Your data, locked down.

All data in transit is encrypted with TLS 1.3 (HTTPS). OAuth credentials and API keys are encrypted at rest using AES-256-GCM before they ever touch disk. We never store tokens in plaintext.

Each customer organization gets its own dedicated PostgreSQL database. Your data is never co-mingled with other customers’ data — not in the same table, not in the same database, not even in the same schema.

Passwords are hashed with argon2id (the current gold standard). Sessions use short-lived JWT access tokens signed with RS256 (2048-bit RSA), paired with secure httpOnly refresh cookies. No session data is stored in localStorage.

Custom roles with per-page view/edit/none permissions let you control exactly who sees what. System default roles (Admin, RevOps Manager, Marketing Analyst, Sales Manager, Viewer) are created for every new organization.

Elir runs on dedicated hardware (not shared cloud VMs) hosted by Hetzner in Falkenstein, Germany (EU). The server is protected by a strict firewall allowing only ports 22 (SSH), 80 (HTTP redirect), and 443 (HTTPS).

Root SSH login is disabled. Password authentication is disabled — key-only access. Automatic security updates are enabled via unattended-upgrades. fail2ban protects against brute-force attacks.

Full database backups run every night at 03:00 UTC. Backups are compressed and retained for 14 days. Restore has been tested and takes under 5 minutes for the full dataset.

We don’t use Google Analytics, Facebook Pixel, Hotjar, or any other third-party tracking scripts on the application. The only cookie we set is a secure, httpOnly authentication token. The landing site sets zero cookies.