This page covers how Jaws Deploy handles your data and the controls we apply to the platform. The legal entity behind the product is Jaws Deploy AS (Org.nr 933 925 935), registered in Norway and operating in the EU. For anything not covered here, contact admin@jawsdeploy.net.
At a glance
Quick reference for procurement and security reviewers.
- EU-hosted (Dusseldorf, Germany) - data does not leave the EU.
- TLS 1.2+ in transit. Secret variables encrypted at rest with AES-256 (per-organisation keys).
- GDPR compliant. DPA available on request.
- OIDC available for Jaws Deploy Stack.
- No SOC 2 or ISO 27001 today - Stack lets you bring your own compliance perimeter.
Where your data lives
Jaws Deploy Cloud is hosted in Dusseldorf, Germany. Production data, deployment metadata, release history, encrypted secrets, and audit logs all reside in EU data centers and are not transferred outside the EU under normal operation. Jaws Deploy Stack runs entirely on infrastructure you control - no deployment data ever reaches our servers.
How data is protected
All traffic to Jaws Deploy is encrypted in transit using TLS 1.2 or higher with HSTS enforced. Secret-type variable values are encrypted at rest in the database using AES-256, with a unique encryption key per organisation. Packages uploaded to Jaws Deploy are stored in Azure Blob Storage, which applies AES-256 server-side encryption at rest to all stored objects. Service accounts authenticate via API keys scoped to workspace permissions.
Operational security
Daily automated backups with 30-day retention. Uptime is monitored around the clock by BetterStack, which alerts the on-call team immediately on any service disruption. Security patches are applied on a rolling basis; critical patches are fast-tracked outside the normal cycle.
Incidents are acknowledged within one business day. Outages affecting service availability are resolved within four hours in most cases. Critical incidents are broadcast in Jaws Deploy community Slack channels. Real-time service status is published at status.jawsdeploy.net. Planned maintenance windows are announced by email to active customers in advance.
Compliance posture
Jaws Deploy follows GDPR. We do not currently hold SOC 2 or ISO 27001 certification - for teams that require those today, Jaws Deploy Stack lets you run the platform inside your own compliance perimeter and inherit your existing certifications.
Sub-processors
Third-party services that may process customer data on our behalf.
- Hosting: Hetzner Online GmbH (Dusseldorf, DE)
- Package storage: Microsoft Azure (Primary: Germany West Central, Secondary: Germany North)
- Uptime monitoring: BetterStack (EU)
- Cookie consent: Cookiebot / Cybot (Denmark, EU)
- Customer chat: Crisp (France, EU)
- Bot protection: Google reCAPTCHA (US)
- Transactional email: Mailgun (Region EU)
Data Processing Agreement
Our standard Data Processing Agreement is available as a downloadable PDF in the footer. For controller-to-controller scenarios or custom terms, email admin@jawsdeploy.net.
Reporting a vulnerability
Found a security issue? Email admin@jawsdeploy.net with details. We acknowledge reports within one business day and will keep you informed as we investigate. Please do not publicly disclose the issue until we have had a reasonable opportunity to address it.
Company details
Jaws Deploy ASOrg.nr 933 925 935Grenseveien 101406 Ski, Norwayadmin@jawsdeploy.net