Security

How we protect your data and keep Ewig secure.

Your wedding details, guest information and personal data deserve strong protection. This page outlines the measures we take to keep Ewig and your information safe.

1. Authentication

Ewig uses passwordless authentication via email-based one-time passcodes (OTP). This means there are no passwords to steal, leak or phish. Each login generates a unique code sent to your verified email address that expires after a short time.

2. Data encryption

• In transit: All connections use TLS (HTTPS), encrypting data as it travels between your device and our servers.
• At rest: Data stored in our database is encrypted at rest using AES-256 encryption provided by our infrastructure provider.
• Backups: Database backups are encrypted and stored securely with restricted access.

3. Payment security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Your credit card numbers, bank details and TWINT credentials never touch our servers. Stripe handles all sensitive financial data in their secure, certified environment.

4. Access control

Access to systems and data follows the principle of least privilege. Only authorised personnel with a specific need can access production data. Role-based access control (RBAC) is enforced at the database level through PostgreSQL Row Level Security (RLS), ensuring couples only see their own data, vendors see only their assignments, and planners access only their assigned events.

5. Infrastructure and hosting

• Application hosting: Vercel, with automatic HTTPS, DDoS protection, and global edge distribution.
• Database: Supabase (PostgreSQL), hosted in EU data centres with automated backups and point-in-time recovery.
• Rate limiting: Upstash Redis protects against brute-force and abuse.

6. Monitoring and incident response

We monitor our systems for anomalies and suspicious activity. In the event of a security incident that affects your data, we will:

• Investigate and contain the issue promptly
• Notify affected users without undue delay
• Report to the Swiss FDPIC and other authorities where required by law
• Take corrective measures to prevent recurrence

7. Your role in security

You can help keep your account secure by:

• Keeping your email account secure (this is your key to Ewig)
• Not sharing OTP codes with anyone
• Logging out on shared or public devices
• Reporting any suspicious activity to us immediately

8. Responsible disclosure

If you discover a security vulnerability in Ewig, we encourage you to report it responsibly. Please contact us at legal@ewig.app with details of the issue. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

9. Contact

For security-related questions or to report a concern, contact us at legal@ewig.app.