you run on EIDP, at a technological and process level.
At EIDP, we integrate security by design and work towards the compliance and regulatory expectations set by ISO27001, SOC2, GDPR, and DORA.
European data governance & sovereignty
When you deploy your services on the EIDP stack, your application and data are completely sovereign within the European Union. This not only means that your data resides in data centres located in the European Union, but that the infrastructure is also owned and controlled by companies residing in the European Union.
As a European entity, EIDP designs and develops for compliance within the European context first, notably including GDPR, DORA and CRA compliance.
Data isolation & protection
Each customer instance isolates resources at different levels in the stack, as follows:
| Resource | Isolation |
|---|---|
| Compute | All customer instances run on separate virtual machines |
| Network | Network policies and firewalling ensure that cross-instance and cross-cluster communication is impossible or limited to what is needed |
| Storage | Buckets and block devices are logically segregated |
| Backups | Backups are encrypted with customer unique keys |
Additionally, between different clusters, compute and network instances are also logically separated using virtual machines and network policies, and access to storage and backups is protected by access controls.
Shared responsibility
You run your own applications and code on the EIDP stack, which means you and EIDP have shared responsibility for the overall security of your product.
| Layer | EIDP responsibility | Customer responsibility |
|---|---|---|
| Physical / Data Centre | Selecting and monitoring data centre partners | N/A |
| Network & Perimeter | Ingress security, WAF*, DDoS mitigation* | App layer hardening |
| Control Plane | Secure SDLC, patching, policy engine | API key hygiene, RBAC config |
| Runtime / Cluster | Node hardening*, patch cadence*, CIS baseline* | App vulnerabilities, resource requests |
| Data Storage | Encryption at rest*, backup & disaster recovery | Data classification, retention choices |
| Secrets | Encryption*, rotation workflows* | Appropriate scoping & least privilege |
| Observability | Secure log pipeline, retention config | Redacting sensitive information in logs |
* These platform features are planned or in development. Please review the features page for an overview of the components in the current EIDP platform.
EIDP's security platform
The following features of EIDP's platform help secure your apps and services.
Identity & access management
EIDP permits customers to extend their own identity provider (IdP) into their EIDP instances through SAML or OIDC. Within instances, customers can choose role-based access models for accessing EIDP platform services such as logs, backups, and databases.
Supply chain security
The EIDP platform has built-in support for solving common supply chain security issues during development.
| Stage | Control |
|---|---|
| Build | Isolated build runners, dependency caching with checksum verification |
| Scan | SCA + container image vulnerability scan (policy gates) |
| Sign | Image signing + provenance attestation (SLSA level target) |
| Deploy | Policy engine validates signature + allowed base images (optional) |
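The build-stage checksum verification and the deploy-stage base-image gate in the table above can be illustrated with a small self-contained script. This is an added example, not EIDP's own code or policy engine; the lockfile entries, cache contents, the `registry.example.internal` repositories and the helper names are all constructed for illustration. It checks every cached dependency against a trusted lockfile digest (rejecting tampered and unpinned artifacts) and only admits base images that come from an allowlisted repository and are pinned by a full `sha256:` digest.

```python
import hashlib
import hmac
import re


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes (the value a lockfile records)."""
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile: the digests a build is allowed to consume.
# In a real pipeline this comes from a committed lockfile, never from the cache itself.
TRUSTED_LOCKFILE = {
    "libfoo-1.2.3.tar.gz": sha256_hex(b"libfoo 1.2.3 release tarball\n"),
    "bar-0.9.whl": sha256_hex(b"bar 0.9 wheel\n"),
}

# Constructed cache contents: 'bar' has been altered, 'baz' was never pinned.
SAMPLE_CACHE = {
    "libfoo-1.2.3.tar.gz": b"libfoo 1.2.3 release tarball\n",
    "bar-0.9.whl": b"bar 0.9 wheel with an extra line\n",
    "baz-2.0.tar.gz": b"baz 2.0\n",
}


def verify_cached_artifact(name: str, data: bytes, lockfile: dict) -> str:
    """Return 'ok', 'mismatch' (digest differs) or 'unpinned' (not in lockfile)."""
    expected = lockfile.get(name)
    if expected is None:
        return "unpinned"
    # compare_digest avoids timing differences leaking which prefix matched
    if hmac.compare_digest(sha256_hex(data), expected):
        return "ok"
    return "mismatch"


def verify_cache(cache: dict, lockfile: dict) -> dict:
    """Verdict per cached artifact; a build gate should fail on anything but 'ok'."""
    return {name: verify_cached_artifact(name, data, lockfile) for name, data in cache.items()}


def cache_is_clean(cache: dict, lockfile: dict) -> bool:
    return all(v == "ok" for v in verify_cache(cache, lockfile).values())


# Deploy-stage gate: base image must come from an allowlisted repository
# and be pinned by digest so a mutable tag cannot be swapped underneath the build.
ALLOWED_BASE_REPOS = {  # hypothetical internal registry
    "registry.example.internal/base/python",
    "registry.example.internal/base/distroless",
}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str):
    """Split 'repo[:tag][@digest]' into (repo, tag, digest); registry ports are handled."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # a ':' after the last '/' is a tag separator, not a registry port
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def base_image_allowed(ref: str, allowlist: set):
    """Return (allowed, reason) for a base image reference."""
    repo, _tag, digest = parse_image_ref(ref)
    if repo not in allowlist:
        return False, "repository not on allowlist"
    if digest is None or not DIGEST_RE.match(digest):
        return False, "image not pinned by digest"
    return True, "ok"


if __name__ == "__main__":
    for name, verdict in verify_cache(SAMPLE_CACHE, TRUSTED_LOCKFILE).items():
        print(f"{name}: {verdict}")
    print(base_image_allowed("registry.example.internal/base/python:3.12@sha256:" + "a" * 64,
                             ALLOWED_BASE_REPOS))
```

Running the script reports `libfoo` as ok, `bar` as a mismatch and `baz` as unpinned, so `cache_is_clean` is false and a gate built on it would stop the build; a base image referenced by tag alone is refused even when its repository is allowlisted.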
Logging & audit
Apps deployed in EIDP workload clusters automatically log to a separate, append-only logging instance. These logs include application logs as well as information about deployments, role usage, and use of sensitive credentials. This data can be exported to other sources such as webhook collectors or SIEMs.
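Because the logging instance is append-only and can be exported to external collectors, anything written to it should already be free of credential material; the shared responsibility table places that redaction with the customer. The following is an added example, not EIDP's logging pipeline: a Python `logging` filter that masks bearer tokens and `key=value` secrets on the export handler, so every record is scrubbed before it leaves the process. The regular expressions, log lines and logger name are constructed for illustration and should be extended to match your own secret formats.

```python
import logging
import re

# Redaction rules, applied in order. Constructed for this example.
REDACTION_RULES = [
    # "Authorization: Bearer <token>" headers, case-insensitive
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    # key=value / key: value pairs whose key names a secret; quotes are preserved
    (re.compile(r"(?i)\b(api[_-]?key|access[_-]?token|token|password|secret)"
                r"(\s*[=:]\s*)([\"']?)[^\s\"'&,]+\3"),
     r"\1\2\3[REDACTED]\3"),
]


def redact(text: str) -> str:
    """Return the log text with credential values replaced by [REDACTED]."""
    for pattern, replacement in REDACTION_RULES:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the rendered message so no handler ever sees the raw secret."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above
        return True


class ListHandler(logging.Handler):
    """Stand-in for an export handler (webhook, SIEM forwarder); keeps lines in memory."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_redacting_logger(name: str = "example-app"):
    """Logger whose export handler scrubs secrets; the filter sits on the handler
    so records from child loggers are covered too."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.handlers = [handler]
    return logger, handler


def demo() -> list:
    """Emit two constructed records that contain secrets and return the exported lines."""
    logger, handler = build_redacting_logger()
    logger.info("login user=%s api_key=%s", "alice", "abc123")
    logger.warning("upstream call failed, headers: Authorization: Bearer eyJhbGciOi.payload.sig")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Putting the filter on the handler rather than on the logger matters: a logger-level filter only runs for records logged directly on that logger, while a handler-level filter scrubs everything that reaches the export path, including records from child loggers and third-party libraries.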
Process & policy
Compliance
The following artifacts are available to customers on request:
- GDPR Data Processing Agreement (DPA)
- Subprocessor list
  - EIDP only uses subprocessors owned and operated in Europe
- Penetration test executive summaries
EIDP organises internal processes around the ISO27001, SOC2, and DORA standards and hopes to demonstrate compliance with these standards soon.
Reporting issues
To report security issues, please contact security@eidp.com.