Your stack runs on your cloud. Here is how we protect everything in between.

Run your own scans:

• SSL Labs (Qualys) - current TLS configuration grade
• Mozilla Observatory - HTTP security headers score
• Hardenize - full domain hardening report

• TLS 1.2 and TLS 1.3 only. Legacy TLS 1.0 / 1.1 and SSLv3 are disabled.
• Strong cipher suites only. No RC4, no CBC ciphers, no export-grade ciphers, no anonymous DH.
• HSTS preload header: max-age=31536000; includeSubDomains; preload. try.direct is in the Chrome HSTS preload list, so browsers refuse to load it over plain HTTP even before a redirect.
• Let's Encrypt certificates auto-renew before expiry. Certificate transparency logs publish every issuance.
• Common TLS vulnerabilities (Heartbleed, POODLE, BEAST, CRIME) confirmed mitigated on the most recent scan.

• Each deployment gets its own scoped Vault token. Deployments cannot read each other's secrets.
• Vault is not exposed to the public internet. Service access is mediated by the platform's internal network only.
• Cloud credentials never reach the deployed stack. The provisioning step uses your cloud API token, then discards it. Your application containers do not hold DigitalOcean, Hetzner, AWS, or Linode credentials.

• OAuth2 sign-in with Google or GitHub - no password to phish.
• Two-factor authentication - TOTP (Google Authenticator, 1Password, Authy) and email one-time-passcode supported.
• Role-based access control - users, teams, and admin roles are isolated.
• OAuth2 access tokens are short-lived and rotated automatically.

• Card payments are processed by Stripe on Stripe-hosted checkout. Card data never touches TryDirect servers.
• PayPal payments are processed by PayPal on PayPal checkout pages, with the same isolation.
• Because card data never enters our environment, TryDirect qualifies for the simplest PCI DSS self-assessment level (SAQ-A). The formal attestation is in progress.

• Each customer's stack deploys to their cloud account, not to shared TryDirect infrastructure. There is no multi-tenant noisy-neighbour risk because there is no shared runtime to share.
• Status Panel— the on-server TryDirect agent that monitors container health, ships logs to the dashboard, and executes governed deployment commands. All Status Panel requests are HMAC-signed with replay protection and limited to an explicit command allowlist.
• SSH credentials for deployed servers are stored per-deployment in Vault, not on the TryDirect operator team's laptops.

• Application errors are tracked in Sentry (frontend and backend). PII is filtered before transmission.
• Infrastructure uptime and host metrics are monitored by Zabbix.
• User-facing events (logins, password resets, deployments) are written to an immutable activity log per user.
• All third-party processors are listed publicly in the sub-processors section below.

Data controller: WEB DIRECT SRL, Calea Ieșilor 8, of.3, Chișinău, MD-2069, Moldova.

• GDPR-aligned. We act as a data processor for customer-provided data and as a data controller for account data. Full details: Privacy Policy.
• Data Processing Agreement - the DPA is published. A countersignable PDF version is available on request from privacy@try.direct.
• Data subject requests (export, deletion) are handled within 30 days of receipt.

Sub-processors

Services that process customer data on TryDirect's behalf:

• Stripe - card payment processing
• PayPal - alternative payment processing
• Mailjet - transactional email delivery
• AWS SES - secondary email delivery
• Sentry - application error tracking
• Google Analytics 4 - anonymised traffic analytics
• Hetzner Online GmbH - hosting the TryDirect platform (Germany)
• Cloud providers- Hetzner, DigitalOcean, Linode, Vultr, Contabo, AWS, Oracle Cloud - only on customer instruction, deploying to the customer's own account.

• Email security@try.direct
• Acknowledgement within 48 hours
• Triage and fix plan within 7 days for confirmed high-severity issues
• Public credit on request after the fix ships

A security.txt file documents this contact in the format defined by RFC 9116.

• 2026 - self-administered penetration test completed against the public surface (information gathering and configuration review phases). Findings are tracked and being remediated on a published cadence.
• Anti-CSRF, anti-clickjacking, and content-type sniffing protections are enabled platform-wide.
• Backup files, .env files, .git directories, and dotfiles are not served by the web tier (verified by independent scan).

• PCI DSS SAQ-A self-attestation published.
• CSA STAR Level 1 - public Cloud Security Alliance self-assessment listing.
• Third-party penetration test with published summary.
• ISO 27001 certification - EU-focused information security management standard.
• SOC 2 Type II - US-focused operational controls audit.
• Public bug bounty program - recognition first, monetary rewards later.