· Security
Passport, supporting documents, ID photos, payment data. Here is concretely how Visamundi protects this information, where it is stored, and who can access it.
Independent audit
In 2026, independent firm BonjourCyber audited the cybersecurity of our infrastructure and applications. Verdict: passed with no major reservation. An external review — because trust is proven, not claimed.
Independent cybersecurity audit passed with no major reservation.
What we process
To produce a visa, ETA, or arrival card, certain documents are mandatory. We never ask for more than what the consular administration requires.
Passport
Scan or photo of the ID page. Used to pre-fill the consular form.
ID photo
Format required by the destination. Auto-cropping if needed.
Travel documents
Plane ticket, hotel booking, accommodation proof. Required by some countries.
Personal information
Civil status, profession, address — to fill the official form.
Payment
Card or SEPA. No card number is stored with us: everything transits encrypted via Stripe.
Previous visas
Pages of previously obtained visas, if the destination requires history. Storage limited to the file duration.
Technical measures
No jargon, no vague promises. Here's exactly what protects your data at every step.
All stored data is AES-256 encrypted on disk. Attachments (passports, photos) sit on private object storage, never publicly accessible.
TLS 1.3 mandatory on all connections. HSTS enabled on all our domains. No data travels in clear text, even internally between our services.
Databases and storage hosted within the European Union (France and Germany). No transfer outside the EU for traveler data.
Mandatory 2FA for our team. Role-based access (RBAC): an agent only sees files they're assigned to. All accesses are logged.
We only collect what is strictly necessary for your formality. Data is erased or anonymized as soon as the legal retention period ends.
Access logs kept 12 months, quarterly security review, automated vulnerability scanning on infrastructure and application code.
Under the hood
Full transparency on our infrastructure providers. All our subprocessors are GDPR-compliant and host data within the EU (or rely on Standard Contractual Clauses for the rare exceptions).
Managed PostgreSQL, AES-256 encryption at rest, Row Level Security enabled.
Edge functions and CDN, TLS 1.3 enforced, Let's Encrypt certificates auto-renewed.
Card numbers never reach our servers. Tokenization on Stripe's side.
Customer and support notifications. DKIM/SPF/DMARC active on all domains.
$ Vulnerability Disclosure
We welcome good-faith security reports. No public bug bounty, but we acknowledge every useful report and prioritize fixes — always within a legal framework that protects you.
it@visamundi.coHow to report
Email it@visamundi.co. Describe the issue type, the URL or feature affected, steps to reproduce, and estimated impact.
In scope
All our visamundi.co and visamundi.app domains, the public API, and partner SaaS. Out of scope: third-party services (Stripe, Supabase, Netlify) — report those to them directly.
Not accepted
Noisy automated scans, social engineering against our teams, denial of service, unauthorized access to real traveler data. Use test accounts.
Safe harbor
Good-faith research compliant with this policy will not be prosecuted. We commit to keeping you informed on fixes and crediting you if you wish.
