Trust center
Honest, plain-English summary of UniMate's security posture. Built for university partners who need a real answer before they put students on the platform.
Encryption everywhere
TLS 1.3 in transit (HSTS preload, CAA-locked CA). Postgres at-rest encryption via Hetzner LUKS. Backups gpg-encrypted with offsite copy in EU.
Authentication
Argon2id password hashes, JWT access + refresh with Redis-backed blacklist, optional TOTP 2FA for admin/moderator. HIBP check on every password set.
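The "HIBP check on every password set" above is a k-anonymity lookup: the server hashes the candidate password with SHA-1, sends only the first five hex characters to the Pwned Passwords range endpoint, and matches the remaining 35 characters locally, so the password itself never leaves UniMate's servers. The following is an added illustration, not UniMate's own code; the function names, the `fetch_range` injection point and the range-response bodies are constructed for this example so that it runs offline, and the breach counts are made up rather than taken from HIBP.

```python
"""Offline demonstration of a password-set gate backed by the HIBP Pwned
Passwords range (k-anonymity) check. Added example; not UniMate's code."""
import hashlib
from typing import Callable, Dict, Tuple

# Real HIBP endpoint. A production client would GET HIBP_RANGE_URL + prefix;
# only the 5-character SHA-1 prefix is ever transmitted.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {SUFFIX: count}.

    Tolerates CRLF, blank lines and malformed lines (ignored). HIBP's padded
    responses include suffixes with count 0; those are kept and treated as
    'not breached' by the caller.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            counts[suffix.strip().upper()] = int(count.strip())
        except ValueError:
            continue
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of known breaches containing the password (0 if none)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_set_allowed(password: str, fetch_range: Callable[[str], str],
                         min_length: int = 8, fail_closed: bool = True) -> Tuple[bool, str]:
    """Policy gate for registration / password change.

    fail_closed=True rejects the change when the breach lookup is unavailable;
    fail_closed=False lets it through (with the reason reported so it can be logged).
    """
    if len(password) < min_length:
        return False, "too short"
    try:
        count = breach_count(password, fetch_range)
    except Exception:  # transport error from the injected fetcher
        if fail_closed:
            return False, "breach check unavailable"
        return True, "breach check skipped"
    if count > 0:
        return False, f"found in {count} breaches"
    return True, "ok"


# Constructed stand-in for the HTTP fetch. The suffix under "5BAA6" is the real
# SHA-1 tail of the string "password"; the counts are invented for the demo.
_CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:0\r\n",
}
_GENERIC_BODY = "F" * 35 + ":2\r\n"  # unrelated suffix, so other passwords report 0


def demo_fetch_range(prefix: str) -> str:
    """Constructed range fetcher: returns a canned body instead of calling HIBP."""
    return _CONSTRUCTED_RANGES.get(prefix, _GENERIC_BODY)


def failing_fetch_range(prefix: str) -> str:
    """Constructed fetcher that simulates an HIBP outage."""
    raise ConnectionError("constructed outage")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", password_set_allowed(pw, demo_fetch_range))
```

The `fail_closed` flag is the design decision worth making explicitly: failing closed blocks password changes during an HIBP outage, failing open keeps the product available but lets a breached password through until the next check, so the skipped result should at least be logged and ideally re-checked later.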
Infrastructure
Single-region EU (Falkenstein, DE). Daily encrypted pg_dump → S3 with 30-day retention. Container-isolated services, no SSH keys checked in.
Data minimisation
We collect what we need to serve the product: email, nickname, schedule, notes, decks. AI memory is opt-in. No third-party trackers in the dashboard.
Hosting & jurisdiction
Servers in Germany (Hetzner). Legal entity UniMate AG in Switzerland. GDPR + Swiss FADP applies regardless of student location.
Cookies & analytics
Session cookie (HttpOnly, SameSite=Lax, Secure). Plausible analytics (no IPs, no cookies). hCaptcha is loaded only on /register.
Third parties that may process student data on UniMate's behalf. Updates to this list are announced in the changelog at least 14 days before they take effect.
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Hetzner | Hosting (EU, Falkenstein DC) | Encrypted DB + app servers | DE |
| DeepSeek | AI assistant — default model | Conversation content (opt-out via Privacy) | SG |
| OpenAI | AI assistant — Pro tier fallback | Conversation content (Pro only, opt-out) | US |
| ЮKassa | Payments processor (KZ/RU) | Card token, payer email, amount | RU |
| Cloudflare | CDN + DDoS protection | Cached static assets, IPs | US |
| Postmark | Transactional email (verify, magic) | Recipient address, message body | CA |
| Sentry | Error monitoring | Stack traces, user_id (no PII) | US |
| Plausible | Privacy-first product analytics | URL path, referrer (no IP, no cookies) | EE |
| hCaptcha | Bot prevention on /register | Captcha challenge token | US |
Found a vulnerability? Please email security@getunimate.com with details. We respond within 48 hours, fix critical issues within 7 days, and credit you in the acknowledgments below if you want.
Out of scope: DoS, social engineering of staff, physical attacks, third-party services. In scope: anything that lets a non-admin access another user's data, escalate privileges, or bypass billing.
Researchers who responsibly disclosed issues to UniMate.
No public reports yet. Be the first.
Universities and enterprise partners — email partnerships@getunimate.com for a signed DPA, ISO 27001 statement of applicability, and per-student data-flow diagrams.