Security

Security practices at
SIA

How we protect your data, your operations and your trust. EU hosting, ISO 27001 certified, encrypted everywhere, independently audited.

Infrastructure

SIA runs on EU-based cloud infrastructure with physical access controls, 24/7 monitoring and redundant power and networking. All customer data (operational data, documents, photos) is stored in the European Union.

  • Primary region: Netherlands
  • Redundant backups in a separate EU region
  • Daily encrypted backups with 30-day retention
  • Tested disaster-recovery procedures

Encryption

  • In transit: TLS 1.3 for all connections. HSTS enforced. Perfect forward secrecy.
  • At rest: AES-256 for databases, object storage and backups.
  • Secrets management: Credentials and keys stored in a managed secrets vault with automatic rotation.

Access control

  • Role-based access control (RBAC) within SIA: separate roles for HSE managers, crew, auditors and admins
  • Single Sign-On (SSO via SAML / OIDC) available for enterprise customers
  • Multi-factor authentication (MFA) supported for all accounts, required for admin roles
  • Principle of least privilege applied to internal engineering access. Production access requires approval, is logged and reviewed.

Application security

  • Secure development lifecycle aligned with OWASP ASVS
  • Dependencies scanned continuously for vulnerabilities
  • Static and dynamic application security testing in CI
  • Security code reviews for all critical changes
  • Responsible disclosure programme (see below)

Monitoring & incident response

  • Centralised logging and SIEM with anomaly detection
  • 24/7 alerting for security and availability incidents
  • Documented incident-response plan with defined roles and escalation
  • Customer notification within 72 hours of confirming a data breach that affects their data (meeting GDPR requirements)

Audits & compliance

  • ISO 9001 certified for quality management
  • ISO 27001 certified for information security management
  • Annual independent penetration tests on the SIA platform
  • Annual internal ISMS audits and management reviews
  • GDPR-aligned processes: DPIAs for new features handling personal data, Data Processing Agreements with all sub-processors

Certificates and audit summaries are available to prospective and current customers under NDA. Contact security@odinqhse.com.

Business continuity

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour
  • Annual DR drills with documented outcomes
  • Public status page (coming soon) for real-time availability

Data handling

  • Customer content is never used to train third-party AI models without explicit consent
  • Data is isolated per tenant with strict access boundaries
  • Export is available at any time in standard formats (CSV, PDF, JSON)
  • Deletion on request: purged from production within 30 days, from backups within the backup retention period

Responsible disclosure

Found a security issue? Please report it privately to security@odinqhse.com. We acknowledge within 48 hours, confirm the issue or dispute within 7 days, and publish credits (if you wish) after the fix is live. We do not take legal action against good-faith researchers who follow this policy.

Please do not test against customer production data, perform DoS, or publicly disclose before we have had time to fix.

Contact

Security questions, DPAs, audit requests: security@odinqhse.com