Security
Last Updated: June 21, 2026
Security at Edka
Edka manages Kubernetes clusters on infrastructure in your own cloud account. That architecture is itself a security decision: your clusters and data live in accounts you own and control, not in a shared multi-tenant platform we operate on your behalf. This page explains what we secure, what stays with you, and how to reach us about security.
We’re developers, and we’d rather under-promise here than list controls we don’t run. If something below is unclear or you need detail for a security review, email security@edka.io.
Shared responsibility
Security is split between Edka and you. The short version:
Edka is responsible for
- Securing the Edka management platform, its APIs, and web interface
- Protecting your account credentials and the infrastructure credentials you entrust to us
- Encrypting data in transit and at rest within our platform
- Maintaining the Edka control plane and shipping security updates to our own code
You are responsible for
- Securing your cloud provider account with a strong password and 2FA
- Securing your Kubernetes clusters after provisioning — RBAC, network policies, workload updates
- Backing up your data and applications
- Compliance with the regulations that apply to your use case
The full breakdown, including shared areas like security updates and incident response, lives in our Terms of Service.
How we handle your credentials
To manage clusters on your behalf, Edka needs credentials for your cloud account. We treat these as the most sensitive data we hold:
- Encrypted at rest with AES-256, stored in a dedicated secret storage system separate from application data
- Used only to perform the operations you request
- Never shared with third parties
- Revocable by you at any time
- Short-lived where possible — some operations use tokens supplied for the duration of a single operation, which we do not store
You remain responsible for these credentials at the provider level, and you can disconnect your clusters from Edka and manage them directly in your cloud account whenever you want.
Platform security measures
We implement industry-standard measures across the platform:
- Encryption: Data is encrypted in transit (TLS 1.3+) and at rest (AES-256)
- Access controls: Role-based access with multi-factor authentication
- Regular reviews: Ongoing security reviews of our platform and dependencies
- Incident response: Active monitoring and defined response procedures
- Data isolation: Customer data is logically segregated; Enterprise plans can opt for physical isolation
No system is fully immune. If a breach occurs, we notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying incident, and affected users without undue delay where the risk to their rights is high, as required by GDPR.
Data location
By default, your data stays in the EU:
- Primary storage: EU data centers in Germany (Falkenstein, Nuremberg, Frankfurt) and Finland (Helsinki)
- Backups: Frankfurt (Germany) and St. Ghislain (Belgium)
When a transfer outside the EU is necessary, we rely on Standard Contractual Clauses and data minimization. Full detail is in our Privacy Policy.
Sub-processors
We use a small set of vetted providers to run Edka:
- Hetzner — infrastructure provider
- Cloudflare — DNS, WAF, secure employee access
- Google Cloud Platform — infrastructure provider
- AWS — infrastructure provider
- Paddle — merchant of record and payment processor
- Resend — transactional email
- Sentry — error tracking
- GitHub — version control
- Google Workspace — identity, email, documents
A Data Processing Agreement (DPA) is available on request — email privacy@edka.io.
Reporting a vulnerability
If you believe you’ve found a security issue in Edka, we want to hear from you.
- Email: security@edka.io
- Encryption: PGP key available at https://edka.io/pgp-key.txt
Please give us a reasonable window to investigate and remediate before any public disclosure. We don’t pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and report directly to us.
Compliance and roadmap
We’re transparent about where we are:
- GDPR and Spain’s LOPDGDD — compliant
- ePrivacy Directive — followed for cookies and electronic communications
- ISO 27001:2022 — certification in progress; we operate comparable measures today but are not yet certified
We’ll update this page as our posture matures. Questions? Email security@edka.io.
