Last Updated: 2026-04-12
At dbl9 GmbH ("dbl9"), security is fundamental to our operations. This Security Overview describes the technical and organizational measures we implement to protect the dbl9 Platform, its services, and customer data.
This document is for informational purposes and does not create any contractual obligations beyond those set forth in the dbl9 Terms of Service, Data Processing Addendum, and Service Level Agreement.
1. SECURITY ARCHITECTURE
1.1. Infrastructure
- Hosting: The Service is hosted on AWS infrastructure in EU (Frankfurt).
- Data Residency: Customer Data is stored in the EU region (Frankfurt) by default. Other regions may be available upon request.
- Network Security: Our infrastructure employs firewalls, intrusion detection/prevention systems, DDoS mitigation, and network segmentation to protect against unauthorized access and attacks.
- Redundancy: Multi-availability zone deployment with automatic failover.
1.2. Encryption
- Data in Transit: All data transmitted between Customer and the Service is encrypted using TLS 1.2 or higher.
- Data at Rest: All Customer Data stored within the Service is encrypted using AES-256 encryption or equivalent.
- Key Management: Encryption keys are managed using AWS Key Management Service with regular key rotation.
1.3. Access Controls
- Authentication: The Service supports email/password authentication with multi-factor authentication (MFA), as well as single sign-on (SSO) via SAML 2.0 and OIDC.
- Authorization: Role-based access control (RBAC) is implemented to ensure users have access only to the resources required for their role.
- Administrative Access: dbl9 employee access to production systems is restricted on a need-to-know basis, requires multi-factor authentication, and is logged and audited.
2. APPLICATION SECURITY
2.1. Secure Development
- dbl9 follows a Secure Software Development Lifecycle (SSDLC) that includes security requirements analysis, threat modeling, secure coding practices, code reviews, and security testing.
- Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are performed regularly.
2.2. Vulnerability Management
- Regular vulnerability scans and penetration tests are conducted by qualified internal teams and/or third-party security firms.
- Identified vulnerabilities are triaged, prioritized, and remediated in accordance with severity-based timelines.
- dbl9 maintains a responsible disclosure program. Security researchers may report vulnerabilities to security@dbl99.de.
2.3. Dependency Management
- Third-party libraries and dependencies are monitored for known vulnerabilities and updated regularly.
3. OPERATIONAL SECURITY
3.1. Monitoring and Logging
- Comprehensive logging of security-relevant events, including authentication attempts, access to sensitive data, administrative actions, and system changes.
- Logs are retained for 12 months and protected against tampering.
- Security monitoring and alerting systems operate 24/7 to detect and respond to potential threats.
3.2. Incident Response
- dbl9 maintains a documented incident response plan that defines roles, responsibilities, procedures, and escalation paths.
- Security incidents are classified, investigated, contained, and remediated in accordance with the plan.
- Customers are notified of Personal Data Breaches in accordance with the Data Processing Addendum and applicable law.
3.3. Business Continuity and Disaster Recovery
- dbl9 maintains business continuity and disaster recovery plans that are tested at least annually.
- Recovery Point Objective (RPO): 1 hour
- Recovery Time Objective (RTO): 4 hours
- Regular backups are performed and stored in geographically separate locations.
4. PERSONNEL SECURITY
- Background checks are conducted on all dbl9 employees and contractors with access to production systems or Customer Data, in accordance with applicable law.
- All employees receive security awareness training upon hire and at least annually thereafter.
- Access to systems and data is revoked promptly upon termination of employment or change of role.
5. COMPLIANCE AND CERTIFICATIONS
dbl9 maintains the following certifications and compliance attestations:
- GDPR compliance
- ISO 27001 (planned)
- SOC 2 Type II (planned)
Copies of relevant certifications and audit reports are available to customers under NDA upon request at security@dbl99.de.
6. AI-SPECIFIC SECURITY
6.1. Model Security
- AI models are hosted within dbl9's secure infrastructure and are subject to the same access controls and security measures as other Service components.
- AI models serve multiple customers but maintain strict data isolation; no customer data is retained in model memory between sessions.
6.2. Data Isolation
- Customer Data submitted to AI Features is logically isolated and not used to train general-purpose models without explicit consent.
- Customer Data is logically isolated in processing pipelines and is not shared across customers.
6.3. Output Safety
- AI Features include safety measures designed to prevent the generation of harmful, illegal, or inappropriate content.
- Multi-layer safety system including input validation, output filtering, and abuse detection.
7. REPORTING SECURITY ISSUES
To report a security vulnerability or concern, please contact:
Email: security@dbl99.de
dbl9 is committed to working with security researchers and will not take legal action against individuals who discover and report security vulnerabilities in good faith.
dbl9 Security Overview v1.0