Our Security Commitment
At Emby.dev, security and compliance are not afterthoughts; they're fundamental to everything we build. We understand that you're trusting us with sensitive data and critical infrastructure, and we take that responsibility seriously.
Infrastructure Security
EU-Hosted Infrastructure
All Emby.dev infrastructure is hosted exclusively in the European Union:
- Primary Location: Netherlands 🇳🇱
- Hosting Provider: bit.nl - ISO 27001 & NEN 7510 certified
- Data Residency: All data remains within EU borders
- No US Cloud Providers: We don’t use AWS, GCP, or Azure for primary infrastructure
Certifications
Our infrastructure is certified with industry-leading security standards:
ISO 27001 - Information Security Management
Certified information security management system ensuring comprehensive protection of data assets.
NEN 7510 - Healthcare Information Security
Dutch healthcare information security standard, ensuring the highest level of data protection.
GDPR Compliant - EU Data Protection
Full compliance with the EU General Data Protection Regulation, ensuring data privacy rights.
SOC 2 Type II - Service Organization Control
Currently in progress; expected Q2 2025.
Data Security
Encryption
Data in Transit
- TLS 1.3 for all API communications
- Perfect Forward Secrecy (PFS)
- Strong cipher suites only
- HSTS enabled on all endpoints
Data at Rest
- AES-256 encryption for stored data
- Encrypted database backups
- Encrypted file systems
- Hardware security modules (HSM) for key management
Data Privacy
What We Store:
- Account information (email, name, billing details)
- API usage metadata (timestamps, model used, token counts)
- Error logs for debugging (30-day retention)
- Billing records (7-year retention for tax compliance)
Access Controls
Internal Access
- Role-based access control (RBAC)
- Principle of least privilege
- Multi-factor authentication (MFA) required
- Regular access reviews
- Audit logging of all administrative actions
Customer Access
- API key-based authentication
- Optional IP whitelisting
- Per-key rate limiting
- Granular permission controls
- Team member access management
Network Security
Infrastructure Protection
- DDoS Protection: Multi-layer DDoS mitigation
- Web Application Firewall (WAF): Protection against common attacks
- Intrusion Detection: 24/7 monitoring for suspicious activity
- Network Segmentation: Isolated environments for different services
- Zero Trust Architecture: Verify every request, trust nothing
API Security
- Rate Limiting: Per-key and per-IP rate limits
- Request Validation: Strict input validation and sanitization
- Authentication: Bearer token authentication
- Authorization: Fine-grained access controls
- Audit Logging: Complete audit trail of API usage
Compliance
GDPR Compliance
We are fully compliant with the EU General Data Protection Regulation:
Data Subject Rights
- ✅ Right to access your data
- ✅ Right to rectification
- ✅ Right to erasure (“right to be forgotten”)
- ✅ Right to data portability
- ✅ Right to restrict processing
- ✅ Right to object
Processing Principles
- Lawful basis for all processing
- Data minimization principles
- Purpose limitation
- Storage limitation
- Integrity and confidentiality
To exercise these rights:
Email: privacy@emby.ai
Response time: Within 48 hours
Industry-Specific Compliance
- Healthcare (HIPAA)
- Finance (PCI-DSS)
- Government
HIPAA Compliance Available
For healthcare applications, we offer:
- Business Associate Agreement (BAA)
- PHI encryption and access controls
- Audit logging and monitoring
- Breach notification procedures
- Regular compliance audits
Security Practices
Development Security
Secure Development Lifecycle
- Security requirements in design phase
- Code review for all changes
- Static application security testing (SAST)
- Dynamic application security testing (DAST)
- Dependency scanning and updates
- Security-focused CI/CD pipeline
- Regular vulnerability scanning
- Automated dependency updates
- License compliance checks
- Supply chain security
Operational Security
Monitoring & Alerting
- 24/7 security monitoring
- Real-time threat detection
- Automated incident response
- Security information and event management (SIEM)
- Log aggregation and analysis
Incident Response
- Documented incident response plan
- Regular incident response drills
- 24/7 on-call security team
- Breach notification procedures
- Post-incident reviews
Backup & Recovery
- Automated daily backups
- Encrypted backup storage
- Regular recovery testing
- Geo-redundant backup locations (within EU)
- 99.9% data durability guarantee
Penetration Testing
Regular Security Assessments
- Annual third-party penetration testing
- Quarterly internal security assessments
- Continuous vulnerability scanning
- Bug bounty program for responsible disclosure
Bug Bounty Program
- Rewards for security researchers
- Responsible disclosure policy
- Hall of fame for contributors
- Details at: https://emby.dev/security
Vendor Security
Third-Party Providers
We carefully vet all third-party providers:
AI Model Providers
- OpenAI (Azure) - SOC 2, ISO 27001
- Anthropic (AWS Bedrock) - SOC 2, ISO 27001
- Google (Vertex AI) - SOC 2, ISO 27001
- All providers GDPR compliant
Infrastructure & Payment Providers
- bit.nl - ISO 27001, NEN 7510
- Stripe (payments) - PCI-DSS Level 1
- All EU-based or GDPR compliant
Data Processing Agreements
- Data Processing Agreements (DPA) with all vendors
- Regular vendor security assessments
- Contractual security requirements
- Right to audit vendors
Security Transparency
Security Updates
We believe in transparent security:
- Status Page: https://status.emby.dev
- Security Advisories: Published for all security incidents
- Changelog: All security updates documented
- Incident Reports: Post-mortem reports published
Security Contact
Report Security Issues
Email: security@emby.ai
PGP Key: Available at https://emby.dev/pgp
Response Time
- Critical issues: Within 4 hours
- High severity: Within 24 hours
- Medium/Low: Within 72 hours
Compliance Documentation
Available Documentation
For enterprise customers, we provide:
- SOC 2 Type II report (when available)
- ISO 27001 certificate
- NEN 7510 certificate
- GDPR compliance documentation
- Data Processing Agreement (DPA)
- Business Associate Agreement (BAA)
- Security questionnaire responses
- Penetration test reports (summary)
Security Roadmap
Current (Q1 2025)
- ✅ ISO 27001 certified infrastructure
- ✅ NEN 7510 certified infrastructure
- ✅ GDPR compliance
- ✅ TLS 1.3 encryption
- ✅ 24/7 security monitoring
Upcoming (Q2 2025)
- 🔄 SOC 2 Type II certification
- 🔄 Enhanced DDoS protection
- 🔄 Advanced threat detection
- 🔄 Customer-managed encryption keys (CMEK)
Future (2025+)
- 📋 FedRAMP compliance (for US government)
- 📋 ISO 27017 (cloud security)
- 📋 ISO 27018 (cloud privacy)
- 📋 On-premise deployment options
Best Practices for Customers
API Key Security
Data Protection
- Encrypt sensitive data before sending to API
- Implement proper access controls in your application
- Follow principle of least privilege
- Regular security audits of your integration
- Monitor API usage for anomalies
Compliance
- Review our Terms of Service and Privacy Policy
- Implement proper consent mechanisms
- Provide privacy notices to your users
- Maintain audit logs
- Regular compliance reviews
Questions?
For security and compliance questions:
General Security: security@emby.ai
Compliance: compliance@emby.ai
Privacy: privacy@emby.ai
DPO: dpo@emby.ai
Security is a shared responsibility. While we provide secure infrastructure, you’re responsible for securing your API keys, implementing proper access controls, and following security best practices in your applications.