Security

Last updated: April 19, 2026

Overview

Georion is built on a security-first architecture. We protect customer data through industry-standard cryptography, Row-Level Security (RLS) on every database table, least-privilege access controls, and continuous monitoring. This page describes our security program in detail so customers and security researchers can understand exactly how we protect data.

If you find a vulnerability, please report it responsibly to security@georion.app. See our bug bounty program for rewards.

Infrastructure

  • Hosting: Vercel (Next.js app) + Supabase (Postgres database, Auth, Storage)
  • Edge network: Cloudflare WAF, DDoS protection, bot management
  • Geographic availability: Global edge network with sub-100ms latency in 300+ cities; EU-only data residency available on Enterprise
  • Physical security: inherited from our providers (AWS / Google Cloud / Cloudflare — all SOC 2 Type II certified)
  • Backups: automated daily backups with 30-day point-in-time recovery; monthly full-system snapshots retained for 12 months
  • Isolation: per-tenant organization isolation via RLS policies — no shared-tenant data leakage is possible at the database level

Encryption

In transit

  • TLS 1.3 for all traffic (minimum TLS 1.2 supported for legacy clients)
  • HSTS preload with 2-year max-age
  • Strict CSP (Content Security Policy) with allowlisted origins only
  • Certificate pinning on mobile clients (where applicable)

At rest

  • AES-256 encryption on all databases (Supabase-managed)
  • Encrypted backups using separate keys
  • Passwords hashed with bcrypt (cost factor 12)
  • API keys stored hashed; shown once on creation and never again
  • Secrets managed via Vercel Environment Variables + per-environment scoping

Access controls

User-level

  • Password requirements: 12+ characters with complexity rules; compromised passwords blocked via haveibeenpwned integration
  • 2FA / MFA: TOTP (Google Authenticator, 1Password, Authy) + WebAuthn / Passkeys
  • SSO / SAML 2.0: available on Agency and Enterprise plans (Okta, Azure AD, Google Workspace, OneLogin, and any SAML 2.0-compliant IdP)
  • SCIM user provisioning: Enterprise plan — automated user lifecycle from your IdP
  • Session management: configurable session timeout; forced re-auth for sensitive operations

Internal (employee)

  • Principle of least privilege: engineers only access systems they need for their role
  • SSO-enforced on all internal tools (Google Workspace, Vercel, Supabase, Cloudflare admin, AWS)
  • Hardware security keys (YubiKey) required for production access
  • Audit logs retained for 7 years for all admin actions
  • Zero persistent production database access — engineers use break-glass just-in-time elevation for specific incidents

Application security

  • Row-Level Security (RLS): every table in our Postgres database has RLS enabled with explicit policies — no query can return data outside the caller's organization
  • Prepared statements only: zero string-concatenated SQL; SQL injection surface is nil
  • Input validation: Zod schemas on every API endpoint + every form submission
  • CSRF protection: double-submit cookie pattern on every mutation
  • Rate limiting: per-IP + per-user + per-endpoint limits with burst protection
  • SSRF guard: all outbound requests validated against allowlisted domains + blocked private IP ranges
  • XSS mitigation: strict CSP + automatic output escaping throughout React tree
  • Prompt injection defense: outputs from AI engines validated before display; user-controlled content never executed as instructions
  • Dependency scanning: automated weekly scans via GitHub Dependabot + Socket.dev
  • Static analysis: TypeScript strict mode + ESLint security rules enforced in CI
  • Code review: mandatory 2-reviewer approval for all production changes
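As an added illustration of the "SSRF guard" item above (this is example code written for this page, not Georion's own implementation), the guard below combines an allowlist of destination hosts with a deny list of private and reserved address ranges, and exposes a second check for the address DNS actually returns. The allowlist entries and every function name are constructed for the example; the real service's allowlist and internals are not published on this page.

```typescript
// Added example (not Georion's code): an outbound-request guard of the kind
// summarised under "SSRF guard". Allowlist entries below are constructed.

const OUTBOUND_ALLOWLIST: ReadonlySet<string> = new Set([
  "api.example.com", // constructed sample entries
  "hooks.example.net",
]);

// IPv4 ranges an outbound request must never reach, as [base, prefix bits].
const BLOCKED_IPV4: ReadonlyArray<[string, number]> = [
  ["0.0.0.0", 8],      // "this" network
  ["10.0.0.0", 8],     // RFC 1918
  ["100.64.0.0", 10],  // carrier-grade NAT
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, including cloud metadata endpoints
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
];

// Parse a dotted-quad IPv4 string into an integer; null if it is not one.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedIPv4(ip: string): boolean {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return BLOCKED_IPV4.some(([base, bits]) => {
    const block = 2 ** (32 - bits); // number of addresses in the prefix
    return Math.floor(addr / block) === Math.floor(ipv4ToInt(base)! / block);
  });
}

// Minimal IPv6 handling: loopback/unspecified, unique-local (fc00::/7),
// link-local (fe80::/10), and IPv4-mapped addresses re-checked as IPv4.
function isBlockedIPv6(ip: string): boolean {
  const a = ip.toLowerCase();
  if (a === "::1" || a === "::") return true;
  if (a.startsWith("::ffff:")) return isBlockedIPv4(a.slice("::ffff:".length));
  if (/^f[cd]/.test(a)) return true;
  if (/^fe[89ab]/.test(a)) return true;
  return false;
}

// Check a resolved address (what DNS returned, not what the URL said).
function isBlockedAddress(ip: string): boolean {
  return ip.includes(":") ? isBlockedIPv6(ip) : isBlockedIPv4(ip);
}

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

type GuardResult = { ok: true; host: string } | { ok: false; reason: string };

// Validate a destination URL before any DNS lookup or connection is made.
function checkOutboundUrl(raw: string): GuardResult {
  const url = parseUrl(raw);
  if (url === null) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "credentials in URL" };
  if (url.port !== "") return { ok: false, reason: "non-default port" };
  // WHATWG URL parsing has already normalised the host: case-folded, and
  // numeric forms such as "2130706433" rewritten to dotted-quad "127.0.0.1".
  const host = url.hostname;
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literal" };
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (isBlockedIPv4(host)) return { ok: false, reason: "private or reserved address" };
  if (!OUTBOUND_ALLOWLIST.has(host)) return { ok: false, reason: `host ${host} not allowlisted` };
  return { ok: true, host };
}
```

Intended use: call checkOutboundUrl() first, then resolve the host yourself and run isBlockedAddress() over every address the resolver returns, connecting only to addresses that passed. Checking the name alone leaves a DNS answer that points at 10.0.0.0/8 (rebinding, or a misconfigured allowlisted host) unhandled, which is why the two checks are separate.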

Data handling

Retention

  • Active customer data: for duration of subscription
  • Cancelled customer data: exportable for 30 days, anonymized or deleted after 90 days
  • Billing records: 10 years (Swiss law)
  • Access logs: 30 days rolling
  • Hashed IP addresses: 12 months for fraud prevention

AI model training disclaimer

We do not train AI models on your content. Customer prompts, reports, and audit results are used solely to deliver the Service.

Monitoring & incident response

  • 24×7 monitoring with automated alerting to on-call engineer within 60 seconds of threshold breach
  • Uptime monitoring across 15+ global regions (status: status.georion.app)
  • SIEM aggregating security-relevant logs with anomaly detection
  • Incident response SLA: 1 hour acknowledgment, 4 hours initial response, root cause analysis within 72 hours, customer notification within 24 hours of confirmed data incident (GDPR 72-hour rule)
  • Customer notification: email + in-app banner + status page for incidents affecting your data or service availability
  • Quarterly tabletop exercises simulating incident scenarios

Compliance & certifications

  • GDPR (EU 2016/679): fully compliant; DPA available on request — see our Data Processing Addendum
  • Swiss FADP (nFADP, September 2023): fully compliant
  • CCPA / CPRA (California): compliant for California residents; Do Not Sell My Info honored automatically (we don't sell data)
  • SOC 2 Type II: audit in progress; expected certification Q3 2026
  • ISO 27001: on our 2027 roadmap
  • HIPAA: not currently certified; Enterprise customers in healthcare should contact sales for BAA discussion
  • FedRAMP: not currently pursued

Bug bounty program

We believe in working with the security community. Rewards for valid vulnerability reports:

Severity | Reward          | Examples
Critical | $2,500 – $5,000 | Remote code execution, authentication bypass, mass data exfiltration
High     | $1,000 – $2,500 | Privilege escalation, access to other orgs' data, stored XSS with impact
Medium   | $250 – $1,000   | CSRF on sensitive endpoints, open redirect with impact, SSRF
Low      | $50 – $250      | Information disclosure (non-sensitive), rate-limit bypass, minor XSS

Eligibility: first reporter to disclose responsibly. Out-of-scope: automated scanner output without exploitation, physical/social engineering, DoS, issues in third-party dependencies (report to the vendor).

Safe harbor: we will not pursue legal action against researchers acting in good faith within this program's scope.

Report a vulnerability

Email: security@georion.app

We respond within 24 hours on business days. Use our PGP public key (fingerprint here) for sensitive reports.

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Impact assessment
  • Your proposed remediation (optional but appreciated)

We credit security researchers (with their permission) in our changelog when fixes are shipped.