Legal

Aquadome BV builds software for maritime security and decision support. Protecting customer data and platform integrity is part of that mission — not an afterthought.

We organise security work around principles and control areas aligned with ISO/IEC 27001 — risk assessment, access control, secure operations, supplier management, and continuous improvement. That gives us a structured baseline we can explain and extend as the product matures.

We prioritise product development and rapid iteration. Controls are implemented pragmatically: strong where the risk warrants it, lightweight where speed matters and exposure is low. We revisit that balance as customers, contracts, and regulatory expectations evolve.

We have chosen not to pursue ISO 27001 certification yet. Product development and rapid iteration come first for now; we will revisit that decision as customer and contractual requirements change.

When we say practices are aligned with ISO 27001, we mean the standard guides how we work — not that an accredited body has audited or certified our Information Security Management System (ISMS).

If procurement needs formal assurance, tell us your requirements early so we can discuss roadmap and interim options (questionnaires, architecture summaries, or targeted controls).

Security decisions sit with the founding team. We maintain a practical view of assets (application, data stores, credentials, infrastructure), threats, and mitigations — updated when we ship major features or change hosting.

• Changes to production go through review and controlled deployment.
• Secrets and credentials live in environment configuration, not in source code.
• Third-party services are limited to what we need and chosen with data location in mind.

Access to the application is by invitation: sign-up is restricted to approved email domains and pre-approved addresses. Administrative capabilities are role-based.

• Authentication uses industry-standard session handling with server-side validation.
• Passwords must meet minimum length requirements; we encourage strong, unique passwords.
• Production databases and caches are not exposed to the public internet.
• Operational tools (e.g. log viewers) sit behind TLS and additional access controls.

Access is granted on a need-to-know basis and revoked when no longer required.

Our primary stack runs on infrastructure we operate in the European Union, with TLS for traffic to public endpoints. Core data services bind to localhost on the host — reachable via SSH tunneling for administration, not open database ports on the internet.

• Reverse proxy termination, automatic HTTPS, and hardened headers where applicable.
• Containerised services with minimal attack surface on the host.
• Backups and recovery procedures aligned with operational needs (tested periodically).
• Security-relevant logging for troubleshooting and incident review.

We patch dependencies and base images as part of ongoing development; critical issues are prioritised outside the normal release cadence when necessary.

The marketing site and application are separate surfaces with appropriate routing and session boundaries. Personal data practices are described in our privacy policy.

• Data in transit is protected with HTTPS/TLS.
• We avoid advertising trackers and unnecessary third-party scripts on the public site.
• Analytics for the marketing site use an EU-hosted provider with aggregate reporting.
• Contact and transactional email use providers configured for our EU footprint.

Customer or operational data handled in the product is processed only for the purposes described to users and customers — not sold or used for unrelated marketing.

We ship frequently. Security is woven into that rhythm rather than blocking it entirely:

• Type-checked, linted code with automated checks before merge.
• Dependency updates and vulnerability awareness as part of maintenance.
• Least-privilege defaults in application and infrastructure configuration.
• Feature work that touches auth, data export, or integrations gets extra scrutiny.

Formal change-advisory boards and lengthy release gates are intentionally light today; we compensate with direct ownership, small blast radius, and fast rollback paths.

We rely on a small set of processors for hosting, email, analytics, and similar functions. They are selected with security and — where relevant — EU data residency in mind. A fuller list of categories appears in the privacy policy; contractual terms require processors to protect data and use it only on our instructions.

If you discover a vulnerability or suspect unauthorised access involving our services, see our responsible disclosure policy or contact us at hello@aquadome.ai. We investigate credible reports, mitigate confirmed issues, and communicate to affected parties when appropriate.

No organisation can guarantee zero incidents; our commitment is to detect, contain, and learn from them.

As Aquadome grows — larger deployments, government customers, or contractual security schedules — we may tighten specific controls or pursue ISO 27001 certification when the time is right. This page will be updated when our posture materially changes.

Registered in Netherlands. For privacy-specific rights and data categories, see Privacy; for use of the platform, see Terms of use.