Security isn't an afterthought at Shodaku. Every feature is built with privacy controls, audit trails, and compliance requirements in mind from day one.
Core security pillars that protect your data at every layer.
TLS encryption for all data in transit. Credentials encrypted at rest. Served from Cloudflare's global edge network with built-in DDoS protection.
Passwordless magic link authentication. No passwords to steal or leak. Tokens are SHA-256 hashed, one-time use, and expire after 15 minutes. Rate-limited to prevent abuse.
Role-based access with admin and member roles. Session management with device visibility and one-click revocation. Automatic 30-day session expiry.
Built-in controls that give you and your users full visibility and control over personal data.
Every action is tracked with actor, IP address, and timestamp. Queryable and filterable by org admins. Retained for 2 years. Fire-and-forget design ensures logging never blocks operations.
Self-service JSON export of your profile, requests, decisions, and audit logs. Available directly from your account settings. Exports are available for download for 7 days.
Tokenized deletion flow via email confirmation. Cascading removal of all personal data including requests, decisions, and org memberships. Immediate and irreversible.
View all active sessions with IP address, device info, and login time. Revoke all other sessions with one click. Sessions expire automatically after 30 days.
Scheduled jobs automatically purge expired authentication tokens, old data exports, and audit logs past the 2-year retention period. No manual intervention required.
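The magic-link token handling (SHA-256 hashed, one-time use, 15-minute expiry) and the scheduled purge of expired authentication tokens described above, sketched as an added example. This is not Shodaku's code: the `MagicLinkStore` class, its in-memory dict, and the injectable clock are assumptions for illustration, and rate limiting is left out.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # 15-minute expiry, the figure stated on the page


class MagicLinkStore:
    """Hypothetical in-memory stand-in for a token table (a real service would use a database)."""

    def __init__(self, clock=time.time):
        self._rows = {}      # sha256(token) hex -> {"email", "expires_at", "used"}
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "email": email,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # goes only into the emailed link; only the hash is stored

    def redeem(self, token: str):
        """Return the email for a valid token, or None. A token succeeds at most once."""
        row = self._rows.get(self._digest(token))
        if row is None or row["used"] or self._clock() >= row["expires_at"]:
            return None
        row["used"] = True  # one-time use: burn the token before a session is created
        return row["email"]

    def purge_expired(self) -> int:
        """Body of the scheduled cleanup job: drop used and expired rows."""
        now = self._clock()
        stale = [h for h, r in self._rows.items() if r["used"] or now >= r["expires_at"]]
        for h in stale:
            del self._rows[h]
        return len(stale)
```

Because only the digest is stored, a leaked copy of the token table does not yield usable login links.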
How Shodaku's built-in controls map to GDPR and APPI requirements.
| Framework | Area | How Shodaku addresses it |
|---|---|---|
| GDPR Art. 15 | Right of access | Self-service data export in JSON format |
| GDPR Art. 17 | Right to erasure | Account deletion with cascading data removal |
| GDPR Art. 20 | Data portability | JSON export of all personal data |
| GDPR Art. 25 | Privacy by design | Passwordless auth, minimal data collection |
| GDPR Art. 28 | Processors | Subprocessor list with DPA commitments |
| GDPR Art. 32 | Security | Encryption, access controls, audit logging |
| APPI Art. 23 | Security measures | Audit logs, session management, encryption |
| APPI Art. 33 | Disclosure | Self-service data export |
Built on trusted, enterprise-grade infrastructure providers.
Global edge hosting with built-in DDoS protection
Managed database on Cloudflare's network
Transactional email delivery
X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy, Permissions-Policy (camera, microphone, geolocation disabled)
Your data is stored on Cloudflare's global edge network, with primary infrastructure in the United States. See our Subprocessors page for full details.
Yes. You can export all your personal data — profile, requests, decisions, and audit logs — as a JSON file directly from your account settings. No need to contact support.
All your personal data is deleted immediately in a cascade, including requests, decisions, and organization memberships. The deletion is confirmed via a tokenized email link for security.
There are no passwords. Shodaku uses magic link authentication exclusively. This eliminates an entire class of security risks including credential stuffing, password reuse, and phishing for credentials.
Audit logs are retained for 2 years. After the retention period, they are automatically purged by a scheduled cleanup job.
We're happy to discuss our security practices, provide documentation for enterprise reviews, or answer any questions about how we protect your data.