Infrastructure & Hosting

• EU hosting: all data stored on servers in the Netherlands/EU
• TLS 1.3: all communication between your browser and our servers is encrypted
• Daily backups: automated backups with 30-day retention
• DDoS protection: via cloud infrastructure with built-in mitigation

Authentication & Access

• Passkeys (WebAuthn): passwordless login via biometrics or hardware token on all plans
• Hashed passwords: bcrypt hashing, never stored in plaintext
• Role-based access control: 7 permission levels (super admin to read-only)
• SSO (SAML/OIDC): available on Professional and Enterprise plans
• API tokens: per-user tokens with limited scope for REST API access

Application security

• CSRF protection on all forms and state-mutating endpoints
• SQL injection prevention via parameterised queries (Eloquent ORM)
• XSS protection via Blade template escaping and Content Security Policy headers
• Rate limiting on login and API endpoints
• Activity logging for all critical actions (Spatie Activity Log)

Responsible disclosure

Found a security vulnerability? Report it confidentially to info@ppmos.com. We will acknowledge your report within 48 hours and resolve the issue without legal action against responsibly disclosed vulnerabilities.