
Security Policy for the Safety Software SaaS (Public Version)

ID: SE-2026-V1 Updated: 17.12.2025
Table of Contents
1. Purpose and Scope
2. Shared Responsibility Model
3. Application Security Principles
4. Backups and Business Continuity
5. Monitoring and Logging
6. Vulnerability Management
7. Vendors and Integrations
8. Incident Reporting
9. Compliance and Jurisdiction
10. Effective Date

Have legal questions?

legal@safetysoftware.eu

1. Purpose and Scope

This Security Policy sets out the rules for protecting information and data processed within the Safety Software application delivered in a Software as a Service (SaaS) model.
It applies to users of the application available at https://safetysoftware.eu and complements the Terms of Service and the Privacy Policy.

This Policy describes standards applied by Safety Software Sp. z o.o., Półłanki 80, 30-740 Kraków, Poland, KRS: 0001196649, NIP: 6793342803, REGON: 542821668 (the “Administrator” / “we”).


2. Shared Responsibility Model

The system follows a shared responsibility model:

  • Administrator (Safety Software): responsible for application-layer security (authentication, authorisation, session handling), data protection in the application, and incident response.

  • Infrastructure provider (ISO/IEC 27001 certified data centre): responsible for physical security of servers, power, network, platform backups, and infrastructure protection.

  • Customer: responsible for the security of devices, passwords and identities of its users, and internal access management.



3. Application Security Principles

  1. Transport encryption: all data in transit is protected using TLS (HTTPS).

  2. Sessions: secured with Secure, HttpOnly, SameSite=Lax and the __Host- cookie prefix in production; session ID is rotated after login.

  3. CSRF protection: each form contains a unique CSRF token that is validated server‑side.

  4. Brute‑force protection: login endpoints are protected with rate‑limiting and progressive delays.

  5. HTTP security headers:

    • Content-Security-Policy (CSP with nonces),

    • X-Frame-Options: DENY,

    • X-Content-Type-Options: nosniff,

    • Referrer-Policy: same-origin,

    • Permissions-Policy (limiting browser APIs).

  6. Data segregation: multi‑tenant isolation prevents access across customers.

  7. Data protection: all data in transit is encrypted; credentials (passwords) are stored using strong one‑way hashing (bcrypt).

  8. Authorisation: every operation runs in the authenticated user and organisation context; unauthorised access is blocked.

  9. CMS content protection: the WYSIWYG editor is admin‑only; HTML is server‑side sanitised and covered by CSP with nonces.
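The controls listed in this section can be checked on a real response. The following is an added example (not Safety Software's own code) that builds the production header set the policy names and audits an arbitrary response for the cookie attributes, the __Host- prefix rules, the CSP nonce and the fixed headers; the header names and values are the policy's, the cookie name `__Host-session` and the Permissions-Policy directives are assumptions.

```python
import re
import secrets

# Fixed headers and values named in section 3 of the policy.
EXPECTED_HEADERS = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "same-origin",
}

def secure_response_headers(session_id: str) -> dict:
    """Build the production header set described in section 3 with a fresh CSP nonce."""
    nonce = secrets.token_urlsafe(16)  # one nonce per response, never reused
    return {
        # __Host- binds the cookie to this exact origin: browsers only accept it
        # when Secure is set, Path=/ is present and no Domain attribute is given.
        "Set-Cookie": f"__Host-session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Content-Security-Policy": f"default-src 'self'; script-src 'self' 'nonce-{nonce}'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "same-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",  # assumed directives
    }

def audit_headers(headers: dict) -> list:
    """Return the section-3 controls a response fails to show (empty list = all present)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    attrs = [a.strip() for a in h.get("set-cookie", "").split(";")]
    name = attrs[0].split("=", 1)[0]
    flags = {a.lower() for a in attrs[1:]}
    for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
        if flag not in flags:
            findings.append(f"session cookie missing {label}")
    if not flags & {"samesite=lax", "samesite=strict"}:
        findings.append("session cookie missing SameSite")
    if not name.startswith("__Host-"):
        findings.append("session cookie lacks __Host- prefix")
    elif "path=/" not in flags or any(a.startswith("domain=") for a in flags):
        findings.append("__Host- cookie must have Path=/ and no Domain")
    if not re.search(r"'nonce-[A-Za-z0-9_+/=-]+'", h.get("content-security-policy", "")):
        findings.append("CSP missing a nonce")
    for key, value in EXPECTED_HEADERS.items():
        if h.get(key, "").strip().lower() != value.lower():
            findings.append(f"{key} should be {value}")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings
```

Running `audit_headers` against the headers of a live sign-in response is a quick way to verify that a deployment still matches points 2 and 5 after a release.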



4. Backups and Business Continuity

  1. Platform‑level backups are performed by the hosting provider according to its ISO/IEC 27001‑aligned policies.

  2. The Administrator performs periodic restore tests.

  3. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined internally and reviewed at least annually.



5. Monitoring and Logging

  1. Critical events are logged: sign‑ins, failed access attempts, data exports, report generation, and permission changes.

  2. Logs are stored securely with access restricted to authorised administrators.

  3. Logs do not contain full personal data or raw form contents.



6. Vulnerability Management

  1. Application and dependency updates are released regularly with priority for security fixes.

  2. Each release undergoes regression testing and open‑source component review.

  3. Discovered vulnerabilities are risk‑classified and remediated without undue delay.



7. Vendors and Integrations

  1. Stripe Payments Europe Ltd and PayPro S.A. (Przelewy24) process payments – card data is not processed by Safety Software.

  2. Google Analytics / Search Console are used for statistical/SEO purposes; Analytics operates only in line with user consent settings.

  3. Fonts and frontend components (Bootstrap, icons, fonts) are served locally from the vendor directory – no third‑party CDNs are contacted.

  4. Accounting services are provided by a trusted processor under a GDPR Article 28 agreement.



8. Incident Reporting

Report security concerns or suspected incidents to:
office@safetysoftware.eu (subject: SECURITY).
Reports are triaged promptly under an internal incident response procedure.



9. Compliance and Jurisdiction

  • The application and security processes comply with GDPR requirements and align with ISO/IEC 27001 principles at the organisational level.

  • Polish law governs this Policy; disputes fall under the jurisdiction of Polish common courts.

  • In case of any discrepancies between language versions, the Polish version prevails.



10. Effective Date

This Security Policy is effective from 1 November 2025.
The current version is available at https://safetysoftware.eu/en/security-policy.


Administrator / System Owner:
Safety Software Sp. z o.o.
Półłanki 80, 30‑740 Kraków, Poland
E‑mail: office@safetysoftware.eu
Website: https://safetysoftware.eu

© 2026 Safety Software Sp. z o.o.