Security
Iteration Layer is built with security and privacy as core priorities. Here's how we protect your data.
Infrastructure
All infrastructure runs on Hetzner Cloud in Nuremberg, Germany. Your data never leaves the EU for processing. Containers are orchestrated with automated health checks and automatic restarts on failure.
Our application runs in a Docker container built with a multi-stage build, as a non-root user with minimal runtime dependencies. Base images are pinned to specific versions and monitored for vulnerabilities via automated scanning.
Uptime is monitored from three regions (US, Netherlands, Germany). Current status is available at iterationlayer.openstatus.dev.
Network security
All traffic is encrypted in transit with TLS via automatic Let's Encrypt certificates. HTTPS is enforced on all endpoints — plain HTTP requests are redirected.
A cloud firewall restricts public access to HTTP and HTTPS only. SSH access is limited to administrator IPs with password authentication disabled. Brute-force protection is enabled. Administrative interfaces are IP-restricted.
Authentication
The platform uses passwordless magic link authentication with short-lived token expiry, plus Google and GitHub OAuth. No passwords are ever stored.
API authentication uses Bearer tokens. Keys are generated from cryptographically strong random data and only a one-way hash is stored — the plaintext key is shown once at creation and cannot be retrieved. Sessions use signed cookies with expiry and session fixation protection.
Data protection
File processing is fully transient — files are loaded into memory, processed, and immediately discarded. We do not persist uploaded files to disk or cloud storage. Maximum upload size is 50 MB.
API keys are stored as one-way hashes only. OAuth tokens are marked as redacted in our data layer. Authentication tokens are hashed before storage.
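The hash-only API key storage described here and under Authentication can be sketched as follows. This is an added example, not Iteration Layer's code: the SHA-256 choice, the `il_test_` prefix, and the in-memory `key_store` dictionary are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "il_test_"  # hypothetical prefix, constructed for this example


def hash_key(plaintext):
    # Assumption: SHA-256. A fast hash is acceptable here only because the
    # key carries 256 bits of randomness; passwords would need a slow KDF.
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def generate_api_key():
    """Return (plaintext, stored_hash). The plaintext is shown once, never stored."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    return plaintext, hash_key(plaintext)


def parse_bearer(header):
    """Extract the token from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token


def authenticate(header, key_store):
    """key_store maps stored_hash -> organization id (stand-in for a DB table)."""
    token = parse_bearer(header)
    if token is None:
        return None
    candidate = hash_key(token)
    for stored_hash, org_id in key_store.items():
        # Constant-time comparison of digests; the plaintext key is never
        # compared or persisted on the server side.
        if hmac.compare_digest(candidate, stored_hash):
            return org_id
    return None
```

Because only the digest is kept, a leaked key table does not reveal usable keys, and a lost key can only be replaced, not recovered.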
Usage records are automatically deleted after 90 days in compliance with our data retention policy.
Application security
CSRF protection is enabled on all browser endpoints. Content Security Policy headers are configured per application with restricted source directives. Standard security headers are set on all responses.
API rate limiting is enforced at 100 requests per minute per organization. Rate-limited responses include standard headers and a Retry-After header on 429 responses.
CORS is restricted to Iteration Layer subdomains in production. Input validation uses schema-level changesets with database-level constraints. MIME types are verified via magic byte detection.
Security tooling
Every commit runs through automated security checks enforced by pre-commit hooks. These include static application security testing (SAST) for common vulnerabilities (SQL injection, XSS, CSRF, hardcoded secrets), strict code quality analysis, compiler warnings-as-errors, and dependency vulnerability audits.
All checks run in parallel and are blocking — code cannot be committed without passing every check. The CI/CD pipeline runs the same checks before building and deploying. Docker images are scanned for vulnerabilities. Dependencies are monitored for updates automatically.
Incident response
In the event of a security incident, affected customers are notified within 48 hours as specified in our Data Processing Agreement. Health check monitoring with automatic container restarts ensures minimal downtime.
Data privacy and compliance
Iteration Layer is GDPR-compliant. The data controller is based in Spain (Las Palmas de Gran Canaria) under the jurisdiction of the Spanish Data Protection Agency (AEPD). A full Data Processing Agreement is available for all customers.
We use self-hosted privacy-focused analytics — no data leaves our infrastructure for analytics purposes. We do not use tracking cookies, only essential session and CSRF cookies. We do not sell customer data to third parties.
All sub-processors are EU/EEA-based except Google Vertex AI (processed in the Netherlands under the EU-US Data Privacy Framework) and Paddle (UK, under the adequacy decision). A complete list is published in our privacy policy.
Usage records are retained for 90 days and automatically purged. Account data is deleted within 90 days of account termination. GDPR rights (access, rectification, erasure, portability) are fulfilled within 30 days.
Responsible disclosure
If you discover a security vulnerability, please report it to security@iterationlayer.com. We commit to acknowledging reports within 48 hours and providing a resolution timeline within 5 business days.