Security Policy
This document describes the security practices in place at Firstversionist B.V. (trading as Polypane). Given that Polypane is a single-person company, many controls that would otherwise be procedural are structural by design — there is only one person with access to sensitive systems.
For vulnerability reporting, see our responsible disclosure policy.
Access Control
- Access to servers and infrastructure is held exclusively by the founder (Kilian Valkhof). No other employees or contractors have standing access to production systems.
- Access to customer account data is similarly limited to the founder.
- Payment data is handled entirely by Paddle and is not accessible to Polypane.
- Database infrastructure (Supabase) and backups are managed by those providers under their own access controls.
- Access credentials are not shared.
Password Management
- Strong, unique passwords are used for all services.
- Passwords are managed using a password manager.
- Two-factor authentication (2FA) is enabled on all accounts that support it, including email, payment processor, and hosting providers.
Patch and Update Management
- Server infrastructure is managed with automated tooling to ensure operating systems and packages are kept up to date on a formalized update schedule.
- Polypane's browser engine (Chromium) is updated regularly, following Chromium's own release and security patch cycle.
Incident Response
Security incidents are handled on a case-by-case basis by the founder. In the event of a confirmed breach affecting customer data:
- Affected customers will be notified via email as quickly as possible.
- We will assess the scope and take remediation steps appropriate to the incident.
- GDPR notification obligations will be met where applicable.
Vulnerability Reporting
We have a responsible disclosure policy. If you discover a vulnerability in Polypane or our infrastructure, please report it via https://polypane.app/.well-known/security.txt.
Data Handling
- Customer PII is limited to name, email address, and account status.
- Customer data is deleted upon request.
- Backups are retained for up to 30 days, after which they are permanently deleted.
- Email addresses are retained for up to six months after account deletion to prevent abuse.
- All data is transmitted over HTTPS with TLS 1.3.
Physical Security
Polypane is operated from a home office with controlled physical access. Physical security controls include:
- Work devices use full-disk encryption and are password-protected with automatic screen lock.
- Physical access to the premises is secured.
- Offline backups are maintained in multiple separate physical locations.
Sub-processors
All third-party providers that process customer data have Data Processing Agreements (DPAs) in place. See our Privacy Policy for the full list.
This policy is reviewed and updated as needed. Last updated: March 2026.