1. Infrastructure and hosting
The InnoMotus website and marketing infrastructure is hosted on servers located within the European Union. We do not use US-based cloud providers for any processing of personal data submitted through this website.
Our stack runs on self-managed Docker containers behind an nginx reverse proxy with TLS termination. The production environment is isolated from development environments. Container images are built from minimal, audited base images (nginx-alpine).
Specific hosting provider details are available to prospective customers and partners on request — contact security@innomotus.eu.
2. Encryption and transport security
All connections to InnoMotus properties are encrypted using TLS. We enforce the following security headers on every response:
- Strict-Transport-Security — HSTS with a 12-month max-age, includeSubDomains, and preload. Downgrades to HTTP are refused.
- Content-Security-Policy — restricts script, style, font and image sources to our own origin. No third-party scripts load without explicit policy.
- X-Frame-Options: DENY — prevents clickjacking via iframe embedding.
- X-Content-Type-Options: nosniff — prevents MIME-type sniffing.
- Referrer-Policy: strict-origin-when-cross-origin — limits referrer data leakage.
- Permissions-Policy — disables geolocation, microphone, camera and payment APIs.
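A reviewer can check a captured response against the header list above. The sketch below is an added example, not InnoMotus's own code. It assumes "12-month" means 31536000 seconds and that "own origin" means a CSP source list of `'self'` or `'none'`; the sample responses are constructed.

```python
import re

HSTS_MIN_AGE = 365 * 24 * 3600  # assumption: "12-month" read as 365 days
CSP_FETCH = ("script-src", "style-src", "font-src", "img-src")
DISABLED_FEATURES = ("geolocation", "microphone", "camera", "payment")
EXACT = {"x-frame-options": "deny", "x-content-type-options": "nosniff",
         "referrer-policy": "strict-origin-when-cross-origin"}

def audit_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in raw.items()}
    findings = []
    # HSTS: max-age plus both flags; directive names are case-insensitive.
    hsts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    age = next((int(p[8:]) for p in hsts if re.fullmatch(r"max-age=\d+", p)), 0)
    if age < HSTS_MIN_AGE:
        findings.append("hsts: max-age below 12 months")
    for flag in ("includesubdomains", "preload"):
        if flag not in hsts:
            findings.append(f"hsts: missing {flag}")
    # CSP: a fetch directive that is absent falls back to default-src.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    for d in CSP_FETCH:
        sources = csp.get(d, csp.get("default-src"))
        if sources is None or not set(sources) <= {"'self'", "'none'"}:
            findings.append(f"csp: {d} not limited to own origin")
    for name, want in EXACT.items():
        if h.get(name, "").lower() != want:
            findings.append(f"{name}: expected {want}")
    # Permissions-Policy: a feature is disabled by an empty allowlist, "()".
    pp = dict(re.findall(r"([a-z-]+)=(\([^)]*\)|\*|self)", h.get("permissions-policy", "")))
    for feat in DISABLED_FEATURES:
        if pp.get(feat) != "()":
            findings.append(f"permissions-policy: {feat} not disabled")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; img-src 'self'",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(), payment=()",
}
WEAK = {**GOOD, "Strict-Transport-Security": "max-age=86400",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
        "Permissions-Policy": "geolocation=(), camera=(self)"}
```

`audit_headers(GOOD)` returns an empty list, while `audit_headers(WEAK)` reports the short HSTS lifetime, the missing HSTS flags, the third-party script source and the three features left enabled.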
Static assets (fonts, images, CSS) are served with long-duration cache headers and immutable directives. All font and image files are self-hosted — no external CDN requests are made that would leak visitor IP addresses to third parties.
3. Sub-processors
The following sub-processors may handle personal data in connection with the InnoMotus website and products. We maintain data processing agreements with each where required under GDPR Art. 28.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| EU-based server hosting provider | Website and infrastructure hosting | EU (Germany) | EU-based; no international transfer |
| Tink AB (Banklify only) | PSD2 open banking connectivity: bank account data for Banklify subscribers | EU (Sweden); regulated under PSD2 | EU-based; Tink is an EBA-licensed AISP/PISP. Tink's own DPA and security posture apply to bank-account data (see the Tink legal centre). |
| Form processor (contact form) | Receiving and forwarding contact form submissions | EU or US (provider-dependent) | SCCs where outside EEA; submissions are routed to hello@innomotus.eu and not retained by the processor beyond delivery |
This list is kept under review as the product portfolio grows. The most current version is available on request via privacy@innomotus.eu.
4. Cookies and tracking
This website sets only strictly necessary cookies — specifically, a single cookie that stores your consent preference. No analytics cookies, advertising cookies, or third-party tracking scripts are loaded.
We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any equivalent tracking technology. No data is sent to advertising platforms.
Full details: Cookie Policy
5. Data you submit through this website
When you use the contact form on this site, we collect your name, work email, company, role, and the message you submit. This data is:
- Transmitted over TLS to our form processor and forwarded to hello@innomotus.eu.
- Used solely to respond to your enquiry.
- Retained for up to 24 months from last contact, then deleted.
- Not sold, shared with advertising platforms, or used for any purpose other than responding to your enquiry.
To request deletion of your data, email privacy@innomotus.eu with the subject line "Data deletion request". We will action it within one month and confirm in writing.
6. GDPR and data protection contacts
The data controller is Camel Thorn Capital B.V. (KvK 97690481), trading as InnoMotus Technologies, Ankerkade 61, 2102 LP Heemstede, Netherlands.
For all data protection matters — subject access requests, deletion requests, complaints, or DPA queries — contact: privacy@innomotus.eu.
We have assessed that the appointment of a Data Protection Officer is not currently required under Art. 37 GDPR given the nature and scale of our processing. This assessment is reviewed annually.
You have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens.
7. Incident response
In the event of a personal data breach, our procedure is:
- Detection and containment: Affected systems are isolated. The scope and nature of the breach are assessed.
- Notification to the supervisory authority: Where required under Art. 33 GDPR, we notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware.
- Notification to affected individuals: Where a breach is likely to result in high risk to individuals, we notify them without undue delay under Art. 34 GDPR.
- Post-incident review: Root cause analysis and remediation steps are documented.
To report a suspected security incident or vulnerability: security@innomotus.eu. Our responsible disclosure policy is published at /.well-known/security.txt.
8. Access controls and internal practices
Access to production systems is restricted to authorised personnel only, using key-based authentication. Passwords are never stored in plaintext. Production and development environments are separated. Dependencies are reviewed on an ongoing basis for known vulnerabilities.
We do not store or log personal data submitted through the contact form beyond what is necessary for delivery to the intended recipient.
9. Security roadmap
The following items are on our security roadmap and will be implemented as the business scales:
- Formal penetration test by an accredited third party
- SOC 2 Type II assessment
- ISO 27001 certification
- Formal vulnerability management programme
- Customer-facing trust portal with real-time uptime and incident history
We believe in being honest about where we are in this journey rather than overstating our current posture. If you have specific security requirements for a procurement decision, contact us — we will answer directly.
10. Contact
Security matters: security@innomotus.eu
Privacy and data protection: privacy@innomotus.eu
General: hello@innomotus.eu