What we do with your data, your code, and your secrets.

Identity and registration

Stacklane is a Dutch limited company (BV) registered with the Kamer van Koophandel. Every contract, invoice, and DPA is issued under this entity. We have no offshore parent and no shell intermediaries.

Jurisdiction

Netherlands (EU member state, AVG / GDPR applicable)

Tax

EU reverse-charge for B2B clients outside NL. BTW invoiced in NL.

Audit trail

All invoicing through a single Dutch accounting partner.

Data handling

We work on your repo, your data, your accounts. Production data stays in your environment by default. When we need realistic data to debug, we use anonymised dumps or scrubbed snapshots provided by you, never raw exports. We do not ship data outside your stack.

Data residency

Your data stays in your cloud accounts. We hold no production copies.

Anonymisation

PII scrubbed at source before any engineer access.

Retention

30 days for any debug snapshots in our ticketing system, then wiped.

Right to be forgotten

Per-subject deletion within 30 days of your request.

Encryption and secrets

Secrets travel through a single, audited path: your secret manager. We use vault-backed integrations (1Password, Bitwarden, Doppler, AWS Secrets Manager) and never store credentials in plaintext, in repos, or in chat. Code in transit is encrypted end-to-end via your SCM.

In transit

TLS 1.3 on every external integration.

At rest

Disk encryption on all engineer machines (FileVault / LUKS / BitLocker).

Secrets

Stored only in your vault. Engineer access is just-in-time, scoped, time-boxed.

Key rotation

All shared keys rotated on engagement end and on engineer offboarding.

Authentication and access

Engineer access to your systems is identity-scoped, MFA-required, and revoked on engagement end. We prefer SSO + SCIM provisioning into your identity provider so your team controls the lifecycle. Hardware keys are standard on every Stacklane engineer device.

Identity

Per-engineer accounts in your SSO. Shared accounts are refused.

MFA

Hardware security keys (YubiKey or similar) for every engineer.

Provisioning

Just-in-time SCIM when supported, manual with logged approvals otherwise.

Offboarding

Access revoked within 4 working hours of engineer rotation or engagement end.

Sub-processors

The third-party services Stacklane uses to run the business. We list every sub-processor with the data category, region, and a link to the relevant DPA. No exceptions, no hidden processors.

Incident response

If we detect or are notified of a security event involving your data or systems, you hear from us within 24 hours with what we know, what we've contained, and what we're investigating. You hear from us again within 72 hours with a written post-incident report.

Notification SLA

Initial notice within 24h. Written report within 72h.

Escalation path

hello@stacklane.co routes to the founder + on-call senior engineer.

Customer comms

We support your AVG / GDPR notification to authorities and data subjects.

Post-incident

Written root cause, changes shipped, and dates, shared with you.

Compliance posture

We tell you what we're certified on, what we're not, and what's in progress. No hand-waving. AVG / GDPR is in scope on every engagement; SOC 2 Type II is in progress, with target Q4 2026; ISO 27001 is not currently certified. NEN 7510 vocabulary is fluent on healthcare engagements.

AVG / GDPR

Full. DPA signed before any data access. EU jurisdiction by default.

SOC 2 Type II

In progress, audit window opens Q3 2026, report targeted Q4 2026.

ISO 27001

Not currently certified. We map controls 1:1 on request for procurement reviews.

NEN 7510

Vocabulary fluent for healthcare engagements. Not formally certified.

HIPAA

BAA available for US healthcare engagements on request.