Trust Center
Introduction
URIports B.V. provides a unified platform for monitoring the security, health, and configuration of domains. Covering email security, website security, and domain and infrastructure monitoring, it collects and analyzes reports from mail servers, browsers, and other internet-facing systems to help organizations identify configuration issues, policy violations, certificate problems, authentication failures, and other security-relevant events. For a complete overview of our platform and features, please visit our website.
URIports is operated by a team of security professionals and software engineers based in the Netherlands and subject to European Union data protection laws. Security, privacy, and operational resilience are core principles that guide both the design of our platform and our day-to-day operations.
Privacy and data minimization are built into URIports from the ground up. We collect as little personal data as possible, use it only to deliver the service, and never sell or repurpose it. Your data always remains yours, and we actively remove or anonymize anything that may contain personal data.
This Trust Center is designed to support vendor risk assessments, security reviews, compliance evaluations, and due diligence processes. It provides transparency into our security controls, data handling practices, operational procedures, and compliance commitments.
Privacy and Data Handling
Handling of Potential Personal Data
While the platform is not designed to process personal data, certain report types (such as DMARC failure reports) may incidentally contain sensitive information.
URIports applies strict data minimization:
- Message bodies are removed
- Personal data is stripped from headers where possible
- URL query parameters are removed from reports
- Message bodies and headers are only retained if the customer provides a PGP public key for encryption; otherwise this data is stripped
This ensures that only the customer can access sensitive report content when required.
Data Retention
Customer data is retained only for the duration of the active subscription and in accordance with the configured retention period.
- Data is retained for up to 90 days, depending on the retention settings of the subscription
- Data is automatically deleted after the applicable retention period
- Upon termination of the subscription, customer data is removed from the platform within a reasonable timeframe
- No long-term storage or reuse of customer data takes place beyond service delivery requirements
This approach ensures strong data minimization and controlled data exposure.
Legal and GDPR Position
URIports provides the following documents:
- Terms of Service: https://www.uriports.com/terms
- Privacy Policy: https://www.uriports.com/privacy
- Data Processing Agreement (DPA): https://www.uriports.com/dpa
URIports acts as data processor (or sub-processor where applicable) under GDPR. The customer acts as data controller. We process data solely to deliver the service and provide reasonable assistance for your GDPR compliance obligations.
Certifications and Compliance
URIports does not currently hold formal third-party certifications such as ISO 27001 or SOC 2, and there are no concrete plans to pursue these in the near term.
Instead, our security posture is built around:
- A privately operated, GDPR-compliant infrastructure based in the Netherlands
- A deliberately minimal scope: by design, we do not process business or end-user personal data beyond what is technically necessary
- Internal security practices (access control, encryption, monitoring, and change management) that align with the spirit of common frameworks, even without formal certification
Infrastructure and Hosting
URIports runs on privately owned servers in a GDPR-compliant datacenter in the Netherlands. We do not rely on public cloud providers for any core services, giving us full infrastructure control and a predictable security posture.
Security Architecture
Environment Segregation
- Production, staging, and development environments are fully separated
- Databases are segregated per environment
Network Security
- Hardware firewalls
- Intrusion detection systems
- DDoS protection
Encryption
- All traffic secured via TLS (HTTPS)
- Backups are encrypted
- Sensitive report data is removed or encrypted
Access Control
- Role-based access control (RBAC) is applied across all systems
- Principle of least privilege enforced
- Multi-Factor Authentication (MFA) required for all privileged access
- Strong password policies enforced for all accounts
- Rate limiting applied to authentication endpoints
- Only company-managed, encrypted devices are permitted
Development and Change Management
- All changes require peer review before deployment
- Releases follow a controlled change management process
- Secure coding practices are applied throughout development
- Automated vulnerability scanning is performed on all dependencies
Monitoring and Incident Management
Systems and logs are actively monitored, covering user activity, administrative actions, and system events, with alerts generated for anomalies. We have clearly defined internal incident response procedures focused on rapid detection, mitigation, and communication where relevant.
Backup and Recovery
Backups are performed daily and are encrypted, and restore procedures are regularly tested to ensure data integrity and reliable recovery.
Vulnerability and Patch Management
- Security patches applied quickly and regularly
- Priority given to critical vulnerabilities
- Continuous monitoring of dependencies
- Ongoing improvement of security posture
- Security testing relies on continuous automated vulnerability and dependency scanning
Endpoint Security
All staff use company-managed devices with full disk encryption and endpoint protection. No personal or unmanaged devices are used to access production systems.
Third-Party Risk
Our only external service provider is Paddle (payment processing). Core infrastructure is entirely self-managed, which significantly reduces supply chain exposure.
Service Levels and Availability
- URIports does not currently offer a formal Service Level Agreement with guaranteed uptime percentages
- We make commercially reasonable efforts to keep our Services operational 24 hours a day, seven days a week
- This is consistent with the Service Level section of our Terms of Service
Business Continuity
Our infrastructure is built for operational resilience, with active monitoring, tested recovery procedures, and encrypted daily backups. Our backup cadence supports a recovery point of up to 24 hours, and recovery procedures are tested regularly to ensure reliable restoration.
Applicability of Standard Security Requirements
URIports processes technical reporting data, not business or end-user personal data. As a result, some controls in standard security questionnaires designed for PII-heavy environments may not directly apply. We are happy to clarify our position on any specific requirement on request.
Contact
We hope this overview gives you a clear picture of how URIports approaches security, privacy, and compliance. If you have additional questions, need more detail on any of the topics above, or require information for your own vendor risk assessment, please reach out to our helpdesk.