Security and trust

Security is not a feature.
It is the foundation.

Tuurio ID is built around standards-based authentication, encryption, tenant-scoped isolation, and audit-ready operations for European teams.

  • PKCE: Authorization flow
  • AES-256: Encryption
  • ISO 27001: Datacenter Frankfurt
  • SLA 99.5%: Business/Enterprise

Security architecture

Every layer is protected from infrastructure to authentication.

Infrastructure

Google Cloud in the Frankfurt region (europe-west3) with ISO 27001-certified infrastructure.

  • Google Cloud, Frankfurt region (europe-west3)
  • Cloud SQL PostgreSQL, AES-256 at rest
  • TLS 1.3, WAF, DDoS protection
  • Spring Security 7 (Kotlin)
  • Automated backups, point-in-time recovery

Authentication & authorization

OAuth 2.0 Authorization Code + PKCE with modern MFA options.

  • OAuth 2.0 Authorization Code + PKCE (S256)
  • MFA: TOTP + WebAuthn/Passkeys (FIDO2)
  • Social Login: Google, Microsoft, Apple, GitHub
  • Enterprise SSO: SAML 2.0
  • Custom permissions & roles (JWT claims)
  • Email domain restrictions

Protection measures

Redis-based rate limiting and progressive lockout on all auth endpoints.

  • Redis-based rate limiting (per endpoint)
  • Brute-force protection with progressive lockout
  • CAPTCHA triggers on suspicious activity
  • CSRF/XSS protection (Spring Security)

Audit and forensics

Tamper-proof audit logs for compliance and incident response.

  • Tamper-proof audit logs
  • 20+ event types (login, MFA, admin, token)
  • X-Correlation-ID tracing
  • Webhook notifications
  • Audit log export (CSV/JSON)

Availability

SLA-capable operation for business-critical applications.

  • Continuous uptime monitoring
  • SLA 99.5% (Business/Enterprise)
  • Automatic backups
  • Zero-downtime rollouts

Encryption & signing

AES-256 at rest, TLS 1.3 in transit, Argon2id hashing, RS256 signing.

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • Argon2id password hashing (64 MB, OWASP)
  • RS256 JWT signing, tenant-specific JWK rotation

Multi-tenant architecture

Tenant-scoped isolation in data access, configuration, and issuer handling.

Tenant isolation

Every SQL query is scoped to the tenant. Cross-tenant access is architecturally prevented.

  • DB-level isolation via Hibernate Filters
  • Every query scoped to tenant_id
  • Cross-tenant access architecturally prevented
  • All tenant data in EU (Frankfurt)

Tenant-specific configuration

Each tenant has its own subdomain, branding and cryptographic keys.

  • Dedicated subdomain per tenant
  • Tenant-specific JWK source & key rotation
  • Individual branding & config
  • Isolated permission & role model

Developer security

Secure-by-default integration for your application.

Token validation

RS256-signed JWTs with public JWKS endpoint for offline validation.

  • JWKS endpoint for cryptographic validation
  • RS256 signing algorithm
  • Configurable token lifetime & refresh
  • PKCE enforcement (no implicit flow)

Integration security

Strict validation ensures secure OAuth flows out of the box.

  • Strict redirect URI matching
  • State parameter validation
  • Standard OIDC discovery
  • No vendor lock-in (standard protocols)
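The PKCE (S256) exchange and the strict redirect URI matching listed above, as an added Python example that is not Tuurio ID's own code: it shows the client-side verifier/challenge derivation from RFC 7636 and the checks a token endpoint must perform (single-use code, exact redirect_uri match, recomputed challenge). The in-memory store class and all function names are assumptions standing in for the server's real code store.

```python
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier charset and length per RFC 7636 section 4.1
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def b64url_no_pad(data: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes encode to 43 chars, the RFC minimum."""
    return b64url_no_pad(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_pkce(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier."""
    if stored_method != "S256":            # refuse 'plain' and missing methods
        return False
    if not _VERIFIER_RE.fullmatch(verifier):
        return False
    return hmac.compare_digest(make_code_challenge(verifier), stored_challenge)

class AuthorizationCodeStore:
    """In-memory stand-in (assumption) for the server's authorization-code store."""
    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def issue(self, challenge: str, method: str, redirect_uri: str) -> str:
        """/authorize: bind the code to the challenge and the exact redirect URI."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (challenge, method, redirect_uri)
        return code

    def redeem(self, code: str, verifier: str, redirect_uri: str) -> bool:
        """/token: single-use code, exact redirect_uri match, then PKCE check."""
        entry = self._codes.pop(code, None)  # pop makes the code single-use
        if entry is None:
            return False
        challenge, method, bound_uri = entry
        if redirect_uri != bound_uri:        # strict, exact-string matching
            return False
        return verify_pkce(challenge, method, verifier)
```

A failed redemption also consumes the code, so a replayed or mismatched attempt cannot be retried with corrected parameters.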

Incident response

Transparent processes for security incidents and vulnerability reports.

Security contact & disclosure

We take security vulnerabilities seriously. Report issues responsibly.

  • Security contact: security@tuurio.com
  • Responsible disclosure policy
  • Incident response within 24 hours
  • Transparent status communication

Compliance and standards

Compliance that truly matters for European teams.

  • GDPR-ready operations (DSGVO): EU hosting, configurable data processing terms, and audit trails support GDPR-oriented operating models.
  • NIS2-oriented (Art. 21): MFA, audit logs and forensic tracing support NIS2-related evidence obligations.
  • ISO 27001 datacenter: Operation in Frankfurt am Main with certified datacenter infrastructure.
  • Merchant-of-Record model (MoR): Structured billing with tax-clean setup for international usage.

Technology standards

OAuth 2.0, OpenID Connect, WebAuthn / FIDO2, SAML 2.0, Spring Security 7, Kotlin, PostgreSQL, Redis, PKCE (S256), RS256 / JWKS, Argon2id, AES-256, TLS 1.3, REST API, Webhooks

5 languages with automatic detection

Deutsch (DE), English (EN), Français (FR), Italiano (IT), Español (ES)

Security you can trust.

PKCE, passkeys, audit-ready tracing, and EU hosting. Start with the controls you can verify.