Security Policy

TOTP MFA (Time-based One-Time Password) is mandatory for Godia administrator accounts, recommended and enabled for all client portal accounts (activation via Profile → Security). 6-digit code verification required at each login. Compatible with Google Authenticator, Authy, Microsoft Authenticator. 10 recovery codes generated upon activation. For SSO users (Google / Microsoft), MFA is delegated to the organization's identity provider.

OAuth2/OIDC via Google and Microsoft, Authorization Code PKCE flow.

Three native roles: Owner (organization owner, full access), Admin (administration and configuration), Member (operational). Each member additionally has 8 configurable granular permissions (canViewAnalytics, canManageAgents, canViewConversations, canViewProspects, canManageTeam, canManageBilling, canExportData, canViewCopilot) allowing read-only or custom profiles to be defined. The canExportData permission is required for SIEM export, verified server-side (HTTP 403 if absent).

Daily automatic job: warning at 60 days of inactivity (INACTIVITY_WARNING event in the SIEM). Automatic revocation of all sessions at 90 days (GDPR Art. 32 / DORA Art. 9). Each event timestamped in the audit trail.

TLS 1.2 / 1.3 enforced on all connections. HTTPS mandatory, HSTS enabled (max-age=31536000; includeSubDomains; preload). HTTP automatically redirected to HTTPS.

Sensitive data (CRM credentials, OAuth tokens, prospect files): application-level AES-256-GCM encryption before persistence. User passwords: bcrypt 12 rounds hash. PostgreSQL database: at-rest encryption at the infrastructure level (Neon). Backups: AES-256.

RS256, automatic rotation every 7 days. Primary key + backup key maintained for multi-instance high availability. Immediate revocation via LRU cache of invalidated tokens. Never transmitted in clear text.

AES-256-GCM master key (32 bytes, scrypt-derived) managed as an environment secret on the Railway platform (SOC 2 Type II). Annual planned rotation (Q4); immediate rotation on triggering event (suspected compromise, leak, forensic audit). Internal procedure documented covering preparation, backup, application-level re-encryption, Railway update, verification, destruction and audit trail.

Format godia_live_<base64url-32bytes> (or godia_test_ for the test environment): only the SHA-256 hash is persisted in database. The clear-text key is displayed only once at creation, never stored or recoverable.

Global: 3,000 req / 15 min per IP (sliding window). Login: 5 attempts / 15 min, automatic temporary 30-minute block. API v1: 1,000 req / hour per key. SIEM Export: 10 exports / hour per organization. Copilot mutations (POST / PATCH / DELETE): 60 req / min / IP.

HSTS (max-age=31536000; includeSubDomains; preload), X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Content-Security-Policy active with default-src 'self', object-src 'none', base-uri 'self' and restrictive frame-ancestors ('self' on portal, * on widgets for voluntary cross-domain integration). unsafe-inline is currently tolerated for the portal Vite/React stack; migration to nonce-based CSP planned in the security maturity roadmap. X-Frame-Options: DENY on the entire portal and API. The header is not sent on widget routes; cross-domain embedding is governed exclusively by CSP frame-ancestors. Restrictive Permissions-Policy (camera=(), geolocation=(), payment=(), usb=(); microphone=(self) allowed only for the optional Voice Agent feature).

Synchronized token + server-side validation on all mutating routes. Systematic session regeneration at login (anti-fixation). GET requests are exempt.

Strict whitelist of authorized origins. Only the chat widget APIs are intentionally open to allow integration on customer websites.

4 tables not modifiable through the interface: auth_events (logins, MFA, revocations), 90-day retention. access_logs (sensitive data access, admin actions), 90-day retention. client_activity_logs (portal actions), 30-day retention. alert_history (security alerts), 90-day retention.

JSON and CSV format from the client portal, compatible with Elastic, Splunk, QRadar, Microsoft Sentinel. Filters by period and event type. Server-side organization isolation. canExportData permission required. Anti-exfiltration rate limit: 10 exports / hour.

5 active alert rules in the SIEM engine: brute force login attempts, CSRF violations, tenant isolation violations, invalid token attempts, suspicious activity. Plus a daily dedicated job for prolonged inactivity detection (60d / 90d). Immediate email notification via Mailjet upon trigger.

npm audit automatically run on every push and pull request via GitHub Actions (workflow security-audit.yml), and weekly scheduled (cron Monday 6am UTC). The pipeline fails if a High or Critical severity vulnerability is detected. JSON report archived 30 days.

Critical: 48h / High: 7 days / Medium: 30 days / Low: next release.

Internal OWASP Top 10:2025 + OWASP LLM Top 10 audit performed (February 2026, updated April 2026). Score 100/100, full compliance. Report available upon request under confidentiality agreement.

Internal security tests performed at each major release. External penetration test by a certified third party not scheduled at this stage; may be considered as the security maturity roadmap evolves.

Official program available on our dedicated page. Reporting via legal@godia.ai (response SLA: 48h for any reported vulnerability).

Zod (strict TypeScript schemas) on 100 % of backend routes. Systematic rejection of data not conforming to the expected schema.

Drizzle ORM, parameterized queries only. No SQL string concatenation in the codebase.

Systematic code review on every pull request before merging to production. Validation by automated tools integrated into the CI pipeline (security ESLint, npm audit, integration tests). For critical changes (authentication, multi-tenant isolation, cryptography), additional validation by a technical third party before deployment.

Railway environment variables, never in source code or Git repository. OAuth and CRM credentials encrypted with AES-256-GCM before persistence. Annual MASTER_KEY rotation (Q4) and immediate rotation on security event.

Production and development environments separated, distinct database and environment variables. No cross prod/dev access. The implementation of a dedicated staging environment is included in the maturity roadmap.

Contractual RTO (Recovery Time Objective): 4 hours (worst case, full restoration from artifacts). Typical automatic application restart observed via Railway: < 15 minutes (common application incidents, no human intervention). RPO (Recovery Point Objective): 24 hours, aligned with the frequency of Neon backups (sub-hour point-in-time restoration in practice for application incidents). Plan for full failover tests with measured RTO/RPO under formalization for H2 2026.

99.5 % monthly guaranteed, 99.9 % contractually negotiable. See our full SLA. Real-time status: status.godia.ai.

Daily encrypted AES-256 backups, managed by Neon. Retention according to subscribed Neon plan. EU multi-zone replication.

In case of incompatibility or error on a Mistral model, automatic fallback between models (small / medium / large). In case of total Mistral API unavailability, existing data (conversations, prospects, analytics) remains accessible; explicit error messages returned, no silent fallback to another provider. The LLM abstraction layer integrated in the code allows a subsequent switch to an alternative provider on operational decision.

Detection via SIEM alerts, internal qualification, customer notification (4h SLA for critical incidents), remediation, post-incident report (PIR).

Available in the client portal: creation, tracking and closure from the interface. Each incident documented with timeline, impact and corrective measures.

Documented procedure: notification to the competent supervisory authorities (CNIL France, CNPD Luxembourg) within 72 hours in case of personal data breach (GDPR Art. 33). Email notification to affected organizations via Mailjet, triggered from the administration portal.

L1: in-app ticket from the portal. L2: support@godia.ai. L3: technical management. L4: security emergency legal@godia.ai (4h SLA for critical incidents).

Formalized data protection impact assessment (DPIA-GODIA-2026-001 v1.1, April 2026), 5 documented processings: (1) AI Conversations, (2) Prospect data, (3) Authentication & SIEM logging, (4) Developer API keys, (5) Email reading and sending via Copilot (Gmail / Microsoft 365). GDPR Art. 22 clarification: no automated decision with legal effect, all email sending is conditional on explicit human validation. Available upon request to legal@godia.ai. Next review: April 2027.

Formal and operational register covering 6 ICT providers under DORA Art. 28: Railway (application infrastructure), Neon (database), Mistral AI SAS (AI engine, France), Mailjet/Sinch (transactional emails, France), Google LLC (OAuth + Gmail API for Copilot), Microsoft Corporation (OAuth + Microsoft Graph API for Copilot). Available upon request. Next review: October 2026.

Post-incident reports accessible from the client portal, integrated incident reporting, tracking and closure from the interface. Compliant with DORA Art. 11 (incident management).

JSON/CSV from the portal, compatible with market SIEM tools (Elastic, Splunk, QRadar, Microsoft Sentinel).

Data processing agreement available for signature before any contractual relationship begins. Contact: legal@godia.ai.

Contractual commitment: complete data export provided upon request within 30 days in case of termination. Definitive data deletion within 60 days after end of contract (except legal retention obligation). No proprietary lock-in: standard PostgreSQL, data exportable in JSON/CSV via the portal. Per-ICT-provider details documented in the DORA register.