Security

Last updated:

A summary of the technical and organisational measures Teksta has implemented under GDPR Article 32.

Encryption in transit

TLS 1.2 or higher is enforced on all customer-facing endpoints, with HSTS enabled.

Access control

  • Every API request is authenticated and authorised server-side, with row-level access rules scoped per organisation so customers cannot see each other’s data.
  • Staff access to production resources is limited to authorised personnel with two-factor authentication.

Network and infrastructure

  • The web frontend is served from a global edge with WAF protection.
  • Anti-bot protection guards signup and password reset.
  • Application services run on Hetzner in Germany. They are not exposed on public ports; all inbound traffic terminates at a reverse proxy that handles TLS and routing.

Email authentication

  • SPF, DKIM, and DMARC are configured for teksta.no.
  • Outbound email — both transactional and personal — is signed with a DKIM signature aligned to teksta.no.
  • DMARC reports are collected and reviewed.

Logging and monitoring

Errors, traces, metrics, and application logs are collected on Teksta-controlled, self-hosted observability infrastructure. They are used only to operate the service and are not designed to capture personal data.

Backup and recovery

  • The database is backed up daily with a 14-day retention window.
  • Object-storage deletions take effect immediately at the object layer; there is no per-object version history.

Secure development

  • Source control is protected by required code review on the main branch.
  • Continuous integration runs lint, type-check, and tests on every change.
  • Dependencies are updated automatically.
  • Secrets are stored in a managed secrets store, not in source control.

Subprocessor management

The current list is published at /blog/INT/en/legal/subprocessors/. Each subprocessor is selected for GDPR compliance and EU data residency where feasible. New non-EEA subprocessors are added only after a documented Transfer Impact Assessment.

Data minimisation

  • Audio is retained only as long as needed to deliver the user’s content; see our Privacy Policy §7 for details.
  • Analytics run on an EU instance. Persistent identifiers are blocked until the user grants consent through the cookie banner.
  • Prompts to LLM providers include only the minimum necessary text; bulk audio is never sent.

Incident response

We follow a documented incident-response procedure. Personal-data breaches are notified to Datatilsynet within 72 hours where required, and to affected B2B customers within 48 hours of becoming aware.

Certifications and audits

Teksta does not currently hold independent SOC 2 or ISO 27001 certification. We rely on the certifications of our infrastructure providers and on the public description of our practices on this page. Independent certification is on our roadmap as the company grows.

Reporting a security concern

Vulnerability reports and security questions can be sent to privacy@teksta.no. We respond to security reports promptly and acknowledge responsible disclosure.