Security Policy

Responsible disclosure, vulnerability handling, and our commitment to the security of your data.

Last updated: March 2026

01 Vulnerability Disclosure Policy

InfoPeak values the security research community and welcomes responsible disclosure of vulnerabilities. If you discover a security issue in any InfoPeak service, we encourage you to report it to us.

Report a vulnerability

security@infopeak.io

For sensitive disclosures, please request our PGP public key.

02 Scope

The following services and assets are in scope for responsible disclosure:

  • infopeak.io — main application and website
  • auth.infopeak.io — authentication service
  • InfoPeak Pass — browser extension
  • InfoPeak VPN — mobile and desktop applications

03 Disclosure Guidelines

We ask security researchers to follow these guidelines:

  • Provide sufficient detail to reproduce the vulnerability.
  • Do not access, modify, or delete data belonging to other users.
  • Do not perform denial-of-service attacks or social engineering.
  • Allow reasonable time (90 days) for us to address the issue before public disclosure.

04 Response Timeline

  • 72 hours: We acknowledge receipt of your report.
  • 14 days: We provide an initial assessment and expected resolution timeline.
  • 90 days: We aim to resolve all confirmed vulnerabilities within this window.

05 Safe Harbor

InfoPeak will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, in accordance with this policy. We consider security research conducted under this policy to be authorized and will not initiate legal claims for circumventing technological measures where the research is conducted in compliance with this policy.

06 Incident Response & Breach Notification

In the event of a security incident or data breach, InfoPeak follows these procedures in accordance with NIS2 Directive (EU) 2022/2555 and GDPR Articles 33 and 34:

  • Within 24 hours: Early warning to the relevant national CSIRT (Computer Security Incident Response Team).
  • Within 72 hours: Full incident notification to the supervisory authority (GDPR) and CSIRT (NIS2), including scope assessment and mitigation measures.
  • Without undue delay: Affected users will be notified via email with clear information about the nature of the breach, data affected, measures taken, and recommended actions.
  • Within 1 month: A final report is submitted to the relevant authorities with root cause analysis and preventive measures.

07 Security Architecture

InfoPeak employs the following security measures as part of our commitment to the Cyber Resilience Act (CRA):

  • Encryption at rest: AES-256-CBC for all stored user data.
  • Encryption in transit: TLS 1.3 for all connections.
  • Zero-knowledge architecture: Personal encryption keys are derived client-side. InfoPeak cannot access your encrypted content.
  • EU-only hosting: All infrastructure located within the European Union.
  • Regular security updates: Dependencies and infrastructure are continuously monitored and updated.