Gingerbread · Security

Page last reviewed Apr 14, 2026

Your books. Locked up properly.

No SOC 2 theater. No "bank-grade encryption" in 60-point type. This page explains, in plain words, what we actually do with your data, where it lives, and the things we haven't gotten around to yet.

Transit: TLS 1.3, HSTS preload
At rest: AES-256, per-tenant keys
Backups: Encrypted, 2 regions, daily
Last drill: Restore succeeded · Apr 9

Zero breaches, ever. Since Nov 2018.
4 hr RTO target. Recovery time. Tested monthly.
99.94% uptime in 2025. Including the Frankfurt region outage.
< 24h vuln response. From triaged report to patch in testing.
What we actually do

Six things, done properly.

Instead of a wall of logos, here's what happens to your data from the moment it leaves your browser to the moment we restore it at 3am on a Tuesday.

01 · In transit

Encrypted between your browser and ours.

Everything that leaves your machine runs over TLS 1.3. We're on the HSTS preload list, so even a bookmark you typed in 2019 upgrades to https before the connection opens. Certificates auto-rotate every 60 days through Let's Encrypt. Our cipher suites are the ones Mozilla calls 'modern,' and we cut off TLS 1.1 in 2023.

TLS 1.3 on all endpoints, TLS 1.2 as a floor
HSTS preload, 2-year max-age
Certificate Transparency monitored
HTTP/2 + HTTP/3 on the edge
02 · At rest

Encrypted on disk. Per-tenant keys.

Your invoices, clients, attachments, and time entries are encrypted with AES-256 before they touch the database. Every workspace has its own key, derived from a master key that lives in AWS KMS. If a disk image leaked, an attacker would get ciphertext and a shrug.

AES-256-GCM, per-workspace keys
Master key in AWS KMS, never exported
Database backups encrypted with separate keys
File attachments stored in S3, SSE-KMS
03 · Who can see your data

Bruno. On purpose, when you ask.

Three humans have production access: Bruno, Marta (ops), and Carl (on-call backup). Every access event is logged, signed, and emailed to the other two. If you open a support ticket and we need to look at your workspace, we ask first, in the ticket, in writing. You can say no. Most problems don't actually need us to look.

3 named humans, no contractors
Hardware-key 2FA required for every tool
Every prod access logged to an append-only audit store
Workspace access requires your explicit ticket consent
04 · Backups & recovery

Daily, encrypted, in two regions.

Databases snapshot every 6 hours; file storage replicates continuously. Backups land in us-east-1 and eu-central-1, encrypted with keys not used for anything else. On the second Tuesday of every month we restore the production database into a blank environment from cold storage. If it doesn't boot, we don't leave until it does.

6-hour database snapshots, 90-day retention
Continuous S3 cross-region replication
Monthly restore drill, logged publicly
Point-in-time recovery to any second, last 7 days
05 · Where it runs

Hetzner for compute. AWS for storage.

Gingerbread (hosted) runs on dedicated Hetzner servers in Falkenstein and Helsinki. We picked Hetzner because it's cheap, fast, and run by engineers instead of MBAs. Long-term storage, backups, and the secrets layer sit in AWS, because some things you want boringly conservative. Data residency is EU by default, or US if you pick that region at signup.

Hetzner (DE, FI) primary compute
AWS S3 + KMS for storage & secrets
No third-party analytics on authed pages
Region choice at signup, migratable later
06 · The code itself

Small team, quiet dependencies.

Gingerbread is ~54k lines of PHP and ~18k lines of TypeScript. We depend on 31 direct npm packages and 22 composer packages. We read every changelog before we bump a version. Dependabot opens PRs, we merge them, CI runs a Semgrep pass, Playwright re-runs the critical-path tests, and we ship.

Pinned dependencies, reviewed weekly
Semgrep on every PR, blocking
Playwright covers the 40 most-hit flows
No external trackers, pixels, or session replay
Being honest

What we haven't done yet.

Every other security page pretends these don't exist. We'd rather you know up-front so you can make the call.

No SOC 2 report.

Coming late 2026

We'd spend $50k a year so three employees of a large bank could ignore it. When we hit 500 business customers we'll start the Type I. Email us if you need the letter in the meantime. We'll work with you.

No HIPAA BAA.

Not planned

Gingerbread isn't built for protected health information. If you're a therapist invoicing for sessions, you're fine. If you're storing diagnostic notes in client fields, please don't.

No SSO/SAML yet.

In staging

Regular 2FA works. SAML is built and sitting in staging. It'll ship when we find five customers who actually want it. If that's you, reply to any email.

No bug bounty yet.

Ad-hoc for now

We pay researchers case-by-case through the report form. A proper program is on the list once we figure out the triage bandwidth. In 2025 we paid out $8,400 across 11 reports.

Incident history

The whole log. No redactions.

Every incident, drill, and dependency patch worth talking about since we started publishing this log in March 2024.

Drill · Monthly restore drill
Apr 9, 2026

Production database restored into a blank environment from cold storage. 2h 14m, clean boot.

Patch · CVE-2026-0094 in libpng
Feb 18, 2026

Dependency bumped within 6 hours of advisory. No exposure in our uploader, patched preemptively.

Incident · Frankfurt region outage, 47 min
Jan 3, 2026

Hetzner network flap. Traffic failed over to Helsinki automatically. Total user-visible downtime: 47 minutes on EU workspaces.

Disclosure · Reflected XSS in invoice preview
Nov 21, 2025

Reported via the form, triaged in 40 min, patched within 18 hours. $1,200 paid to researcher. Postmortem published.

Patch · Dependency audit, clean quarter
Aug 6, 2025

Ran a full dependency review, dropped 4 transitive deps, no findings.

Drill · Key rotation drill
Mar 14, 2025

Rotated the per-workspace master key. Zero customer impact, ~3 min of elevated tail latency.

Data handling

What we store, where, and for how long.

No dark patterns. If you want any row deleted, email us and we'll confirm in writing once it's gone.

Business data (invoices, clients, tasks, time)
  Where it lives: Encrypted in your workspace DB
  Kept for: Until you delete it, or 30 days after account closure
  Who can see it: You. Your teammates. Us only with ticket consent.

File attachments
  Where it lives: S3, SSE-KMS, per-workspace bucket prefix
  Kept for: Same as business data
  Who can see it: Same. Never indexed, scanned, or used for ML.

Payment info
  Where it lives: Never touches our servers. Stripe tokenizes it at the browser.
  Kept for: Stripe's policy. Not ours.
  Who can see it: We see last four, brand, and expiry. That's it.

Support emails & tickets
  Where it lives: Fastmail (EU), separate from the product DB
  Kept for: 3 years, then archived
  Who can see it: Bruno, Marta. Redacted after 90 days unless needed.

Login & session logs
  Where it lives: Product DB, hashed IP, 90-day TTL
  Kept for: 90 days
  Who can see it: You can see yours in Settings → Security.

Web analytics
  Where it lives: We run Plausible on the marketing site only.
  Kept for: Aggregated, 24 months
  Who can see it: No cookies, no fingerprinting, no tracking on authed pages.

Export whenever you want. Settings → Data → Export. You get a zip with JSON, CSV, and every attachment. Portable by design.
Disclosure policy

Found something? Write to us.

Give us a reasonable window (usually 90 days) before going public. In return you'll get a human reply within a business day, credit in the changelog, and a payout if the finding was material.

Email: security@gingerbreadapp.com (for anything sensitive)
PGP key fingerprint: 4A92 FB01 8C37 6D2E · F0EA 1C8B 9D5A 7744
Last payouts: $1,200 · $800 · $450 · $2,400 · $500
Scope: gingerbreadapp.com + *.gingerbreadapp.com, no DoS, no social
Report a vulnerability

Please don't test against real customer accounts. Email security@gingerbreadapp.com and we'll spin up a test workspace for you.
We're finishing the submission pipeline for this form. Until then, please email security@gingerbreadapp.com directly.

If your books matter, host them yourself.

The self-hosted version runs on your server, with your backups, behind your firewall. If a security team has to sign off, this is usually the easy answer.

Self-hosted, $199 · Ask us anything