Your data, kept simple.
Voorcast reads inventory and sales data from your connected systems and stores it in the EU. This page describes who has access, who we share with, and how we handle the obligations that come with that.
EU-only hosting
Application, database, and backups all reside on EU servers in Germany. Customer data does not leave the EU as part of normal service operation.
GDPR by default
Voorcast is operated by Nordnether (Netherlands). Our Article 28 DPA is below; data subject rights are handled per the Privacy Policy.
Hosting and data residency
Voorcast runs on a managed European hosting provider with servers in Germany. Backups stay in the EU. Customer data does not leave the EU as part of normal service operation. If we ever change hosting region, we will notify customers in advance and update this page.
Connections
The landing site and the application sit behind Cloudflare with HTTPS-only enabled — any HTTP request is redirected to HTTPS before it reaches our origin.
Access to production data
Raw production data is not copied to development or staging environments. We use anonymized derivatives of production data to train and regression-test the forecasting engine; the anonymization is applied before any data leaves the production system.
Dependencies
We update third-party dependencies frequently and deploy security patches promptly — recent practice has been within 24 to 48 hours of release.
GDPR and the DPA
Voorcast acts as a processor for the operational data customers connect through integrations, and as a controller for account, billing, and prospect data. Our Data Processing Agreement (Article 28) is part of every paying customer's contract. Data subject rights are handled per the Privacy Policy.
Sub-processors
Voorcast uses the following sub-processors. We will notify customers in advance of material additions to this list.
| Sub-processor | Purpose | Location |
|---|---|---|
| Sentry | Error and performance monitoring | EU |
| AWS SES | Transactional email (sign-up, password reset, billing, alerts) | EU (eu-central-1) |
| EU hosting provider | Application and database hosting; automated snapshots | Germany |
| Mollie | Payment processing (no card data passes through Voorcast) | EU |
Personal data breaches
GDPR Article 33 applies to us. As a controller, if we become aware of a personal data breach we will notify the supervisory authority (Autoriteit Persoonsgegevens) within 72 hours where the breach is likely to result in a risk to data subjects, and we will notify affected individuals where the risk is high. As a processor, we will notify the customer (controller) without undue delay.
Contact about security
For security questions, vulnerability disclosure, or DPA inquiries, email [email protected].