Infrastructure Controls
The physical and logical controls that protect the infrastructure Serpentine runs on.
Hosting and data residency
Serpentine is EU-hosted by default. Primary compute and storage run in Frankfurt, Germany, with backup and failover in Amsterdam, Netherlands. Hosting partners maintain ISO 27001 and SOC 2 Type II certifications. We do not transfer customer personal data outside the European Economic Area unless required by law and with appropriate safeguards in place.
Physical security
- Data centers with 24/7 on-site security, CCTV, and biometric access control
- Multi-factor physical access controls and visitor logging
- Redundant power, cooling, and network connectivity
- Environmental controls and fire suppression
Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption for data at rest
- Encrypted backups with separate key management
- Keys managed through a dedicated key management service with rotation
Access control
- Least-privilege access enforced for all production systems
- Mandatory multi-factor authentication for staff
- Just-in-time, audited access to production environments
- Quarterly access reviews and immediate deprovisioning on role change
Hardening and monitoring
- Servers hardened against CIS benchmarks—the same controls Serpentine applies for customers
- Centralized logging, continuous monitoring, and alerting
- Automated vulnerability scanning and patch management
- Network segmentation between environments
Resilience
- Automated, encrypted backups with regular restore testing
- Multi-region failover between Frankfurt and Amsterdam
- Documented incident response and business continuity plans
Related pages
See our Security overview and our Trust Center for certifications and control mappings.