Security and trust

Security is handled for you. Your apps run isolated, your data stays in the EU, and you own all of it.

Dockhold is built so you don't have to think about the security plumbing. HTTPS, encryption, isolation, and an audit trail are on by default, the same way for a weekend project and a production app. This page is the plain-language version of what that means. The full legal detail lives in our privacy notice.

Where your data lives

Dockhold is operated by a company based in Germany, and your apps and databases run on infrastructure hosted in the EU (German data centers). Your app data does not leave EU hosting. Where we rely on a provider outside the EU for a specific function, that transfer is covered by EU Standard Contractual Clauses. The full list is in the table below.

Every app runs isolated

Each app runs in its own isolated environment, separated from every other customer at the network level. One tenant cannot see or reach another tenant's app, traffic, or data. Each app gets its own HTTPS URL, and its own managed database when you enable one.

Encrypted in transit and at rest

Every Dockhold URL is HTTPS, with certificates issued and renewed automatically. There is nothing to configure and no certificate to remember to renew. Traffic to your app is encrypted in transit, and your data and secrets are encrypted at rest using industry-standard encryption.

Secrets stay secret

API keys, tokens, and passwords go in the encrypted Vault, kept apart from your code and your repository. Vault values are encrypted at rest, bound only to the apps you choose, and injected into your app at runtime as environment variables. They are never written into your build, never exposed to other tenants, and never logged. See environment variables and secrets for how to use them.

A tamper-evident audit log

Security-relevant actions on your account are recorded in an audit log where each entry is cryptographically linked to the one before it. That chaining makes the log tamper-evident: if a past entry were altered or removed, the chain no longer verifies. On the Scale plan the audit log is exportable, so you can keep your own copy for compliance.
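How that chaining detects tampering, as an added example that is not Dockhold's code or export format: each entry stores a SHA-256 hash over the previous entry's hash plus its own record, and a verifier walks the chain from the start. The field names, the all-zero genesis value, and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(prev_hash, record):
    """Hash the previous entry's hash together with a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    """Append a record, linking it to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev_hash": prev_hash,
                "hash": entry_hash(prev_hash, record)})


def verify(log, expected_head=None):
    """Return (ok, index of the first entry that fails, or None).

    expected_head is the latest hash you recorded outside the log. Without it,
    entries dropped from the end leave a shorter chain that still verifies.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return False, i  # link to the previous entry is broken
        if entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return False, i  # record content no longer matches its hash
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)  # chain is intact but ends too early
    return True, None


def build_sample_log():
    """Constructed sample events, not real Dockhold audit records."""
    log = []
    for record in [
        {"seq": 1, "actor": "alice", "action": "vault.secret.create"},
        {"seq": 2, "actor": "alice", "action": "app.set_private"},
        {"seq": 3, "actor": "bob", "action": "app.delete"},
    ]:
        append(log, record)
    return log
```

If you keep your own exported copy, also keep the most recent hash somewhere separate and pass it as expected_head, so that a copy with its newest entries cut off fails verification too.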

Private when you want it

Apps are public by default. Flip an app to private and every request must present a valid access token, checked at the edge before your app is reached. It's the right fit for internal tools, staging, and admin dashboards. See private apps for the details.

How you sign in, and what we touch on GitHub

You sign in with GitHub. For private repositories you can grant access through the Dockhold GitHub app, which is scoped per repository, read-only, and uses short-lived access. Dockhold reads your code to build it and never writes to your repositories: no commits, no status checks, no comments. We surface build and deploy results on your dashboard instead.

You own your data

Your code and data are yours. You can delete an app at any time, and its data is removed when you do. You can request deletion of your whole account, which we complete within 30 days. Under the GDPR you can also request a copy of your personal data or have it corrected. To exercise any of these, write to [email protected].

A quick retention summary: app data is deleted as soon as you delete the app; account data is kept for the life of your account plus 30 days; build and access logs are kept for 14 days; invoices are kept for 10 years, as German tax law requires.

Who processes data for us

These are the providers that process data on our behalf. Each is bound by a data processing agreement and, where it sits outside the EU, by EU Standard Contractual Clauses. The authoritative version, with purposes and links, is in our privacy notice.

Provider | Purpose | Location
Hetzner Online GmbH | Hosting and compute | Germany (EU)
Cloudflare, Inc. | DNS and edge protection | Global (EU SCCs)
GitHub, Inc. | Sign-in and repository access | United States (EU SCCs)
Stripe, Inc. | Subscription billing | EU / US (EU SCCs)
Postflex GmbH | Registered business address and mail | Germany (EU)

Data processing agreement (DPA)

If you process personal data through Dockhold for your business, the GDPR (Article 28) requires a data processing agreement between you (the controller) and us (the processor). It sets out what we may do with that data, our security duties, and the subprocessors above. We provide a DPA on request: email [email protected] and we'll send it over.

Have a security question that isn't covered here? Write to [email protected].