Security & compliance
Open source. European storage. No backdoors.
Our apps run inside Nextcloud — an EU-sovereign, open-source platform. We add functionality; you stay in control of your data.
What we do
- Open source under AGPL-3.0 — code openly verifiable on GitHub. No telemetry, no hidden network calls.
- EU hosting — our infrastructure runs in the Netherlands (Hetzner Falkenstein/Helsinki); your own Nextcloud instance can run anywhere.
- Nextcloud-native — uses Nextcloud's existing auth, ACL and encryption features. No second user store or separate database for most apps.
- No US cloud dependencies — no S3, no Cloudflare, no Google Fonts. Self-hosted fonts, our own DNS, our own registries.
- Code-signing — releases to the Nextcloud App Store are cryptographically signed.
Responsible disclosure
Found a vulnerability? Please report it to us privately before going public.
- Email: security@voxcloud.nl (PGP key on request)
- First response: within 2 business days
- security.txt: /.well-known/security.txt
Compliance status
VoxCloud is a small team. We grow our processes gradually around proven open-source standards:
- GDPR — as processor (your Nextcloud) and as supplier (licence server, marketing domain). DPA available.
- NIS2 / national e-government guidelines — our apps add no extra attack surface beyond Nextcloud itself; control requirements fall to your Nextcloud provider.
- ISO 27001 alignment — we are not ISO-certified (small team), but we follow the relevant controls. Nextcloud itself is ISO 27001-certified.
Architectural choices
- FormVox: all data stored in files (no separate database) — backups follow your normal Nextcloud flow.
- MetaVox: metadata stored as sidecar files (`.metavox.json`) next to your documents — no lock-in.
- RoomVox: uses Nextcloud's CalDAV server — no separate calendar infrastructure.
Questions?
For a security questionnaire or audit report: email info@voxcloud.nl.