Ruum
SolutionsProductPricingDemo
Log inTry Ruum
Back to home

Security Policy

Version 1.0 · Last updated: 21 June 2026

On this page
  • 1. Principles
  • 2. Encryption and credentials
  • 3. Access control
  • 4. Infrastructure and hosting
  • 5. Logging and monitoring
  • 6. Backups
  • 7. Incident and breach management
  • 8. Responsible disclosure of vulnerabilities
  • 9. Limitations

This Policy summarises the technical and organisational measures that Ruum applies to protect information. It complements the Privacy Policy.

Table of contents

  1. Principles
  2. Encryption and credentials
  3. Access control
  4. Infrastructure and hosting
  5. Logging and monitoring
  6. Backups
  7. Incident and breach management
  8. Responsible disclosure of vulnerabilities
  9. Limitations

1. Principles

Ruum applies measures that are reasonable and proportionate to the nature of the Service to protect the confidentiality, integrity and availability of information, following a continuous-improvement approach.

2. Encryption and credentials

  • Passwords are always stored encrypted using hash functions (bcrypt), never in plain text.
  • One-time codes (OTP) and device fingerprints are stored encrypted using hashing.
  • Communications with the Service take place encrypted in transit (HTTPS/TLS).

3. Access control

  • Token-based authentication (JWT) and session management.
  • A trusted devices mechanism and an audit log of access events (OTP).
  • Roles and permissions per user, company and project, which limit access to information according to each person's role.

4. Infrastructure and hosting

  • Frontend: Vercel. Backend: Render. Database: Neon.
  • Ruum prioritises hosting in the European Union (mainly Frankfurt where possible).
  • Infrastructure providers apply their own professional-grade security measures.

5. Logging and monitoring

  • Logging of business events and errors for diagnostics and security.
  • Error monitoring via Sentry and product usage analytics via PostHog, in accordance with the Cookie Policy.

6. Backups

  • Periodic database backups are performed, with limited retention and rotation.

7. Incident and breach management

  • In the event of a personal data security breach that poses a risk to people's rights, Ruum will notify the competent supervisory authority (AEPD) without undue delay and, where feasible, within a maximum of 72 hours of becoming aware of it, and the affected individuals where the risk is high, in accordance with Articles 33 and 34 of the GDPR.

8. Responsible disclosure of vulnerabilities

If you detect a security vulnerability, report it responsibly to security@ruum.es. We ask that you do not disclose it publicly until we have been able to analyse and fix it.

9. Limitations

No security measure is infallible. Ruum cannot guarantee absolute security, but undertakes to maintain and improve reasonable measures in line with the state of the art and the risks of the processing.

On this page

  • 1. Principles
  • 2. Encryption and credentials
  • 3. Access control
  • 4. Infrastructure and hosting
  • 5. Logging and monitoring
  • 6. Backups
  • 7. Incident and breach management
  • 8. Responsible disclosure of vulnerabilities
  • 9. Limitations
Ruum

One workspace for your construction projects — budgets, projects and client communication, finally in one place.

Product
SolutionsProductPricingDemo
Legal
Legal NoticePrivacy PolicyCookie PolicyTerms and Conditions of UseAll legal documents
Company
Log inTry Ruum
Contact
info@ruum.es+34 634 630 020Burgos, Spain
© 2026 Ruum. All rights reserved.
Privacy PolicyTermsCookies