Security & Compliance

How FreeMaint handles your data, your audits and your safety standards

FreeMaint is a free CMMS hosted in the European Union and built on a strict multi-tenant architecture. This page summarizes our compliance posture (GDPR, HIPAA-ready, OSHA, ISO), our security controls and the data-residency options available across tiers.

Compliance posture

FreeMaint operates against four families of standards. None of them require any additional configuration on Core (free forever) — they are baked into the product.

  • GDPR / RGPD (EU 2016/679). Production data hosted in France (OVHcloud GRA), self-service erasure at /delete-account, 30-day retention on server error logs (Bugsink), Data Processing Agreement available on paid tiers.
  • HIPAA-ready (45 CFR §164.312). Per-user access control, immutable audit logs on every work-order and asset event, e-signature on completion, encryption at rest and in transit, Business Associate Agreement available on Enterprise ($299/mo flat).
  • OSHA 29 CFR 1910.147 + EN ISO 14118. The LOTO (Lockout/Tagout) module enforces standard-aligned consignation: a locked asset cannot be cleared for completion until the matching unlock event is recorded by an authorized user. Lock type, padlock number, applier and timestamps are part of the immutable audit trail.
  • ISO 55000 family. Asset criticality, lifecycle cost, MTBF, planned-vs-unplanned ratio reports exportable as PDF/CSV/JSON starting on Business ($99/mo flat).

Security controls

  • Encryption

    TLS 1.3 in transit, AES-256 at rest on the managed PostgreSQL instance and the Object Storage bucket holding attachments.

  • Multi-tenancy

    Every entity carries a companyId, every query filters on it inside an authentication-enforcing interceptor. No shared resource between tenants.

  • Authentication

    bcrypt password hashing (cost 12), 2-hour JWT, httpOnly refresh cookie, Google & Apple SSO, SAML SSO on Enterprise.

  • RBAC

    Permission-based, not role-name-based. Each company can edit its roles and create custom ones. Multi-role assignment per user, scope filters (ALL / ASSIGNED / TEAM).

  • Rate limiting

    Per-IP and per-token quotas on REST and GraphQL endpoints. SSH brute-force protection via Fail2ban (3 attempts, 24-hour ban) at the infrastructure layer.

  • Error monitoring

    Self-hosted Sentry-compatible error tracker (Bugsink), 30-day retention. Logs strip the fields password, token, authorization and cookie before forwarding.

  • Backups

    Daily encrypted PostgreSQL backups via pgbackweb. Cross-region replication on the Enterprise tier.

  • Vulnerability scanning

    Daily Docker image CVE scanning via Trivy. Dependency vulnerability monitoring via GitHub Dependabot.

  • Incident response

    As your data processor, we notify affected customers without undue delay and within 72 hours of confirming a data breach, with the information needed to meet your own statutory notification deadlines (GDPR Art. 33, US state breach laws).

Data residency & deployment

  • Default — EU. All data on OVHcloud Public Cloud, GRA region (France). Suitable for any tier.
  • Enterprise — choose your region. EU, US, or Asia residency on $299/mo flat. Cross-region backup and dedicated environment.
  • On-premise — full sovereignty. Quote-based license (one-time setup fee + annual subscription) for self-hosting on your own infrastructure. Caddy + Watchtower auto-update, 7-layer defense, license server callback for entitlement only (no customer data leaves the perimeter).

Reporting a security issue

Email security disclosures to contact@freemaint.com. We acknowledge within 24 hours and target a 7-day resolution for verified high-severity reports.

FAQ

Is FreeMaint GDPR / RGPD compliant?

Yes. FreeMaint is built and operated in accordance with the EU General Data Protection Regulation. Production data is hosted in the European Union (OVHcloud, France), and every account ships with a self-service "Delete my account" flow that triggers full erasure, including soft-deleted rows. Server error logs flow to a self-hosted Sentry-compatible tracker (Bugsink) with 30-day retention and stripping of the password, token, authorization and cookie fields. A GDPR-aligned Data Processing Agreement is available for paid tiers on request at contact@freemaint.com.

Does FreeMaint support HIPAA workflows?

FreeMaint is HIPAA-ready, not HIPAA-certified. The product ships the technical safeguards required by 45 CFR §164.312: per-user access control, immutable audit logs on every work-order and asset event, e-signature on completion, encryption at rest and in transit, and forced password rotation. A Business Associate Agreement is available on Enterprise ($299/mo flat) for healthcare facilities that need to formalize the controls.

What lockout-tagout standards does the LOTO module enforce?

The Lockout/Tagout (LOTO) module enforces compliance with OSHA 29 CFR 1910.147 (US) and EN ISO 14118 (EU). When an asset is locked, the system blocks any work order completion against that asset until the matching unlock event is recorded by an authorized user, and it logs the lock type (mechanical, electrical, hydraulic, pneumatic, thermal), padlock number, applier and date. The audit trail is immutable.
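The completion gate described above, as an added illustration that is not FreeMaint's own code: an append-only LOTO trail where a work order on an asset can only be completed once every applied padlock has a matching unlock recorded by an authorized user. The event shape, the `LotoAuditTrail` class and the authorized-user set are assumptions; the lock types and the blocking rule come from the text.

```typescript
// Added example, not FreeMaint's implementation. Lock types are the five named on the page.
type LockType = "mechanical" | "electrical" | "hydraulic" | "pneumatic" | "thermal";

interface LotoEvent {
  readonly kind: "LOCK" | "UNLOCK";
  readonly assetId: string;
  readonly padlockNumber: string;
  readonly lockType: LockType;
  readonly userId: string;   // applier (LOCK) or remover (UNLOCK)
  readonly at: string;       // ISO-8601 timestamp
}

class LotoAuditTrail {
  // Append-only: there is deliberately no update or delete method.
  private readonly events: LotoEvent[] = [];

  // Users permitted to apply/remove locks (assumed to be fed from the RBAC layer).
  constructor(private readonly authorized: ReadonlySet<string>) {}

  append(e: LotoEvent): void {
    if (!this.authorized.has(e.userId)) {
      throw new Error(`user ${e.userId} is not authorized for LOTO events`);
    }
    // An UNLOCK must match a padlock that is actually applied on that asset.
    if (e.kind === "UNLOCK" && !this.activeLocks(e.assetId).some(l => l.padlockNumber === e.padlockNumber)) {
      throw new Error(`no active lock ${e.padlockNumber} on asset ${e.assetId}`);
    }
    this.events.push(Object.freeze({ ...e }));
  }

  // Padlocks still applied: every LOCK not followed by an UNLOCK for the same padlock.
  activeLocks(assetId: string): LotoEvent[] {
    const open = new Map<string, LotoEvent>();
    for (const e of this.events) {
      if (e.assetId !== assetId) continue;
      if (e.kind === "LOCK") open.set(e.padlockNumber, e);
      else open.delete(e.padlockNumber);
    }
    return [...open.values()];
  }

  // The gate a work-order completion handler would call before accepting the e-signature.
  canCompleteWorkOrder(assetId: string): boolean {
    return this.activeLocks(assetId).length === 0;
  }

  history(assetId: string): readonly LotoEvent[] {
    return this.events.filter(e => e.assetId === assetId);
  }
}
```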

Where is FreeMaint data hosted?

By default, customer data is hosted in the European Union on OVHcloud Public Cloud (GRA region, France). Backups run daily via pgbackweb to an OVH Object Storage bucket in a separate region. Enterprise customers ($299/mo flat) can choose data residency in the EU, US, or Asia. On-premise deployment (on a quote basis: one-time setup fee + annual subscription) is also available for full data sovereignty.

How is data isolated between companies?

FreeMaint is strictly multi-tenant. Every database row (work orders, assets, locations, parts, users, files) carries a companyId column, and every Prisma query, REST endpoint and GraphQL resolver filters on that column inside an authentication-enforcing interceptor. There is no shared resource between companies, and a fine-grained RBAC layer (permission keys, not role names) governs what each user can read or write inside their own tenant.
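The tenant-scoping rule in this answer and the RBAC scope filters (ALL / ASSIGNED / TEAM) listed under Security controls, as one added example that is not FreeMaint's code: the companyId is always taken from the authenticated principal, a caller-supplied companyId for another tenant is rejected, and the permission's scope narrows the `where` clause further. The Prisma-like `where` shape, the field names `assigneeId` and `teamId`, and the sample rows are assumptions.

```typescript
// Added example, not FreeMaint's interceptor. Shows how a per-request scope is derived.
type Scope = "ALL" | "ASSIGNED" | "TEAM";

interface Principal {
  userId: string;
  companyId: string;                   // comes from the verified JWT, never from input
  teamIds: string[];
  permissions: Record<string, Scope>;  // permission key -> granted scope
}

type Where = Record<string, unknown>;

function scopedWhere(p: Principal, permission: string, where: Where = {}): Where {
  const scope = p.permissions[permission];
  if (!scope) throw new Error(`missing permission ${permission}`);
  // A caller may not steer the query to another tenant by supplying companyId.
  if ("companyId" in where && where.companyId !== p.companyId) {
    throw new Error("cross-tenant query rejected");
  }
  const base: Where = { ...where, companyId: p.companyId };
  switch (scope) {
    case "ALL":      return base;
    case "ASSIGNED": return { ...base, assigneeId: p.userId };
    case "TEAM":     return { ...base, teamId: { in: [...p.teamIds] } };
    default:         throw new Error(`unknown scope ${String(scope)}`);
  }
}

// Minimal in-memory matcher standing in for the database (supports equality and { in: [...] }).
function matches(row: Record<string, unknown>, where: Where): boolean {
  return Object.entries(where).every(([k, v]) => {
    if (v !== null && typeof v === "object" && "in" in v) {
      return (v as { in: unknown[] }).in.includes(row[k]);
    }
    return row[k] === v;
  });
}

// Constructed sample rows spanning two tenants.
const workOrders = [
  { id: 1, companyId: "acme",   assigneeId: "u1", teamId: "t1" },
  { id: 2, companyId: "acme",   assigneeId: "u2", teamId: "t1" },
  { id: 3, companyId: "globex", assigneeId: "u1", teamId: "t9" },
];

function listWorkOrderIds(p: Principal, where: Where = {}): number[] {
  return workOrders.filter(r => matches(r, scopedWhere(p, "workorder:read", where))).map(r => r.id);
}
```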

How are passwords and authentication tokens stored?

Passwords are hashed with bcrypt (cost factor 12) and never stored in plaintext or returned by any API. JWT access tokens are short-lived (2 hours) and never persisted server-side. Refresh tokens are httpOnly, Secure, SameSite=Strict cookies. SSO via Google and Apple is available, and SAML SSO ships on Enterprise. Server-side error logs strip the fields password, token, authorization and cookie before forwarding to Sentry.
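The field stripping mentioned here (and under Error monitoring), as an added example rather than FreeMaint's code: a recursive scrubber that replaces the `password`, `token`, `authorization` and `cookie` fields anywhere in an error event, case-insensitively and inside nested objects and arrays, without mutating the original. The event layout is a constructed sample; wiring it into a Sentry-compatible SDK (for example via its `beforeSend` hook) is assumed rather than taken from the page.

```typescript
// Added example, not FreeMaint's logging code. Field names are the four the page lists.
const STRIPPED_FIELDS: ReadonlySet<string> = new Set(["password", "token", "authorization", "cookie"]);
const REDACTED = "[Filtered]";

// Returns a deep copy of `value` with every matching key replaced; depth-limited so a
// cyclic or absurdly deep object cannot blow the stack before the event is forwarded.
function scrub<T>(value: T, depth = 0): T {
  if (depth > 32 || value === null || typeof value !== "object") return value;
  if (Array.isArray(value)) {
    return value.map(v => scrub(v, depth + 1)) as unknown as T;
  }
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
    out[k] = STRIPPED_FIELDS.has(k.toLowerCase()) ? REDACTED : scrub(v, depth + 1);
  }
  return out as T;
}

// Constructed sample of what an error tracker would receive from a failed login request.
const sampleEvent = {
  message: "Login failed",
  request: {
    url: "/auth/login",
    headers: { Authorization: "Bearer eyJ.constructed.sample", Cookie: "refresh=abc123", Accept: "application/json" },
    body: { email: "user@example.com", password: "hunter2" },
  },
  breadcrumbs: [{ category: "auth", data: { token: "t-1", step: "verify" } }],
};

// Stand-in for a beforeSend hook: scrub, then hand the event on to the transport.
function scrubEvent<T extends object>(event: T): T {
  return scrub(event);
}
```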

Does FreeMaint produce ISO 55000-aligned asset reports?

Yes. The asset management module emits the reports required by the ISO 55000 family of standards (asset register, criticality, lifecycle cost, mean time between failures, planned vs unplanned maintenance ratio). Reports are exportable as PDF and CSV, and the API exposes them as JSON for integration with corporate BI tools. ISO 55000-aligned reporting is included starting on the Business tier ($99/mo flat).

How does FreeMaint exercise the right to be forgotten?

Any account holder can permanently erase their account from /delete-account. The flow removes the user record, anonymizes their authored events (work orders, comments, time logs) per GDPR Art. 17, purges S3 attachments, invalidates all sessions and confirms erasure by email. Company-wide deletion (all users, all data) is available on request from the company admin and processed within 30 days.

Is customer data encrypted at rest?

Yes. Data is encrypted both in transit and at rest. In transit, all traffic uses TLS 1.3. At rest, file attachments in object storage are encrypted server-side with AES-256, the managed PostgreSQL database and its volumes are encrypted with full-volume LUKS/AES encryption keyed per customer project, and backups are encrypted and stored on separate OVHcloud infrastructure. Passwords are bcrypt-hashed (never reversible) and sensitive application secrets are AES-256-GCM encrypted. All data is hosted in the EU (OVHcloud, France).

What happens if there is a data breach?

FreeMaint acts as your data processor. If we confirm a personal-data breach affecting data we process for you, we notify you without undue delay and within 72 hours, with the nature of the breach, the categories and approximate number of records and people affected, the likely consequences, and the remediation taken. This 72-hour commitment is set out in our Data Processing Agreement (Article 9) and comfortably meets the deadlines that breach-notification laws place on a processor — including GDPR Article 33 and US state laws such as Florida’s FIPA (Fla. Stat. § 501.171), which gives a third-party agent up to 10 days. You then have what you need to notify affected individuals within your own statutory window. Request the DPA at contact@freemaint.com.

More on the FreeMaint pricing model and what is included on each tier: /pricing. For a Data Processing Agreement, BAA, or audit questionnaire, write to contact@freemaint.com.