Security
Self-hosted, EU infrastructure, no vendor lock-in — the specifics, so your review doesn't need a call to get through it.
Last updated 10 July 2026
Overview
MakerToo runs its own infrastructure end to end rather than routing customer data through a stack of third-party SaaS vendors. That means fewer parties touch your data, and it means we can be specific about how each layer works instead of pointing at someone else's compliance page. This page documents the setup plainly. If something you need for a procurement review isn't here, email us — see Contact.
Infrastructure & data residency
All primary infrastructure is hosted in the EU. No IP addresses are published here — ask if your reviewer needs them under NDA.
| Component | Provider | Country |
|---|---|---|
| Application & primary database | Contabo | Germany |
| Mail infrastructure | Contabo / Hostinger | Germany / France |
| DNS & edge network | Cloudflare | Global edge, EU points of presence |
Enterprise and dedicated deployments run on an isolated instance and database per client — not a shared multi-tenant box — for organizations whose procurement policy requires it. Ask about dedicated hosting.
Tenant isolation
Every organization's data is scoped by tenant at the application layer, enforced centrally rather than trusted per route. That's backstopped by two independent checks we run against the live system, not just at design time:
- Database-level tenant isolation policiesas a backstop beneath the application layer — even a bug in application-level filtering can't leak another tenant's rows.
- An automated capability auditthat walks every API route in the codebase and confirms it's gated to the caller's own organization before it ships.
- A live isolation probethat authenticates as one tenant and attempts to read another tenant's real data over HTTP — any leak fails the check outright.
Backups & disaster recovery
Backups run nightly and ship off-box to a separate server, so a single machine failure can't take out both the database and its backups. Retention is spread across three tiers: 12 daily, 8 weekly, and 6 monthly snapshots.
We don't just trust that backups work — we test them. On a quarterly cadence, we restore a real production backup into a disposable scratch environment and time it. Our most recent drill restored a full production database (99 tables) in 23.2 seconds, with a clean, complete result. Live application and backup status: hub.makertoo.com/status.
Authentication & access control
Sessions use signed, httpOnly cookies; passwords are hashed and never stored in plain text. Two-factor authentication (authenticator-app TOTP) and passkeys (WebAuthn) are available on every account, and an organization owner can require two-factor for their whole team.
Role-based access control (owner / admin / member / viewer) governs who can read, write, or change settings — read-only "viewer" access is enforced centrally, not left to individual screens to get right. Authentication and other public-facing endpoints sit behind durable, persistent rate limiting that survives restarts and deploys, not an in-memory counter that resets on every release.
Monitoring & incident response
Errors and exceptions are captured by an error-tracking instance we host ourselves — we don't forward stack traces or request data to a third-party error-monitoring SaaS. Alerts route to our own on-call channel in real time.
AI & data processing
AI features (drafting, research, meeting transcription) are opt-in per organization. You can supply your own API key for any supported provider, or point the platform at a fully local model you host yourself — cloud AI is never a hard requirement to use the product. When cloud AI is enabled without a customer-supplied key, requests are processed by the provider your organization chose — see Subprocessors.
We do not use paid third-party data-enrichment vendors — no people-data resellers, no contact-unlock services. Email-pattern discovery is first-party and pattern-based, not purchased.
Procurement checklist
The common questions, answered directly, with a link to the evidence.
| Question | Answer | Evidence |
|---|---|---|
| Where is our data hosted? | EU only — Germany and France | Infrastructure |
| Is data isolated per tenant? | Yes — app-layer scoping, a DB-level backstop, and a live automated probe | Tenant isolation |
| Are backups actually tested? | Yes — quarterly restore drills, timed, into a disposable environment | Backups & disaster recovery |
| Is 2FA available and enforceable? | Yes — TOTP and passkeys, org owners can require it org-wide | Authentication |
| Do you use paid data-enrichment vendors? | No | AI & data processing |
| Who processes our data? | Listed by name, with purpose and location | Subprocessors |
| Is there a Data Processing Agreement? | Yes | DPA |
| Is there a live system status page? | Yes — public, no login required | hub.makertoo.com/status |
Subprocessors
Who we share data with, and why — depending on which modules your organization actually enables. Several rows below never see your data unless you turn the related feature on.
| Subprocessor | Purpose | Location | When |
|---|---|---|---|
| Contabo GmbH | Infrastructure hosting | Germany | Always |
| Hostinger | Infrastructure hosting (mail) | France / Lithuania | Always |
| Cloudflare | DNS & edge network | Global, EU points of presence | Always |
| Google Workspace | Company email | EU/US | Always |
| Wise | Payment processing | UK/EU | Only if invoicing/payments are used |
| Telegram | Internal operational alerting (our own ops team, not client-facing) | — | Internal use only |
| DeepSeek | LLM inference (drafting, research) | Outside the EU | Only if cloud AI is enabled and no customer key/local model is supplied |
| Groq | Meeting transcription | United States | Only if meeting transcription is enabled |
| Apify | Optional lead-sourcing | Czech Republic (EU) | Only if the sourcing module is enabled and used |
Invoice Ninja (invoicing) runs on infrastructure we operate ourselves — it is not a third-party processor. We'll notify customers of material changes to this list.
Contact
Questions about this page, or need something in writing for your security review? Email [email protected] — we typically respond the same business day.