Security & Trust

Our platform runs entirely on European infrastructure with strict isolation and access controls.

• Hosted on OVH France datacenters, ensuring EU data sovereignty
• Docker containers running as non-root users with minimal privileges
• PostgreSQL 15 with role-based access control and connection pooling
• Network isolation between services via Docker internal networks
• No data leaves the European Union

Multi-layered authentication protects every entry point into the platform.

• JWT tokens stored in httpOnly cookies (not localStorage), preventing XSS token theft
• Multi-role RBAC system: super_admin, company_admin, and user roles with strict permission boundaries
• SlowAPI rate limiting on all endpoints to prevent brute-force attacks
• HMAC signature verification on all incoming webhooks (Stalwart, Stripe)
• Google OAuth integration with secure token exchange
• Magic link passwordless authentication with 15-minute expiry tokens

Data is encrypted both in transit and at rest using industry-standard algorithms.

• TLS 1.3 encryption for all data in transit
• AES-256 Fernet encryption for credential vault (API keys, passwords stored by users)
• Bcrypt password hashing with automatic salt generation
• Encrypted API credentials storage for platform integrations
• Pre-signed URLs with expiration for S3 archive downloads

AI agents (Junyrs) are designed with guardrails that prevent data leakage and hallucination.

• Prompt injection filter detects and blocks adversarial inputs before they reach the LLM
• PII sanitization masks sensitive data (French SSN, IBAN, SIRET) before sending to AI providers
• Confidence scoring (0-100) on every AI response, so users know when to trust or verify
• Anti-hallucination context service ensures responses are grounded in real data from the knowledge base
• Configurable sensitivity levels per company (low, medium, high, critical)
• Token usage tracking and quota enforcement (40 work hours/month per agent)

We comply with the EU General Data Protection Regulation and French data protection law (CNIL).

• CNIL-compliant data processing with documented legal bases
• Data Processing Agreement (DPA) available on request for all business clients
• 30-day account and data deletion upon request
• 10-year billing record retention as required by French commercial law
• Data portability: export your data in standard formats (PDF, CSV, JSON)
• Right to access, rectify, and erase your personal data at any time

Continuous monitoring and logging ensure anomalies are detected and addressed promptly.

• Security audit logging for all sensitive operations (credential access, role changes, impersonation)
• Background task monitoring with execution history and failure alerts
• Two-layer outbound email rate limiting to prevent spam and protect domain reputation
• Webhook retry queue with exponential backoff and dead-letter queue for failed deliveries
• Domain warm-up progression system for new email domains (5 stages)
• Automated stale workflow cleanup and export file garbage collection