Security
Our approach
At Fotelya, security isn't an option: it's the foundation of the product. Your guests share easily, and you maintain control.
Measures in place
- Encryption of your media in transit and at rest.
- Private access: non-public galleries, accessible only via your QR or link, protected by a code (PIN), with non-guessable credentials.
- Hosting in the European Union, with no transfer outside the EU as a matter of principle.
- Automatic deletion of media after the event: your data doesn't linger indefinitely.
- Minimization: no account required for guests, removal of geolocation metadata upon upload.
- Administrator access protected by two-factor authentication.
Responsible disclosure of vulnerabilities
If you discover a security flaw, we would be grateful if you reported it responsibly and privately to security@fotelya.com before any public disclosure.
We commit to: acknowledging receipt within a reasonable timeframe, reviewing each report in good faith, fixing confirmed vulnerabilities as quickly as possible, and not pursuing legal action against researchers acting in good faith (without accessing user data, without service disruption, without extortion).
Please do not access data that does not belong to you, do not degrade the service, and allow us a reasonable timeframe to fix issues before publication.
Machine-readable information
Our security.txt file (RFC 9116) centralizes our security contact points.
Contact
Security: security@fotelya.com · General: contact@fotelya.com.