The technical and organisational measures behind Focoose — Art. 32 GDPR, in plain language.
Last updated: 14 July 2026
This page describes what actually protects your data — including the limits. Focoose is run by a very small operation on its own hardware, and we would rather you know precisely what that means than read a page of borrowed enterprise vocabulary. What is written here is true; what is not here, we do not claim.
Your browser talks to Focoose over TLS (HTTPS), terminated by Cloudflare. From Cloudflare to our server, traffic travels through an encrypted Cloudflare Tunnel — the server accepts no inbound connections from the internet at all.
The consequence, stated rather than hidden: Cloudflare terminates TLS, so it can see traffic in the clear as it passes. The privacy policy covers what that means and the safeguard it rests on.
Mail we fetch from and send through your own mail provider uses the encryption your provider supports (IMAP/SMTP over TLS).
Your mailbox password, message bodies and attachments are encrypted with AES-256-GCM. The keys live in the server environment, not in the database — a copy of the database alone cannot read your mail.
What is not encrypted at rest, and why: subject lines, sender and recipient addresses (search and the Screener read them in the database), and your boards and focus points (protected by access controls — the database accepts connections only from the application, on a private network, on a machine only we can reach). Focoose is also not end-to-end encrypted, deliberately: the Screener and reminders require the server to read your mail. Weigh that before connecting a mailbox holding highly sensitive correspondence.
There are no passwords. You sign in with a one-time link that expires after 30 minutes, so there is no password database to steal, crack or reuse. Sessions ride in signed, HTTP-only cookies. The snooze links in reminder emails are signed too — one cannot be edited into acting on someone else's data.
The database is backed up nightly, and backups are kept for 30 days. Each backup is verified by actually restoring it — a backup nobody has restored is a rumour, not a safeguard.
The operator named in the Impressum, and nobody else. There are no employees, no contractors with production access, and no third parties beyond the ones listed in the privacy policy. Production access happens for operating the service — deploys, backups, debugging a fault you report — not for reading content.
If a breach puts your data at risk, we notify the supervisory authority within 72 hours (Art. 33 GDPR) and tell affected users directly and without undue delay (Art. 34) — what happened, what was affected, and what we are doing about it. You will hear it from us, not from the news.
Focoose runs on our own single server, not in a redundant data centre. That is why the Terms promise no SLA. We hold no SOC 2 report and no ISO 27001 certificate — at our size those would measure paperwork, not security. If your organisation needs a data processing agreement (Auftragsverarbeitungsvertrag, Art. 28 GDPR), email id@werkkasten.com — this page doubles as the plain-language version of its technical annex.