
Security

At Shelf, we prioritize the security of your data and have implemented robust measures to protect your information.

Our Approach to Security

Security is foundational to how we build and operate Shelf. We handle asset data for teams across industries — from universities to contact centers to media production companies — and we take that responsibility seriously.

We are not yet SOC 2 or ISO 27001 certified. We are transparent about that. What we can tell you is that our infrastructure, processes, and engineering practices are closely aligned with these frameworks, and certification is on our roadmap as we scale.

If your organization requires a security review before adopting Shelf, we are happy to walk you through our practices in detail — get in touch.

Infrastructure Security

Secure Architecture

  • Cloud infrastructure hosted in the EU (Frankfurt)
  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for all data at rest
  • Server-side database connections with standard authentication protocols

Access Control

  • Single Sign-On (SSO) integration
  • Role-based access control
  • Organization-level permission management
  • User access managed through your identity provider

Compliance Alignment

We have designed our security practices to align with widely recognized compliance standards:

  • SOC 2 (Type II) — Our controls around data access, availability, and confidentiality follow SOC 2 principles. Formal certification is planned.
  • ISO 27001 — Our information security management practices are modeled after ISO 27001 requirements.
  • GDPR — Shelf infrastructure is EU-hosted (Frankfurt). We process data in accordance with GDPR principles, including data minimization, purpose limitation, and the right to erasure.

We do not yet hold formal third-party certifications for these standards. If your procurement or compliance team needs specifics, reach out to us directly — we are happy to provide detailed answers.

Monitoring & Response

We utilize automated monitoring systems to alert our team about potential security events. Our technical team is ready to investigate and respond to security concerns.

Open Source Transparency

Shelf is open source. Our codebase is publicly available on GitHub, which means our security practices are open to inspection by anyone. This level of transparency is rare in asset management software and is something we take pride in.

Data Sovereignty & Self-Hosting

Shelf gives you full control over where your data lives:

  • Self-host anywhere — Deploy Shelf on your own infrastructure using Docker and Supabase. Your data never leaves your network.
  • EU-hosted cloud — Our managed cloud runs in Frankfurt (EU), with data residency guarantees.
  • Open source codebase — Audit every line of code. No vendor lock-in, no black boxes.
  • SSO integration — SAML 2.0 and SCIM support for enterprise identity management.

For organizations with strict data compliance requirements, self-hosting Shelf means zero third-party data exposure. Learn more about self-hosting →

Reporting Security Issues

If you discover a potential security vulnerability, please contact us immediately: nikolay@shelf.nu

Questions?

For detailed security information, compliance questionnaires, or specific questions from your IT or procurement team — contact us or email nikolay@shelf.nu. We typically respond within the same business day.