Security
Security and data handling, without enterprise theatre.
Rostora is early-stage, so this page separates what is already implemented from what has not been audited or shipped yet. It is designed to help a small team decide whether the product is safe enough to trial before inviting everyone.
Account protection
- Passwords are stored as bcrypt hashes; card numbers are handled by Stripe, not stored by Rostora.
- Sessions use the rostora-session cookie, which is strictly necessary for sign-in and not used for advertising.
- Password reset, activation, and pending-signup tokens are one-way hashed before storage.
- Role changes, password resets, and logout-all actions invalidate older sessions.
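An added illustration of the two mechanisms above (one-way hashed reset tokens and invalidation of older sessions); this is example code, not Rostora's own, and the in-memory dicts, SHA-256 as the token hash, and the session-version scheme are assumptions:

```python
from __future__ import annotations
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for database tables (assumption).
# token digest -> (user_id, expiry timestamp); the raw token is never kept.
_reset_tokens: dict[str, tuple[str, float]] = {}
# per-user session version; bumping it invalidates every older session
_session_version: dict[str, int] = {}


def _hash_token(token: str) -> str:
    # One-way hash: a leaked table yields digests that cannot be redeemed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, ttl_seconds: int = 3600, now: float | None = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # raw token is sent to the user only
    _reset_tokens[_hash_token(token)] = (user_id, now + ttl_seconds)
    return token


def consume_reset_token(token: str, now: float | None = None) -> str | None:
    # Single use: the entry is removed whether or not it is still valid.
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_hash_token(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    logout_all(user_id)  # a password reset signs out all older sessions
    return user_id


def open_session(user_id: str) -> dict:
    return {"user_id": user_id, "version": _session_version.get(user_id, 0)}


def session_is_valid(session: dict) -> bool:
    return session["version"] == _session_version.get(session["user_id"], 0)


def logout_all(user_id: str) -> None:
    _session_version[user_id] = _session_version.get(user_id, 0) + 1
```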
Data handling
- Core schedule data is hosted in Neon eu-central-1, Frankfurt, Germany.
- The application runs on Vercel; Vercel Analytics and Speed Insights are cookieless and aggregate.
- Slack and Google subprocessors are engaged only when a workspace or user connects those integrations.
- A GDPR Article 28 Data Processing Agreement is available on request for customers who require one.
Retention and exit
- Admins can export schedule rows to CSV from the product.
- Admins can delete a workspace from the admin panel.
- Deleted workspace primary records are removed within 24 hours; Neon backups rotate out within 30 days.
- Billing records are retained for up to 10 years as required by Belgian accounting law.
Current limits
- No public third-party security audit or SOC 2 report is published yet.
- SSO and SCIM are not shipped yet.
- Workspace-level Google shared calendars are not supported yet; each user connects their own calendar.
- Product support goes to support@rostora.com; security, legal, and DPA questions go to info@rostora.com.
Need procurement detail?
Start with the privacy policy for subprocessors, retention, cookies, and GDPR rights. Email Q10 Labs for DPA or security questions before inviting a larger team.