Skip to content
Security & encryption

Security & encryption at every level

As a lead generator, you run your entire operation (intake, matching, billing, payouts) on OXIAE. Security is therefore not a bolt-on feature, but woven into every layer of the platform you present under your own brand to publishers and buyers: from encrypted transport and storage to strict access control and complete logging.

On this page you’ll read exactly how that’s set up: where your data lives, how you manage access, how we develop securely, what happens if something goes wrong, and how back-ups and recovery work. No vague promises, just explainable measures you can confidently walk your own customers through.

GDPR-compliant EU data residency Full audit trail

Layers of security

Protection builds up in four layers, present by default in your platform. Each layer stands on its own; together they form one seamless whole. A single weak link is absorbed by the layers around it.

Layer 1

Transport

All communication within your platform runs encrypted over TLS. Data travelling between form, API and dashboard never crosses the network unprotected.

Layer 2

Storage

Data is stored encrypted with AES-256. Even at the disk level, sensitive data belonging to your publishers and buyers stays unreadable without the right keys.

Layer 3

Access

Access runs through roles, least-privilege and MFA, all configured by you. Every team member and every partner sees only what their own task requires, nothing more.

Layer 4

Monitoring & logging

A complete audit trail records every processing action across your platform, with detection of anomalous use so incidents surface quickly.

What comes standard in your platform

Security isn’t a switch you flip on: it’s the default the moment you go live. These measures are built in for every processing action, regardless of which brand you run, what volume you handle, or which buyer you serve.

Want to see how processing is recorded traceably? Take a detailed look at the audit trail.

  • Encrypted transport TLS on every connection, from intake to buyer.
  • Encrypted storage Data at rest protected with strong encryption.
  • Least-privilege access Permissions per role, limited to what is strictly necessary.
  • Audit logging Every processing step traceable and exportable.
  • Tested back-ups Encrypted back-ups with geographic separation and periodic restore testing.
  • Separated environments Development, test and production data kept strictly apart.
Data location & hosting

Your data stays in the European Union

Personal data and requests that come in through your platform are stored and processed within data centres in the European Union, with the Netherlands as the primary region. We deliberately choose data residency in the EU, so you don’t have to lean on transfer mechanisms for countries outside the EEA.

The underlying infrastructure runs at established European infrastructure providers that themselves hold recognised security certifications. We remain the processor throughout: the data is and stays yours and your customers’, we only manage the environment in which it is processed securely. How this ties into privacy, legal bases and retention periods is covered on GDPR.

  • Storage in the EU: primary region the Netherlands, no default storage outside the EEA.
  • Data residency: processing and back-ups stay within European data centres.
  • Recognised infrastructure providers: hosted with parties holding demonstrable security certification.
Access management in detail

Who can do what, and how you enforce it

Access is the most sensitive layer of any system. As operator, you arrange it explicitly, verifiably and with as few permissions per person as possible, for your own team as well as the publishers and buyers working on the platform.

Roles & least-privilege

You decide exactly which permissions each role gets, nothing more than the task requires. A form administrator sees different screens than a buyer or a finance owner inside your organisation. Permissions are assigned centrally, never ad hoc per person.

MFA & SSO

Two-factor authentication (MFA) is available by default and can be enforced across your whole organisation. Working with your own identity provider? Connect single sign-on (SSO) via SAML or OIDC, so onboarding and offboarding stay centrally managed on your side.

Periodic access reviews

Access rights don't expire on their own, which is why you evaluate them structurally within the platform. Each review checks whether a role is still appropriate, and lets you revoke accounts of departed staff before they become a risk.

Logging of access

Not only changes, but also the viewing of personal data is recorded. Who looked at which request and when is therefore traceable after the fact: an indispensable link for your accountability towards publishers, buyers and regulators.

All access and changes come together in the audit trail, so you not only know who has access, but also what was actually done with it.

Back-up & recovery

Recoverable, not just backed up

A back-up is only worth something if you can actually recover with it. That’s why we test not just that we back up, but also whether restoring works in practice: your operation should never be down longer than necessary.

Frequency

Automated, encrypted back-ups run daily, with shorter intervals for critical data. That keeps the loss from an incident limited.

Geographic separation

Back-ups are kept in a location other than the production environment, within the EU, so a single outage never affects both data and back-up.

Restore test

We periodically run a restore trial and monitor recovery targets, so restoring stays not theory but a practised process.

Secure development & testing

Security starts with the code

Most breaches don’t come from weak encryption, but from mistakes in software and neglected dependencies. That’s why secure development is a fixed part of how we build the platform you run on.

Separated environments

Development, test and production are strictly separated from one another. Real personal data never ends up in test or development environments.

Mandatory code review

No change goes live without review by a second developer. That way we catch mistakes and risky patterns before release to your platform.

Dependency & vulnerability management

External libraries are continuously scanned for known vulnerabilities; critical updates are applied with priority.

Periodic pentests

Independent parties regularly test the platform for weak spots. Findings are prioritised and demonstrably followed up.

Incident response

If something does go wrong, what matters most is how quickly and methodically we respond. We work according to a fixed playbook, from first signal to statutory notification, so you as operator always know where you stand.

01

Detection

Monitoring and logging flag anomalous behaviour and potential incidents across your platform. Automated alerts put the right team into action immediately.

02

Escalation & assessment

An incident is classified by impact and scope. A fixed accountable team takes the lead and determines the steps to be taken.

03

Notification to you

In the event of a data breach affecting your platform or your customers, we inform you as the data controller without undue delay, with the facts you need for publishers and buyers.

04

Regulator notification within 72 hours

Where the law requires it, we support your notification to the supervisory authority within 72 hours, and in the case of high risk also the data subjects.

Standards framework & certification

Honest about where we stand

We build the platform according to the principles of internationally recognised standards such as ISO 27001 and the SOC 2 framework: risk-driven information security policy, access management, change management, logging and incident handling. Our infrastructure providers are certified for their services.

We don’t make claims we can’t back up: where a formal certification is still in progress, we say so honestly. Need specific documentation for a tender or due diligence from your own customers? Request it via ricardo@oxiae.com, or take a look at the trust center for security, status and responsible disclosure in one place.

Last updated on 12 March 2026.

Frequently asked questions about security

The questions lead generators ask us most often before running their lead operation on OXIAE.

Where exactly is our data stored?

In data centres within the European Union, with the Netherlands as the primary region. We deliberately choose data residency in the EU, so there is no default transfer to countries outside the EEA. Back-ups also stay within European data centres.

How is the data protected, in transit and at rest?

All connections run encrypted over TLS, and data at rest is encrypted with AES-256. As a result, data stays unreadable to anyone without the right keys, both in transit over the network and on disk.

Who can view the lead data in our platform?

Only people with a role for which access is strictly necessary, based on least-privilege and configured by you as operator for your own team, publishers and buyers. MFA is available by default and SSO is possible via your own identity provider. Access is logged and periodically reviewed, so permissions don’t linger unnoticed.

What happens in the event of a data breach?

We follow a fixed incident playbook: detection, escalation and assessment, notification to you as the data controller, and where the law requires it a notification to the supervisory authority within 72 hours. In the case of high risk, data subjects are informed as well.

Are you ISO 27001 or SOC 2 certified?

We build according to the principles of ISO 27001 and the SOC 2 framework, and our infrastructure providers are certified for their services. Where our own formal certification is still in progress, we say so honestly. Specific documentation for due diligence from your own customers is available on request.

How can I be sure a processing action happened as agreed?

Every processing step and every access comes together in your platform’s audit trail. It is transparent and exportable, so you can account for it to publishers, buyers and regulators without having to take our word for it. Take a look at the audit trail for the details.

Security in figures

Security you can demonstrate

AES-256
Encrypted storage at rest
TLS
Encrypted transport on every connection
72 hours
Framework for regulator notification on a breach
100% EU
Data location within the European Union

Security you can demonstrate

Book a demo and see how encryption, access management and the audit trail come standard in your platform, or request specific documentation.