Security Policy

TOTP (Time-based One-Time Password) available for all client portal users. Activation via Profile → Security. Once enabled, verification of a 6-digit code is required at every login. Compatible with Google Authenticator, Authy, Microsoft Authenticator. 10 recovery codes generated upon activation.

OAuth2/OIDC via Google and Microsoft, Authorization Code PKCE flow. MFA for SSO users is delegated to the organization's identity provider.

Three native roles: Owner (organization owner, full access), Admin (administration and configuration), Member (operational). Each member additionally has configurable granular permissions (canViewAnalytics, canManageAgents, canViewConversations, canViewProspects, canManageTeam, canManageBilling, canExportData, canViewCopilot) allowing read-only or custom profiles to be defined. The canExportData permission is required for SIEM export, enforced server-side (HTTP 403 if missing).

Daily automated job: warning at 60 days of inactivity (INACTIVITY_WARNING event in the SIEM). Automatic revocation of all sessions at 90 days (GDPR Art. 32 / DORA Art. 9). Each event is timestamped in the audit trail.

TLS 1.2 / 1.3 enforced on all connections. HTTPS mandatory, HSTS enabled (max-age=31536000; includeSubDomains; preload). HTTP automatically redirected to HTTPS.

Sensitive data (CRM credentials, OAuth tokens, prospect files): application-level AES-256-GCM encryption before persistence. PostgreSQL database: AES-256 at infrastructure level (Neon). Backups: AES-256.

RS256, automatic rotation every 7 days. Primary key + backup key maintained for high availability across multiple instances. Immediate revocation via LRU cache of invalidated tokens. Never transmitted in clear text.

Format godia_live_<base64url-32bytes> (or godia_test_ for the test environment): only the SHA-256 hash is stored in the database. The plain key is shown only once at creation, never stored or recoverable.

Global: 3,000 req / 15 min per IP (sliding window). Login: 5 attempts / 15 min, automatic 30-minute temporary block. API v1: 1,000 req / hour per key. SIEM export: 10 exports / hour per organization.

HSTS (max-age=31536000; includeSubDomains; preload), X-Content-Type-Options: nosniff, strict Content-Security-Policy enabled on all responses. X-Frame-Options is set to DENY for the client portal (anti-clickjacking) and ALLOWALL for chat widgets to allow intentional cross-domain embedding on customer websites (governed by CSP frame-ancestors).

Synchronized token (sessionStorage) + server-side validation on all mutating routes. GET requests are exempt.

Strict whitelist of authorized origins. Only chat widget APIs are intentionally open to allow integration on customer websites.

4 tables non-modifiable through the interface: auth_events (logins, MFA, revocations), 90-day retention. access_logs (sensitive data access, admin actions), 90-day retention. client_activity_logs (portal actions), 30-day retention. alert_history (security alerts), 90-day retention.

JSON and CSV format from the client portal, compatible with Elastic, Splunk, QRadar, Microsoft Sentinel. Filters by period and event type. Server-side isolation per organization. canExportData permission required. Anti-exfiltration rate limit: 10 exports / hour.

5 active alert rules in the SIEM engine: login brute-force attempts, CSRF violations, tenant isolation violations, invalid token attempts, suspicious activity. In addition, a dedicated daily job detects extended inactivity (60d / 90d). Immediate email notification via Mailjet upon trigger.

npm audit automatically executed on every push and pull request via GitHub Actions (security-audit.yml workflow), and on a weekly scheduled basis (cron). The pipeline fails if a vulnerability of High or Critical severity is detected. JSON report archived for 30 days.

Critical: 48h / High: 7 days / Medium: 30 days / Low: next release.

External pentest by a certified third party scheduled for H2 2026. Internal security testing performed at every major release.

Official program available on our dedicated page. Reporting via legal@godia.ai (response SLA: 48h for any reported vulnerability).

Zod (strict TypeScript schemas) on 100% of backend routes. Systematic rejection of data not conforming to the expected schema.

Drizzle ORM, parameterized queries only. No SQL string concatenation in the codebase.

Systematic on every pull request before merge to production.

Railway environment variables, never in source code or the Git repository. OAuth and CRM credentials encrypted with AES-256-GCM before persistence.

Production and development environments separated, with distinct databases and environment variables. No cross-access between prod and dev.

RTO (Recovery Time Objective) contractual: 4 hours (worst case, full restoration from artifacts). Typical automatic application restart observed via Railway: < 15 minutes (common application incidents, no human intervention required). RPO (Recovery Point Objective): 24 hours, aligned with Neon backup frequency (sub-hour point-in-time recovery in practice for application incidents).

99.5% monthly guaranteed, 99.9% contractually available. See our full SLA. Real-time status: status.godia.ai.

Daily AES-256 encrypted backups, managed by Neon. Retention according to the subscribed Neon plan. Multi-zone EU replication.

In the event of AI engine unavailability, existing data (conversations, prospects, analytics) remains accessible. Explicit error messages returned, no silent fallback to another provider.

Detection via SIEM alerts → internal qualification → customer notification (4h SLA for critical incidents) → remediation → post-incident report (PIR).

Available in the client portal: creation, tracking and closure from the interface. Each incident documented with timeline, impact and corrective measures.

Documented procedure: notification of competent supervisory authorities (CNIL France, CNPD Luxembourg) within 72 hours in the event of a personal data breach (GDPR Art. 33). Email notification to affected organizations via Mailjet, triggered from the administration portal.

L1: in-app ticket → L2: support@godia.ai → L3: technical leadership → L4: security emergency legal@godia.ai (4h SLA).

Formalized data protection impact assessment (DPIA-GODIA-2026-001 v1.0, March 2026), 4 documented processings: (1) AI conversations, (2) prospect management, (3) authentication & SIEM logging, (4) developer API keys. Available on request at legal@godia.ai. Next review: March 2027.

Formal and operational register covering 6 ICT providers under DORA Art. 28: Railway (application infrastructure), Neon (database), Mistral AI SAS (AI engine, France), Mailjet/Sinch (transactional emails, France), Google LLC (OAuth), Microsoft Corporation (OAuth). Available on request.

Post-incident reports accessible from the client portal, integrated incident reporting, tracking and closure from the interface.

JSON/CSV from the portal, compatible with leading SIEM tools (Elastic, Splunk, QRadar, Microsoft Sentinel).

Data Processing Agreement available for signature before any contractual relationship begins. Contact: legal@godia.ai.

Contractual commitment: full data export provided on request within 30 days upon termination. Definitive data deletion within 60 days after the end of the contract (except for legal retention obligations). No proprietary lock-in: standard PostgreSQL, data exportable in JSON/CSV via the portal. Per-provider details documented in the DORA register.