Security

Security & trust

An honest, concise description of what we run to protect your vehicle data - infrastructure, controls and standards. No marketing fluff.

HostingHetzner Cloud

RegionNuremberg, DE (EU)

BackupsDaily

Posture reviewedMay 2026

Controls

What runs in production today

No half-truths. The same answers we give to enterprise security questionnaires.

Encryption in transit

TLS via Let's Encrypt for all web traffic. The Codec 8E ingest socket on port 5027 runs in a private network segment, and tracker traffic over 1NCE SIMs is constrained to our endpoint.

Per-tenant database isolation

Each customer workspace lives in its own MariaDB 11.4 database. A workspace cannot read or write any other workspace's data at the database level, not just at the application level.

EU hosting on Hetzner

The application and GPS ingest listener run on a Hetzner Cloud CPX22 instance in Nuremberg, Germany. Hetzner data centres are ISO/IEC 27001 certified. Data does not leave the EU.

Daily backups

Full application and database backups run daily and are retained for 14 days. Backups are encrypted at rest. We test restore procedures regularly.

Hashed passwords + MFA on admin

User passwords are stored with bcrypt. Time-based two-factor authentication is available to all users and required for super-admin (/bss) accounts.

Role-based access control

Granular permissions inside each workspace. Vehicles can be shared read-only via tokenised links. Audit logging records every administrative action.

Segregated OS users

The application runs under a non-root user managed by CloudPanel. Database, web and queue workers run with the minimum privileges they need.

Secrets out of source control

Credentials and API keys live in environment variables on the server, never in git. Access to the production server is keyed and limited to named operators.

CSRF + rate limiting

CSRF tokens on every state-changing form. Login, register and contact endpoints are rate-limited to slow credential-stuffing and abuse attempts.

Audit logging

Administrative actions, logins and security-relevant events are written to a tamper-evident audit log retained for at least 12 months.

Compliance

What we cover

Mapped to the standards procurement teams ask about. We do not claim what we cannot hold.

Standard	Status	Notes
EU GDPR	Compliant	We act as a processor for customer data. DPA ready to sign.
Bulgarian Personal Data Protection Act	Compliant	Local obligations covered. Registered with CPDP.
ISO/IEC 27001 (hosting)	Inherited	Hetzner Cloud data centres are ISO 27001 certified.
SOC 2 Type I (SimpleGPS)	Planned	Target: within the next 12 months.
PCI-DSS	Not in scope	Card data is handled entirely by Stripe - we never see PAN.

Stack

Trusted stack

The vendors behind the service. Full list and roles in subprocessors.

Hetzner Cloud

Hosting · EU region · ISO 27001

Stripe

Payments · PCI-DSS via processor

1NCE

IoT connectivity for tracker SIMs

Teltonika

Tracker manufacturer (FMB003/920, FMC003)

Cloudflare

DNS · TLS · DDoS protection

Documents

For procurement folder

Contact

Security questions, vulnerability reports, procurement support.

Enquiries: support@simplegps.bg
Vulnerabilities: support@simplegps.bg
Response SLA: 48 hours, business days
Disclosure window: 90 days, coordinated

Contact the security team