Security
Last updated: 15 April 2026
Security is foundational to what Filto does. We handle sensitive B2B contact and company data on behalf of our clients. This page outlines how we protect that data and maintain the integrity of our platform.
1. Infrastructure
Filto's platform is hosted on Hetzner Cloud infrastructure within the European Economic Area. Our Kubernetes clusters are provisioned and managed using infrastructure-as-code (Terraform), ensuring consistent, auditable configuration across environments.
All production environments are isolated from development and staging. Access to production infrastructure is restricted, logged, and reviewed regularly.
- Hosting region: EEA (Hetzner Cloud)
- Orchestration: Kubernetes (k3s)
- Provisioning: Terraform + GitHub Actions
2. Data Encryption
In transit. All data transmitted between your browser and Filto's servers is encrypted using TLS 1.2 or higher. This applies to the web application, API endpoints, and any webhook delivery.
At rest. Data stored in our databases is encrypted at rest. Backups are encrypted and stored separately from primary data.
Payment data. We do not store payment card details. All payment processing is handled by our PCI-compliant payment provider. Filto only receives tokenised references to payment methods.
3. Access Controls
Access to Filto's production systems follows the principle of least privilege. Engineers only have access to the systems and data required for their role.
- Multi-factor authentication is required for all internal system access
- SSH access to production servers is key-based only - password authentication is disabled
- Database access from application services uses dedicated, scoped credentials
- All privileged access is logged and auditable
- Credentials and secrets are managed via secrets management tooling - not stored in code or version control
4. Verifier Network Security
Our verifier network consists of trained individuals who check contact and company data against current public sources. All verifiers go through an onboarding and vetting process before being admitted to the network.
Verifiers interact with data through a controlled interface. They do not have access to your full dataset - each verifier sees only the individual records assigned to them, without identifying client context. Client identity is never exposed to the verifier network.
All verifier activity is logged and auditable. Anomalous behaviour triggers automatic review. Verifiers who violate our policies are immediately removed from the network.
5. Vulnerability Management
We conduct regular dependency audits across our application stack and infrastructure. Known vulnerabilities in dependencies are remediated promptly based on severity.
Our CI/CD pipeline includes automated security scanning as part of every deployment. Infrastructure changes are reviewed before being applied to production.
6. Incident Response
In the event of a security incident that affects your data, we will notify you without undue delay. Where the incident constitutes a personal data breach under applicable data protection law, we will also notify the relevant supervisory authority within 72 hours of becoming aware.
Our incident response process includes: immediate containment, root cause analysis, affected party notification, and post-incident review to prevent recurrence.
7. Compliance
Verizap Technologies Pvt. Limited, the Indian company behind Filto, designs its infrastructure and data practices to comply with UK GDPR and EU GDPR where those regulations apply to EU/UK data subjects, as well as India's Digital Personal Data Protection Act 2023 (DPDP Act). For a full description of how we handle personal data, see our Privacy Policy and GDPR page.
Enterprise clients requiring a Data Processing Agreement (DPA), security questionnaire responses, or evidence of specific controls should contact us directly.
8. Reporting Security Issues
If you discover a potential security vulnerability in Filto's platform or infrastructure, please report it responsibly. Do not publicly disclose the issue until we have had the opportunity to investigate and remediate it.
Contact us via the support channel in your account or through our website contact form. We will acknowledge your report within 48 hours and keep you updated on our progress.
We appreciate responsible disclosure and will credit researchers who report valid vulnerabilities in good faith.