Skip to content

Security

Last updated: February 2026

Setso handles sensitive production data — crew contact details, shooting locations, daily schedules, and sustainability metrics. We take that responsibility seriously.

1. Infrastructure

Setso runs on EU-based cloud infrastructure ([provider, region]). All data is stored within the European Union.

  • Encryption in transit — All connections are encrypted using TLS 1.2 or higher. Every page, every API call, every notification — HTTPS everywhere.
  • Encryption at rest — Database storage and file uploads are encrypted using AES-256.
  • Backups — Automated daily backups with point-in-time recovery, stored within the EU. Tested regularly.

2. Access Control

  • Role-based access — Producers, ADs, department heads, cast, and crew each see only what's relevant to their role. A camera operator doesn't see the full crew list. An actor doesn't see the shooting schedule.
  • Admin controls — Production administrators manage who has access to what. Permissions can be adjusted or revoked at any time.
  • Authentication — Passwords are hashed using industry-standard algorithms. Sessions are managed securely with automatic expiry.

3. Development Practices

  • All code changes are reviewed before deployment
  • Dependencies are monitored for known security vulnerabilities
  • Staging and production environments are fully separated
  • We conduct regular security assessments and address findings promptly

4. Incident Response

We have a documented incident response plan. In the event of a data breach that affects your personal data, we will:

  1. Contain the breach and assess its scope
  2. Notify affected users within 72 hours
  3. Report to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) as required by GDPR
  4. Provide clear guidance on any steps you should take

5. Data Ownership & Portability

Your data is yours. You can export it at any time through the Setso app in standard formats. If you close your account, your data is permanently deleted after a 30-day grace period. See our Privacy Policy for full details on data retention.

6. Responsible Disclosure

If you discover a security vulnerability in Setso, we'd appreciate your help in disclosing it responsibly. Please report it to security@setso.com with as much detail as possible. We commit to:

  • Acknowledging your report within 48 hours
  • Working with you to understand and resolve the issue
  • Not pursuing legal action against good-faith security researchers

7. Contact

Questions about our security practices? Contact security@setso.com