Security at nueprice

Cloud customers receive a dedicated, physically separate server in Germany. This page describes the concrete security controls for tenant separation, access, monitoring, backups, vulnerability management, development, and updates.

7 Controls

  • Dedicated physically separate server per customer
  • Hosted in Germany
  • SAML2 SSO available
  • Roles, policies, and API tokens
  • Security monitoring with MITRE ATT&CK mapping
  • Encrypted backups with restore validation
  • SBOM and vulnerability management

Overview

Security controls at a glance

This overview summarizes the key safeguards across product, operations, and development processes. Detailed evidence can be provided as part of your security or data protection review.

Hosting & location

Cloud systems operated by nueprice run in Germany with a German infrastructure operator. The German locations we use are ISO/IEC 27001:2022 certified.

Physical tenant separation

Each cloud customer receives a dedicated, physically separate server. Application, database, cache, sessions, persistence, and network segments are also separated per customer environment.

Identity & permissions

nueprice supports SAML2 SSO or password login, uses role-based permissions, and provides revocable API tokens.

Detection & transparency

Security, system, and availability events come together in a central overview: log alerts, CVE overview, server availability, file integrity checks, system inventory, and container events.

Backups & recovery

The backup process creates temporary database dumps, stores encrypted and deduplicated snapshots in separate repositories, and provides dry-run and configuration checks for operational validation.

Vulnerability management

Dependencies remain traceable through lockfiles and an SBOM. Automated vulnerability alerts and a public disclosure policy give structure to review and reporting.

Architecture

Tenant separation and data flow

nueprice runs as a containerized web application. Separation does not start in database logic; it starts with a dedicated, physically separate server per customer.

Customer instance

Each managed customer environment runs on a dedicated, physically separate server and receives its own application instance with dedicated services.

  • Dedicated physically separate server per customer
  • Dedicated application runtime per instance
  • Dedicated database per instance
  • Dedicated cache, queue, and session services
  • Separate network segments for application and reverse proxy

Network & TLS

Public access is routed through a reverse proxy and HTTPS; internal services are not directly public.

  • Automated TLS certificates
  • HTTP redirects to HTTPS
  • Reverse proxy and application set security headers
  • Host firewall restricted to required services

Data storage

Persistent data is stored in database and application volumes; files are stored privately.

  • Private file uploads with accepted MIME types and size limits
  • Encrypted storage of application secrets
  • Customer and environment data is not stored in public buckets
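The upload controls listed above (accepted MIME types, size limits, private storage), shown as an added example that is not nueprice's own code. The allow-list, the size limit and the storage directory are assumed values; the point demonstrated is that the file type is derived from the file's leading bytes and must agree with the client-declared type, and that the stored name never reuses the client's filename.

```python
"""Private upload validation: size limit, MIME allow-list checked against the
content, and a content-addressed storage name. Added example, not nueprice's
code; ACCEPTED_MIME, MAX_UPLOAD_BYTES and PRIVATE_UPLOAD_DIR are assumptions."""
from __future__ import annotations

import hashlib
import os

ACCEPTED_MIME = {"image/png", "image/jpeg", "application/pdf", "text/csv"}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024          # assumed limit
PRIVATE_UPLOAD_DIR = "uploads/private"       # assumed path outside the web root

# Leading-byte signatures used to sniff the real type.
_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
)
_EXTENSION = {"image/png": "png", "image/jpeg": "jpg",
              "application/pdf": "pdf", "text/csv": "csv"}


class UploadRejected(ValueError):
    """Raised with a reason the caller can log; the upload is discarded."""


def sniff_mime(data: bytes) -> str:
    """Classify by content. Anything unrecognised becomes octet-stream,
    which is never on the allow-list."""
    for signature, mime in _MAGIC:
        if data.startswith(signature):
            return mime
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    lines = text.splitlines()
    if lines and "," in lines[0] and all(
            ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "text/csv"
    return "application/octet-stream"


def validate_upload(data: bytes, declared_mime: str) -> str:
    """Return the accepted MIME type, or raise UploadRejected."""
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected(f"{len(data)} bytes exceeds the upload limit")
    actual = sniff_mime(data)
    if actual not in ACCEPTED_MIME:
        raise UploadRejected(f"type {actual} is not accepted")
    # The client's Content-Type (possibly with parameters) must match reality.
    if declared_mime.split(";")[0].strip().lower() != actual:
        raise UploadRejected("declared type does not match content")
    return actual


def storage_path(data: bytes, mime: str) -> str:
    """Content-addressed name under the private directory: no user-supplied
    filename, so no path traversal and no attacker-chosen extension."""
    digest = hashlib.sha256(data).hexdigest()
    return os.path.join(PRIVATE_UPLOAD_DIR, f"{digest}.{_EXTENSION[mime]}")
```

The CSV heuristic is deliberately simple; a real deployment would parse the rows it intends to import rather than accept any delimited text, and would serve stored files through the application with an authorization check rather than from a public directory.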

Access

Identity, roles, and API access

Product security follows least privilege: users receive roles, roles contain concrete permissions, and critical actions are checked through policies.

SSO or password login

nueprice can connect to a SAML2 identity provider. With SSO, your IdP can enforce MFA, password rules, and joiner-mover-leaver processes. Password authentication with secure password rules is also available.

Granular roles

Permissions cover items, prices, scenarios, exports, publishing, settings, users, roles, secrets, price lists, and module-specific capabilities.

API tokens

API access uses personal tokens. Tokens are named per user, can be revoked, and show their last-used timestamp.
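The access model of this section (users hold roles, roles contain concrete permissions, critical actions get a policy check, API tokens are personal, revocable and record their last use), worked through as an added example. This is illustrative code, not nueprice's implementation: the role names, permission strings, the four-eyes rule inside the publish policy and the token hashing scheme are all assumptions.

```python
"""Roles, permissions, policies and personal API tokens. Added example, not
nueprice's code; every name below is an assumption chosen for illustration."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical permission strings grouped into roles.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "analyst": frozenset({"items.view", "prices.view", "scenarios.edit"}),
    "publisher": frozenset({"items.view", "prices.view", "scenarios.edit",
                            "scenarios.publish"}),
    "admin": frozenset({"items.view", "users.manage", "roles.manage",
                        "secrets.manage"}),
}


@dataclass
class User:
    name: str
    roles: set[str]

    def permissions(self) -> frozenset[str]:
        """Effective permissions are the union over the user's roles."""
        perms: set[str] = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(perms)


@dataclass
class Scenario:
    owner: str
    published: bool = False


def has_permission(user: User, permission: str) -> bool:
    return permission in user.permissions()


def can_publish(user: User, scenario: Scenario) -> bool:
    """Policy for a critical action. Holding the permission is necessary but
    not sufficient: published scenarios are immutable, and (assumed four-eyes
    rule) the publisher must not be the scenario's own author."""
    if not has_permission(user, "scenarios.publish"):
        return False
    if scenario.published:
        return False
    return scenario.owner != user.name


@dataclass
class ApiToken:
    user: str
    label: str               # tokens are named per user
    created_at: datetime
    last_used_at: datetime | None = None
    revoked: bool = False


class TokenStore:
    """Keeps only SHA-256 hashes of tokens; the plaintext is returned once."""

    def __init__(self) -> None:
        self._by_hash: dict[str, ApiToken] = {}

    @staticmethod
    def _hash(plain: str) -> str:
        return hashlib.sha256(plain.encode()).hexdigest()

    def issue(self, user: str, label: str) -> str:
        plain = secrets.token_urlsafe(32)
        self._by_hash[self._hash(plain)] = ApiToken(
            user, label, datetime.now(timezone.utc))
        return plain

    def revoke(self, user: str, label: str) -> bool:
        for tok in self._by_hash.values():
            if tok.user == user and tok.label == label and not tok.revoked:
                tok.revoked = True
                return True
        return False

    def authenticate(self, plain: str) -> str | None:
        """Return the owning user for a live token, else None. A successful
        call stamps last_used_at so idle tokens can be spotted and revoked."""
        tok = self._by_hash.get(self._hash(plain))
        if tok is None or tok.revoked:
            return None
        tok.last_used_at = datetime.now(timezone.utc)
        return tok.user

    def last_used(self, user: str, label: str) -> datetime | None:
        for tok in self._by_hash.values():
            if tok.user == user and tok.label == label:
                return tok.last_used_at
        return None
```

Storing only a hash means a leaked token table does not yield usable credentials, and recording the last use gives administrators the signal they need to revoke tokens that are no longer in use.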

Operations

Hardening, monitoring, and recovery

Infrastructure is managed as code, keeping server roles, containers, firewalls, monitoring agents, and operational services reproducible.

Provisioning & hardening

Servers are configured through a standardized provisioning and hardening process. Firewall, runtime, logging, and operational services are configured reproducibly.

  • SSH access via managed keys
  • Firewall rules for required ports
  • Daily updates of server and container components
  • Central container logging
  • Container deployment with health checks and non-root application runtime

Central security and availability monitoring

Security, system, and availability events are brought together and analyzed centrally so IT teams can see server access, log alerts, CVEs, server availability, and suspicious behavior patterns in one interface.

  • Single-pane overview for server, container, and security events
  • Server availability monitoring; responsible staff are notified immediately during outages
  • CVE overview for installed packages and operating systems
  • Alerts based on journald, auditd, and application logs
  • Traceability of administrative access and IT personnel activity on servers
  • Threat identification mapped to MITRE ATT&CK patterns
  • File integrity monitoring and system inventory for critical system paths

Backups & restore

For managed environments, the concrete backup profile is defined in the operating concept. Backups are stored as encrypted, deduplicated snapshots in separate repositories.

  • Encrypted, deduplicated backup snapshots in separate repositories
  • Schedulable backups up to six times per day
  • Configurable retention policies with windows up to five years
  • Database dumps are created temporarily for the backup run and removed afterwards
  • Dry-run and configuration checks are available for operational validation

Product controls

Traceability in the pricing process

nueprice protects more than infrastructure. The product itself prevents uncontrolled price changes and makes decisions traceable.

Four-eyes principle

Scenario and price approvals can be escalated to reviewers based on revenue, price, and margin criteria.

History and accountability

Price, scenario, and master data changes store creator, editor, review status, and timestamps.

Immutable publications

Published scenarios are protected against later editing; changes are made through new scenarios or new prices.

SBOM, vulnerability alerts, and version

Administrators can view the nueprice version and download a CycloneDX Software Bill of Materials for application and frontend dependencies. Automated alerts for known vulnerabilities in used dependencies are reviewed, prioritized, and incorporated into the update process.

Security FAQ

Answers to common review questions

Where is data hosted?

Cloud systems operated by nueprice are hosted in Germany with a German infrastructure operator. For on-premise installations, the respective customer environment requirements apply.

Is nueprice ISO 27001 certified?

The German data center locations used by the infrastructure operator are ISO/IEC 27001:2022 certified. This is an infrastructure certification, not a separate ISO certification of nueprice GmbH.

Which encryption is used?

Transport encryption uses HTTPS/TLS. Backups are stored encrypted. Application secrets are stored encrypted.

How does tenant separation work?

Each customer receives a dedicated, physically separate server. On that basis, managed customer environments use separated application, database, cache, and session services as well as separate network segments. Separation is therefore physical and architectural, not only logical table-level separation.

Which authentication and MFA options exist?

nueprice supports SAML2 SSO and password login. With SAML2, your identity provider controls policies such as MFA, conditional access, and account lifecycle.

How are vulnerabilities handled?

Security reports can be sent to security@nueprice.com. We usually acknowledge reports within 5 business days and, where possible, provide an initial assessment within another 10 business days.

How do you handle dependency vulnerabilities?

We keep dependencies traceable through lockfiles, provide an SBOM, and review automated alerts for known CVEs in used dependencies. Critical and high findings are prioritized, tested, and shipped as security updates; lower-risk findings flow into regular maintenance updates.
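The SBOM-driven review described in the "SBOM, vulnerability alerts, and version" section and in this FAQ answer, as an added example that is not nueprice's tooling: load a CycloneDX JSON export, match its components by package URL against a list of advisories, and route findings the way the page describes, critical and high into a security update and lower-risk findings into regular maintenance. The SBOM document and the advisory list are constructed for the example, and the advisory identifiers are placeholders, not real CVE numbers.

```python
"""CycloneDX SBOM matching and triage. Added example, not nueprice's code.
SBOM_JSON and ADVISORIES are constructed sample data; ADVISORY-PLACEHOLDER-*
are placeholder ids, not real CVEs."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed minimal CycloneDX 1.5 document.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:pypi/example-http@2.4.1"},
    {"type": "library", "name": "example-json", "version": "1.0.3",
     "purl": "pkg:npm/example-json@1.0.3"},
    {"type": "library", "name": "example-crypto", "version": "3.2.0",
     "purl": "pkg:pypi/example-crypto@3.2.0?platform=linux"}
  ]
}"""


@dataclass(frozen=True)
class Advisory:
    package: str     # purl without version
    fixed_in: str    # first version that is no longer affected
    severity: str    # critical / high / medium / low
    ident: str       # placeholder identifier


# Constructed advisory feed.
ADVISORIES = [
    Advisory("pkg:pypi/example-http", "2.5.0", "critical", "ADVISORY-PLACEHOLDER-1"),
    Advisory("pkg:npm/example-json", "1.0.2", "low", "ADVISORY-PLACEHOLDER-2"),
    Advisory("pkg:pypi/example-crypto", "3.3.0", "medium", "ADVISORY-PLACEHOLDER-3"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric dotted versions only; production tooling should use a
    PEP 440 or semver-aware comparison instead."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json: str) -> list[tuple[str, str]]:
    """Return (package purl, version) pairs for every pinned component."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in doc.get("components", []):
        purl = comp.get("purl", "").split("?", 1)[0]   # drop qualifiers
        if "@" not in purl:
            continue  # unpinned component cannot be matched against a range
        package, version = purl.rsplit("@", 1)
        components.append((package, version))
    return components


@dataclass(frozen=True)
class Finding:
    advisory: Advisory
    installed: str


def find_findings(components: list[tuple[str, str]],
                  advisories: list[Advisory]) -> list[Finding]:
    """A component is affected when its version is below the fixed version."""
    findings = []
    for package, version in components:
        for adv in advisories:
            if (adv.package == package
                    and parse_version(version) < parse_version(adv.fixed_in)):
                findings.append(Finding(adv, version))
    findings.sort(key=lambda f: SEVERITY_RANK[f.advisory.severity])
    return findings


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Critical and high go into a security update; the rest into the
    regular maintenance cycle, as the FAQ above describes."""
    buckets: dict[str, list[Finding]] = {"security_update": [], "maintenance": []}
    for finding in findings:
        key = ("security_update"
               if finding.advisory.severity in ("critical", "high")
               else "maintenance")
        buckets[key].append(finding)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(find_findings(load_components(SBOM_JSON), ADVISORIES)).items():
        print(bucket, [(f.advisory.ident, f.installed, f.advisory.fixed_in) for f in items])
```

Matching on the package URL rather than on the bare component name avoids false matches between ecosystems (a PyPI and an npm package can share a name), and dropping unpinned components rather than guessing keeps the result honest: an SBOM entry without a version is itself a finding for the maintainer, not something to silently score.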

Which evidence can you provide?

Depending on the review context, we can provide architecture information, the Vulnerability Disclosure Policy, SBOM/CycloneDX export, infrastructure certification references, and customer-specific operating information.

How are AI features secured?

The AI assistant is optional and only available when a provider key is configured. Conversations are stored per user and can be deleted by users. Use of external AI providers is aligned with the customer-specific setup.

Reports

Report a vulnerability

If you discover a potential vulnerability, please report it responsibly. Use only your own data or test accounts and avoid tests that affect availability, integrity, or confidentiality.