security, built EU-first.
cyrqle handles creator data, campaign records and payouts. We protect them with encryption, least-privilege access and a small set of audited, EU-first sub-processors.
Encryption everywhere
TLS 1.2+ in transit and AES-256 at rest across databases, object storage and backups.
EU-first data residency
Primary database (PlanetScale EU) and object storage (Cloudflare R2 EU) live in the EU. Transfers outside the EEA rely on EU SCCs.
Least-privilege access
Role-scoped access to production, short-lived credentials, SSO with mandatory MFA for the team, and no shared logins.
Hardened infrastructure
Managed, continuously patched platforms (Vercel, PlanetScale, Cloudflare). Secrets held in a managed store, never in code.
Monitoring & logging
Centralised audit logging and error monitoring (Sentry) with alerting on anomalous access and failures.
Privacy by design
GDPR and Spanish LOPDGDD compliant. Consent-gated analytics, data-subject tooling and a 6-year campaign retention window.
how we operate.
- Secure SDLC with peer-reviewed changes and CI checks before deploy
- Dependency and secret scanning in the pipeline
- Payments isolated to Stripe Connect — we never store full card numbers
- Documented incident response with breach notification without undue delay
- Vendor due-diligence; every sub-processor bound by a DPA
- Regular access reviews and same-day offboarding
Certifications
We build to SOC 2 controls and our SOC 2 Type II audit is in progress. We’re happy to share our current posture, security questionnaire and roadmap under NDA — ask your account contact or email security@cyrqle.app.
Report a vulnerability
Found something? We welcome responsible disclosure. Email security@cyrqle.app with details and steps to reproduce. We acknowledge reports within two business days and will keep you updated through remediation.