TL;DR for IT staff: grouprides.cc is an EU-based SaaS platform hosted on Digital Ocean (Frankfurt) and Vercel. Data is encrypted in transit via TLS 1.2+. Authentication is passwordless (Email + One-Time Code). Access is role-based with 4 internal admins. We rely on the certifications of our infrastructure providers (Vercel SOC2 Type 2, Cloudinary SOC2 Type 2 + ISO 27001, Digital Ocean). We do not use generic accounts or traditional passwords — we exclusively use OTP. If you require penetration testing, the costs are to be borne by your organization.
grouprides.cc is a 360° SaaS platform for on- and off-bike events, demo days, digital waivers, and fleet management. The company is established in the European Union. The platform is operated by Grouprides UG (haftungsbeschränkt), Bogenallee 10, 20144 Hamburg, Germany. For security-related questions or incidents, contact: support@grouprides.cc.
The application is hosted across two primary providers: Digital Ocean (Frankfurt) and Vercel.
All customer data is processed and stored within the European Union. No on-premise deployment exists. The infrastructure is fully cloud-based and container-managed. No direct SSH or console access to production systems is available. Changes to network configuration are handled declaratively through the Digital Ocean management interface.
All public network traffic is encrypted using TLS 1.2 or higher. Certificates are managed and automatically renewed via Let's Encrypt through the Digital Ocean App Platform. No plaintext communication is permitted.
Data collected: First name, last name, email address, and event registration data. All payment information is handled exclusively by Stripe — no payment data is stored by grouprides.cc.
Data residency: European Union (Digital Ocean Frankfurt), with images served via Cloudinary CDN globally.
Access control: A role-based access control (RBAC) system is in place. Internally, only 4 core team members hold admin access. For customers, each Brand Admin can manage user roles within their own brand scope (Brand Admin / Brand Editor / Brand User).
Data anonymization: User data (first name, last name, email) can be anonymized by replacing it with fictitious names. Anonymized data is used for internal event statistics only.
Hard copies: The company operates fully digitally — no paper copies of sensitive data are produced.
Data deletion: Cryptographic deletion is supported via Vercel. Customer data does not leave the production system.
Third-party processors: Google Analytics (analytics), Mailjet (email), Stripe (payments). All are industry-standard vendors with established compliance certifications. For US-based subprocessors, data transfers rely on the EU–U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission.
Data Protection Officer: Handled by SiDIT Legal GbR, Würzburg.
Privacy policy: https://www.grouprides.cc/privacy
grouprides.cc uses a passwordless authentication model exclusively. Users authenticate via Email + One-Time Code (OTP). There are no stored passwords, no generic accounts, and no shared credentials. This applies to both end users and internal systems.
Important note for IT assessors: We do not support traditional password authentication with minimum character requirements (e.g. 10 or 15 characters) or classic two-factor authentication flows, as these are replaced entirely by our OTP model. OTP by nature provides a strong, single-use, time-limited authentication factor that eliminates credential reuse, phishing of static passwords, and brute-force risks. Session cookies have a lifetime of 30 days. IP whitelisting for user authentication is not applicable given our public SaaS model.
Administrative access to platforms (GitHub, Vercel, Digital Ocean, Cloudinary) is secured with multi-factor authentication. Secrets and credentials are stored in encrypted environment variables — never in source code.
Application security testing is performed internally by the development team. The CI/CD pipeline includes automated dependency and vulnerability scanning via npm audit. Integration tests verify proper enforcement of authentication and authorization across the application. API rate limiting is implemented to protect against abuse and denial-of-service scenarios.
Critical vulnerabilities are addressed immediately upon identification, with zero-downtime deployments in place. Infrastructure patch cycles are managed by Digital Ocean.
External penetration testing is available on request. If your organization requires a penetration test as part of vendor onboarding or compliance, this can be arranged — the costs are to be borne by the requesting organization. No public responsible disclosure path (e.g. security@) is currently published.
Dependencies are tracked via package-lock.json and regularly updated. Third-party open source components are included via npm packages.
In the event of a confirmed security incident involving customer data, the designated customer contact will be notified within 72 hours of detection and confirmation, in accordance with GDPR Article 33. The team operates with a strong sense of urgency and direct customer communication — in practice, critical issues are escalated and communicated significantly faster. Notifications include a description of the incident, affected data, mitigation actions taken, and recommendations where applicable.
The incident response plan is reviewed annually through internal simulation or discussion-based exercises.
Security events are logged at both the application and infrastructure level using the built-in monitoring features of the Digital Ocean App Platform. Application logs capture authentication attempts, authorization events, and errors. Log retention is 7 days by default — extended retention is available on request.
grouprides.cc's internal policies and procedures are aligned with the key principles of GDPR. Rather than pursuing its own ISO 27001 or SOC2 certification, grouprides.cc deliberately relies on the strong compliance posture of its infrastructure providers: Vercel (SOC2 Type 2), Cloudinary (SOC2 Type 2 and ISO 27001), and Digital Ocean.
An internally managed Information Security Program (InfoSec SP) is in place, reviewed annually or after major platform changes. Automated vulnerability monitoring is integrated into the CI/CD pipeline, with critical issues flagged and remediated immediately. All personnel sign NDAs and confidentiality agreements as a condition of employment. An Acceptable Use Policy is part of mandatory onboarding. All team members are personally known and thoroughly vetted prior to joining — background verification is handled through direct assessment rather than formal third-party screening.
External audits are planned as the company scales to meet broader enterprise requirements.
Consent
Consent is obtained directly at the point of registration. Before completing sign-up, users are presented with the following explicit notice and must actively proceed to confirm:
"By continuing the process you agree to our Terms, the Waiver and how we handle your data per our Privacy Policy. If applicable, we will securely transmit your name and email address to the event organizer so you can participate and receive important information. The organizer may also contact you after the event. Yes, save my data, to submit the next Groupride even faster and create an account to manage my Grouprides."
Consent is therefore informed, specific, and unambiguous. The act of proceeding constitutes a clear affirmative action in line with GDPR requirements. The consent event is tied to the user's account creation and is documented as part of the registration record.
Data Retention & Deletion
Data is retained for as long as a user maintains an active account. Upon account deletion, all personal data (name, email, associated records) is immediately and automatically hashed and rendered permanently unidentifiable. This process is fully automated — once triggered, the data cannot be recovered or accessed by grouprides.cc staff. There is no manual step required and no grace period delay. This ensures compliance with the right to erasure under GDPR Article 17.
For event-related data where the user has not deleted their account, data is retained only for as long as the original purpose (event participation, post-event communication) remains valid. Customers (brands) are responsible for managing their own communication practices within the bounds of the consent granted by users at sign-up.
Internal Access & Permission Concept
Access to personal data within the grouprides.cc platform is strictly limited to a small number of internal admins. These individuals are selected with the utmost care — access rights are granted on an explicit need-to-know basis and are contractually anchored in employment and confidentiality agreements. The number of people with data access is kept to the absolute minimum necessary to operate and maintain the platform. Access rights are reviewed regularly, and any departure of a team member results in immediate revocation of all access. No personal data is accessible to third parties outside of the documented subprocessors (Stripe, Mailjet, Google Analytics) listed under Third-party processors above.
Topic | Status
ISO 27001 / SOC2 certification | Not pursued — we rely on the certifications of our infrastructure providers (Vercel SOC2 Type 2, Cloudinary SOC2 Type 2 + ISO 27001, Digital Ocean)
MFA enforcement for end users | Not applicable — our passwordless OTP model eliminates the need for traditional MFA
API rate limiting | Implemented
Audit trails / customer-facing logs | Available as a custom integration on request
InfoSec risk management | Automated vulnerability monitoring via npm audit integrated into the CI/CD pipeline; critical issues are flagged and remediated immediately
Employee background & vetting | All team members are personally known and thoroughly vetted prior to onboarding; NDAs and confidentiality agreements are mandatory
Sandbox / test environment | Available on request
Data-at-rest encryption | Handled at infrastructure level by Digital Ocean
Incident response | Incidents are communicated within 72 hours per GDPR Article 33; the team operates with a strong sense of urgency and direct customer communication
Log retention | 7 days rolling — extended retention available on request
Last updated: November 2025. For security questions or incidents contact support@grouprides.cc