Security & Trust

This section describes the technical and organizational measures that protect customer data in Breeze. It is intended for procurement, security, compliance, and IT teams evaluating Breeze for use in their organization, and for partners answering security questions from their own end customers.

At a glance

  • Backend — Microsoft Azure App Service (Norway East). Containerized Node.js, deployed via CI/CD.
  • Database — MongoDB Atlas cluster on Azure Norway East. 3-node replica set, encrypted at rest and in transit.
  • Frontend — Next.js application on Vercel. The frontend is a client-side rendering layer only — it does not store, persist, or proxy customer data. All reads and writes go directly from the user's browser to the Azure-hosted backend API.
  • Data residency — All customer data resides in Norway.
  • Authentication — Username/password with bcrypt hashing, multi-factor authentication, single sign-on via Microsoft Entra ID (OAuth 2.0; additional providers including SAML on request), OIDC via Signicat for national eID (Norwegian BankID, Swedish BankID, MitID), and OAuth 2.0 for machine-to-machine integrations.
  • Authorization — Role-based access control with multi-tenant isolation enforced at the API layer.
  • Encryption — TLS 1.2+ in transit; AES-256 at rest in MongoDB Atlas, Azure Blob Storage, and Atlas backups; AES-256 field-level encryption for sensitive values such as MFA codes.
  • Logging — Per-mutation audit events with full before/after state, IP, and session metadata, retained alongside the primary tenant data.

Compliance posture

Breeze's controls are aligned with ISO/IEC 27001 Annex A. Formal third-party certification is on the roadmap. Operations are conducted in accordance with the EU General Data Protection Regulation (GDPR), with all primary processing taking place inside Norway/EEA.

A Data Processing Agreement (DPA) is available. Sotera signs a DPA with each direct customer; in partner-led deployments, Sotera signs with the partner and the partner signs with the end customer.

Reporting a security issue

Please report suspected vulnerabilities or security incidents to security@sotera.no. We respond on business days and follow a coordinated-disclosure approach.