Trust Center
How we handle your data.
Reporting API App is operated by BauCloud GmbH from Munich, Germany, with all production hosting in Falkenstein. This page summarises where your data lives, the legal artefacts available for procurement and audit, and how we secure the service.
At a glance
Four facts that procurement reviewers usually want first.
- BauCloud GmbH, Munich: since 2013
- Hosting on Hetzner, Falkenstein: EU-only
- Report retention by default: 30 days
- US cloud, cookies, trackers: 0
For procurement
Documents & policies
Everything you need for vendor reviews and your own GDPR obligations.
Data Processing Agreement (DPA) [EN]
Pursuant to Art. 28 GDPR. Available for all customers.
Technical & Organizational Measures [DE]
TOM under Art. 32 GDPR.
Sub-processors [DE]
Complete, public list of all third parties involved.
Privacy Policy [EN]
What we collect, why, and for how long.
Terms of Service [EN]
General Terms (Bitkom AGB) and product-specific terms.
Imprint [EN]
Company details, register, and contact.
Infrastructure
Where your data lives
Application servers, databases, and backups. No surprises.
Hetzner, Falkenstein DE
Application servers, databases, and report storage run on Hetzner Online GmbH infrastructure in Falkenstein, Germany. Hetzner is ISO 27001 certified.
No US hyperscalers
We do not use AWS, Google Cloud, or Azure for application hosting or data storage. The complete sub-processor list is public.
PostgreSQL in the EU
Primary data, cache (Solid Cache), and job queue (Solid Queue) all run on PostgreSQL inside the EU. No external database-as-a-service.
30-day retention
Browser reports are automatically purged after 30 days. We collect technical error metadata only — no personal data, no cookies, no tracking.
Application security
Security practices
How we keep the service hardened, day to day.
- TLS for all traffic
- All HTTP traffic, including report ingestion, is served over TLS.
- Application-level encryption
- API keys, webhook auth headers, and other secrets are encrypted via ActiveRecord Encryption.
- Strict tenant isolation
- Every database query is scoped to the calling organisation. Cross-tenant access is impossible by design.
- Bcrypt password hashing
- Passwords are stored as bcrypt hashes. Sessions are device-tracked and individually revocable.
- Open standards, no lock-in
- Built on the public W3C Reporting API spec. No proprietary protocols.
- Automated dependency updates
- Daily Dependabot scans and a Brakeman security scan in CI for every change.
Honesty first
Compliance posture
We do not currently hold SOC 2, ISO 27001, or PCI DSS certifications. We do not pretend otherwise. What we do offer:
GDPR compliance
We operate under EU and German data-protection law. We provide a Data Processing Agreement under Art. 28 GDPR, documented Technical and Organizational Measures under Art. 32 GDPR, and a public sub-processor list.
Helps with NIS2 Art. 21
For organisations covered by NIS2 (Directive (EU) 2022/2555), browser violation reports support the risk-management measures required by Art. 21. See the compliance solutions page for details.
PCI DSS 4.0 evidence
CSP violation and SRI reports help organisations covered by PCI DSS 4.0 meet requirements 6.4.3 and 11.6.1, which concern monitoring of scripts on payment pages.
Audit-ready reporting
Every browser report is timestamped, structured, and routed to your existing observability stack so it sits alongside the rest of your audit evidence.
The company
About BauCloud
Who is on the other side of the contract.
Reporting API App is built and operated by BauCloud GmbH, a German limited company headquartered in Munich and active since August 2013. The company is owner-operated by Tobias Maier, who is also the registered managing director.
We are deliberately small. That means we are not a SOC 2 enterprise, but it also means there is no opaque corporate structure between you and the people running the service. You always know who you are talking to, and you always know which legal jurisdiction applies.
- Legal entity: BauCloud GmbH
- Registered office: Jörg-Hube-Straße 99, 81927 München, Deutschland
- Commercial register: HRB 206718, Amtsgericht München
- Managing director: Tobias Maier
- VAT ID: DE290479250
Questions about security or compliance?
Need a signed DPA, a vendor questionnaire filled in, or a question answered? Email and you'll reach the team operating the service.