Security and compliance at BioLedger


We require all employees and any contractors that work with us to sign a confidentiality agreement and comply with our cybersecurity policy.

We review our cyber security policy every quarter, train our team on security regularly and onboard new members of our team through the security procedures.

We enforce a device management policy (using passwords with set entropy, using password management tools, locking screen when leaving the desk, using disk encryption, enabling remote lock of laptops and smartphones).

Our employees and contractors must report all actual or suspected IT security incidents.

By default, our employees and contractors don't have access to user data. Exceptions can be made for customer support and technical team (in specific cases).


including Amazon Web Services (AWS) and Google Firebase. Those providers set the global standard for robust security mechanisms which protect our infrastructure.

We change private keys and algorithms used to encrypt production data systematically.

ur user's data is backed up on a daily basis and stored securely in separate containerised instances of the same infrastructure.

Our networking infrastructure (routers, load balancers, DNS servers,...) also run in the cloud.

All communications are performed through end-to-end HTTPS encryption.

Access to our network is strictly controlled using a VPN with network access control lists (ACL) and IP whitelisting.

Our inbound and outbound network traffic is monitored and controlled using firewalls and IP whitelisting.

We are using solutions to monitor the performance of our platform and log errors in our service.

We are using separate environments for testing and production.


Your documents and data are stored and hosted in Europe (Ireland) which ensures that all data handling is in line with GDPR rules.

All data coming to or sending from our infrastructure is encrypted in transit using Transport Layer Security (TLS 1.2).

All our user data is encrypted in transit using HTTPS and logically isolated.

We are anonymizing, or we do not transmit sensitive data to our sub-processors.

Application security

We are following OWASP security best practices to protect our solution.

We are strictly controlling who has access to our source code.

We restrict access to production data to authorized support staff members only and protect it by 2FA and VPN access.

We are monitoring (both manually and automatically) and updating our dependencies to make sure none of them has know vulnerabilities.

We review our code systematically for security vulnerabilities. We employ two full time, third party, Quality Assurance and Security Testers according to practices typically employed in testing of banking applications regulated by the UK Financial Conduct Authority.


GDPR is a regulation put in place in the EU since 2018. The goal of this regulation is to protect the data of users of internet services.

Data privacy is one of our top priorities. For this reason, we put all our efforts to be fully compliant with the GDPR regulation. We have detailed some of our actions to ensure we're compliant on a dedicated section of our knowledge base.

Payment information

We do not conduct any payments inside the app, therefore we do not store any payment information.