Security · how rVODE handles your data

Boring on purpose.

Production accounting holds three things that matter: your money, your invoices, and your tax filings. We treat them like the records they are — encrypted in the EU, retained per Swedish law, exported on request, and explained here in plain language.

EU-only hosting · BFL 7-year retention · GDPR Art. 28 processor

01 Reporting a vulnerability

Found something? Tell us.

We run a responsible disclosure programme. If you believe you’ve found a vulnerability in rVODE’s product, infrastructure, or website, please email us before publishing or sharing it.

Where to write

security@rvode.com

We acknowledge reports within 2 business days and aim to triage within 5 business days. We’ll coordinate a 90-day disclosure window from triage to public write-up.

What’s in scope: rvode.com, app.rvode.com, our API endpoints, our mobile apps, and any production infrastructure under our control.

What’s out of scope: social engineering of staff or customers, physical attacks, denial-of-service, third-party services we use (report those upstream), and findings that require already-compromised credentials.

Safe harbour: if you act in good faith, don’t exfiltrate customer data, don’t degrade service, and give us reasonable time to respond, we won’t pursue legal action against you. We don’t run a paid bounty yet — we credit researchers in our changelog with permission.

02 Hosting & data flow

Your books stay in the EU.

Every byte of customer data — deal memos, day logs, invoices, receipts, bank confirmations, tax exports — is stored and processed inside the European Union. We don’t replicate to the US, the UK, or anywhere outside EU/EEA. Customer support, observability, and analytics tooling are EU-resident or EU-region-pinned.

  • Primary region: Stockholm (eu-north-1). Where your reads and writes land by default.
  • Failover region: Frankfurt (eu-central-1). Used only on regional outage. Never serves cross-region traffic in normal operation.
  • Egress: EU-only. No outbound data flows to non-EU jurisdictions. Verified at the network layer.
  • CDN / edge: EU-region-restricted. Static assets served from EU edge nodes; customer data is never cached at the edge.

03 Encryption

In transit, at rest, and in backups.

Standard practice, applied without exception:

  • In transit: TLS 1.2+ (TLS 1.3 preferred). HSTS enforced. No unencrypted endpoints in production.
  • At rest: AES-256. Application database, object storage, and backups are encrypted by default.
  • Key management: Managed KMS (EU region). Per-tenant keys for invoice and document blobs; rotated automatically.
  • Database backups: Encrypted · EU-region only. Point-in-time recovery within the primary region. Backups never cross EU borders.

04 Authentication & access

Strong by default, auditable by design.

Customer accounts use email and password with two-factor authentication available on every account from day one. Single sign-on (BankID, Microsoft, Google) is on the roadmap for Production-tier customers.

Employee access to production systems is limited to a small number of named engineers, gated behind 2FA and a per-action audit log. Customer data is only accessed in response to a documented support ticket or an incident, and every access is recorded.

  • Passwords are stored as Argon2id hashes — never in plain text, never reversible.
  • Session tokens are short-lived and scoped per-device. Revoking a device kills its sessions instantly.
  • API keys are issued per-integration with least-privilege scopes and can be rotated by the customer at any time.
  • All admin actions emit an audit event, retained for the customer’s account lifetime plus 7 years.

05 Retention & deletion

Held as long as the law requires — not a day longer.

Swedish bookkeeping law (Bokföringslagen 7 kap. 2 §) requires accounting records to be retained for seven years from the end of the calendar year they relate to. We honour that. After year 7+1, records are automatically purged.

  • Accounting records: 7 years (BFL 7 kap. 2 §). Verifications, ledgers, year-end archives. Auto-purged at year 7+1.
  • Personal data: Until you ask us to delete it. GDPR Art. 17 right to erasure, subject to BFL retention obligations on accounting records.
  • Account closure: Full SIE4 export on request. You leave with everything: SIE4 of your books, PDF/A-3 of every invoice, CSV/JSON of every transaction.

We are the processor; you are the controller. A Data Processing Agreement is available on request — written against GDPR Art. 28 and the EU Standard Contractual Clauses.

06 Backups & continuity

Designed to recover quickly, honestly stated.

Production data is backed up continuously to encrypted, EU-region storage with point-in-time recovery within the primary region. Backups are tested on a documented schedule.

  • Recovery objective: RPO ≤ 15 minutes · RTO ≤ 4 hours. What we aim for at our current stage. We’ll publish actuals once we have a year of operating data.
  • Backup retention: 35 days point-in-time. Plus monthly snapshots retained for the BFL 7-year window.
  • Backup region: EU-only. Same residency rules as the primary database. Backups never leave the EU.

07 Audits & certifications

No certifications yet. Here’s why — and what we do instead.

rVODE is pre-launch. We do not hold SOC 2, ISO 27001, or any equivalent third-party security certification, and we’re not going to claim we do.

Why we’re saying this out loud

Most teams at our stage either fudge this question or drop a certification logo from a tool they integrate with. We’re not doing that. If you’re evaluating us against a vendor checklist that requires SOC 2 or ISO 27001 today, we’re honest about not meeting it — and we’d rather you know now.

What we do instead:

  • Follow EU GDPR and Swedish bookkeeping law as our compliance baseline — documented, auditable, and the only certification our customers actually need to operate legally.
  • Operate our own infrastructure on EU-resident managed services that are SOC 2 / ISO 27001 certified by their providers. Our customers inherit those operational controls.
  • Run automated dependency scanning, secret scanning, and SAST in CI on every commit.
  • Plan a third-party penetration test before general availability and on an annual cadence after.

We’ll evaluate ISO 27001 and SOC 2 once we have customer demand for them. When we begin those processes, we’ll publish the timeline here.

08 Sub-processors

A short list, all EU-resident.

We use a deliberately small set of sub-processors, each contractually bound to GDPR Art. 28 terms. We notify customers in advance of any addition or change.

  • Hosting: Managed cloud (EU regions). Database, object storage, compute. EU-only regions, never replicated outside the EU.
  • Transactional email: EU-resident provider. Account emails, invoice delivery notices, password resets.
  • Error monitoring: EU-region-pinned. Stack traces and performance traces. Customer data is scrubbed before transmission.
  • Payments & invoicing: Bankgirot · Peppol BIS 3.0 access point. Outgoing invoice delivery and incoming AP receipt over the Peppol network.

Full sub-processor list with legal entity names, processing purposes, and locations is published at /legal/subprocessors.

Contact · security & data

Two mailboxes. Real humans.

Security reports

security@rvode.com

Vulnerabilities, suspicious activity, and anything that looks like a breach. Acknowledged in 2 business days.

Data Protection Officer

dpo@rvode.com

GDPR data-subject requests, DPA copies, sub-processor questions, anything regulatory.