Asamano

Security

Learn how Asamano protects your data and maintains compliance with EU cybersecurity regulations.

Data Protection

All data is encrypted in transit using TLS 1.2+ and encrypted at rest. Your information is protected with organization-level security through Row-Level Security (RLS) policies, ensuring strict data isolation between organizations. Only authorized users within your organization can access your data.

Authentication & Access Control

Asamano supports multi-factor authentication (MFA) with TOTP-based authenticator apps. Role-based access control ensures users only have access to features appropriate for their role. All authentication tokens are verified server-side using JWT validation. Login attempts are rate-limited and monitored.

Compliance

Asamano is committed to compliance with EU regulations: • GDPR — We process personal data lawfully, transparently, and for specific purposes. Users can request data export or deletion at any time. • Cyber Resilience Act (CRA) — As required by Regulation EU 2024/2847, we maintain a vulnerability handling process, generate Software Bills of Materials (SBOM), and commit to reporting actively exploited vulnerabilities to ENISA within 24 hours. • CE marking compliance timeline — By December 11, 2027, in accordance with CRA deadlines.

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly: • Email: security@asamano.com • See our security.txt file for structured reporting information We commit to acknowledging reports within 24 hours and providing an initial triage within 72 hours. Critical vulnerabilities are addressed within 30 days. We follow a coordinated disclosure policy and recognize researchers who report valid findings.

Supply Chain Security

We take software supply chain security seriously: • SBOM — A Software Bill of Materials in CycloneDX format is generated for every release, documenting all dependencies. • Dependency scanning — Automated vulnerability scanning runs on every pull request using Aikido (SAST, SCA, secrets detection) and npm audit. • License compliance — Automated checks prevent introduction of high-risk copyleft licenses. • All dependencies are triaged individually for production reachability before remediation.

Infrastructure

Asamano is hosted on infrastructure within the EU/EEA: • Web application hosted on Vercel with edge delivery • Backend services powered by managed cloud infrastructure with automatic scaling • Automated CI/CD pipeline with security gates (linting, type checking, testing, vulnerability scanning) • All API endpoints are authenticated and rate-limited • QR codes themselves do not expose sensitive information — scanning requires authentication

security.txt

In accordance with RFC 9116, we publish a security.txt file to make it easy for security researchers to report vulnerabilities.

/.well-known/security.txt

© 2026 Asamano. All rights reserved.

We use cookies to measure traffic and improve our advertising. You can accept or decline tracking. Privacy Policy