Lompat ke konten
Informations légales

Trust center

Security and service continuity are treated as first-class requirements. This page factually describes the measures in place — it is updated whenever something significant changes.

Dernière mise à jour : 1er juillet 2026

1. Access security

  • Two-factor authentication (TOTP) enforced across the entire back office, with single-use backup codes.
  • Role-based access control (least privilege): each operator only reaches the modules of their function; financial data is restricted to entitled roles.
  • Immediate session revocation on password change, 2FA reset or account deactivation.
  • Timestamped audit log of sensitive actions (logins, denied accesses, team and configuration changes).

2. Data protection

  • Encryption in transit (TLS 1.2/1.3) across all services.
  • Encryption at rest (AES-256-GCM) for sensitive data: contracts, HR records, payout details, integration secrets.
  • Strict tenant isolation: partners and clients only ever access their own data (structural server-side control).
  • AI assistants: no ability to act on data from public surfaces; third-party content is treated as data, never as instructions.

3. Continuity & backups

  • Encrypted backups following the 3-2-1 rule: three copies, two media, one remote site (European Union).
  • Recovery points: critical data every 6 hours, full daily backup.
  • Restoration TESTED under real conditions (last test: July 2026 — 100% integrity verified). Recovery time objective: under one hour.
  • Continuous monitoring (availability, resources, certificates) with immediate team alerting.

4. Incident response

  • Documented and rehearsed incident procedures (outage, restore, compromise).
  • Personal data breach: notification to the supervisory authority (CNIL) within 72 hours and communication to affected individuals where required (GDPR art. 33-34).
  • Vulnerability reporting: RFC 9116 security.txt (link below) — good-faith reports are welcome.

5. Compliance

  • GDPR: records of processing, public privacy policy, article 28 DPA available below.
  • Transfers outside the EU: European Commission Standard Contractual Clauses (2021/914) where required.
  • Invoicing and accounting: double-entry engine with integrity chaining, ready for the French e-invoicing mandate (2026-2027).

6. Subprocessors

Subprocessors with access to data as part of the service. Any addition is reflected on this page with 30 days' notice; you may object on legitimate grounds.

  • HostingerApplication hosting (VPS) · European Union
  • IONOSRemote backup site · European Union (Germany/France)
  • CloudflareCDN, DNS, protection, email routing · EU/United States (SCCs)
  • StripePayments · EU/United States (SCCs)
  • ResendTransactional email · United States (SCCs)
  • AnthropicAI assistant (text processing) · United States (SCCs)

7. Documents

Security or due-diligence questions: security@pageoneboost.com — answer within 2 business days.

Trust center — security & compliance · PageOneBoost