Security
Overview
Georion is built on a security-first architecture. We protect customer data through industry-standard cryptography, Row-Level Security (RLS) on every database table, least-privilege access controls, and continuous monitoring. This page describes our security program in detail so customers and security researchers can understand exactly how we protect data.
If you find a vulnerability, please report it responsibly to security@georion.app. See our disclosure & recognition program for how we handle reports.
Infrastructure
- Hosting: Vercel (Next.js app) + Supabase (Postgres database, Auth, Storage)
- Edge network: Cloudflare WAF, DDoS protection, bot management
- Geographic availability: Global edge network with sub-100ms latency in 300+ cities; EU-only data residency available on Enterprise
- Physical security: inherited from our providers (AWS / Google Cloud / Cloudflare — all SOC 2 Type II certified)
- Backups: automated daily backups with 30-day point-in-time recovery; monthly full-system snapshots retained for 12 months
- Isolation: per-tenant organization isolation via RLS policies — no shared-tenant data leakage is possible at the database level
Encryption
In transit
- TLS 1.3 for all traffic (minimum TLS 1.2 supported for legacy clients)
- HSTS preload with 2-year max-age
- Strict CSP (Content Security Policy) with allowlisted origins only
- Certificate pinning on mobile clients (where applicable)
At rest
- AES-256 encryption on all databases (Supabase-managed)
- Encrypted backups using separate keys
- Passwords hashed with bcrypt (cost factor 12)
- API keys stored hashed; shown once on creation and never again
- Secrets managed via Vercel Environment Variables + per-environment scoping
Access controls
User-level
- Password requirements: 12+ characters with complexity rules; compromised passwords blocked via haveibeenpwned integration
- 2FA / MFA: TOTP (Google Authenticator, 1Password, Authy) + WebAuthn / Passkeys
- SSO / SAML 2.0: available on Agency and Enterprise plans (Okta, Azure AD, Google Workspace, OneLogin, and any SAML 2.0-compliant IdP)
- SCIM user provisioning: Enterprise plan — automated user lifecycle from your IdP
- Session management: configurable session timeout; forced re-auth for sensitive operations
Internal (employee)
- Principle of least privilege: engineers only access systems they need for their role
- SSO-enforced on all internal tools (Google Workspace, Vercel, Supabase, Cloudflare admin, AWS)
- Hardware security keys (YubiKey) required for production access
- Audit logs retained for 7 years for all admin actions
- Zero persistent production database access — engineers use break-glass just-in-time elevation for specific incidents
Application security
- Row-Level Security (RLS): tables are protected with RLS policies, and API routes enforce organization-scoped authorization checks so requests are limited to the caller's organization
- Parameterized queries: we use the Supabase client / parameterized queries rather than string-concatenated SQL to minimize injection risk
- Input validation: Zod schemas on API endpoints and form submissions
- Authentication: session-based auth with server-side verification on protected endpoints
- Rate limiting: per-IP, per-user, and per-endpoint limits on sensitive routes
- SSRF hardening: outbound fetch targets are validated and private IP ranges blocked on user-triggered fetches; coverage is being expanded
- XSS mitigation: Content Security Policy + React's automatic output escaping
- Prompt injection defense: AI-engine outputs are treated as data, not executed as instructions
- Dependency scanning: automated dependency alerts via GitHub Dependabot
- Static analysis: TypeScript strict mode + ESLint enforced in CI
Data handling
Retention
- Active customer data: for duration of subscription
- Cancelled customer data: exportable for 30 days, anonymized or deleted after 90 days
- Billing records: 10 years (Swiss law)
- Access logs: 30 days rolling
- Hashed IP addresses: 12 months for fraud prevention
AI model training disclaimer
We do not train AI models on your content. Customer prompts, reports, and audit results are used solely to deliver the Service.
Monitoring & incident response
- 24×7 monitoring with automated alerting to on-call engineer within 60 seconds of threshold breach
- Uptime monitoring across 15+ global regions (status: status.georion.app)
- SIEM aggregating security-relevant logs with anomaly detection
- Incident response SLA: 1 hour acknowledgment, 4 hours initial response, root cause analysis within 72 hours, customer notification within 24 hours of confirmed data incident (GDPR 72-hour rule)
- Customer notification: email + in-app banner + status page for incidents affecting your data or service availability
- Quarterly tabletop exercises simulating incident scenarios
Compliance & certifications
- GDPR (EU 2016/679): fully compliant; DPA available on request — see our Data Processing Addendum
- Swiss FADP (nFADP, September 2023): fully compliant
- CCPA / CPRA (California): compliant for California residents; Do Not Sell My Info honored automatically (we don't sell data)
- SOC 2 Type II: audit in progress; expected certification Q3 2026
- ISO 27001: on our 2027 roadmap
- HIPAA: not currently certified; Enterprise customers in healthcare should contact sales for BAA discussion
- FedRAMP: not currently pursued
Vulnerability disclosure & recognition
We work with the security community through a coordinated disclosure program. We do not currently operate a paid bug bounty, but we recognize valid reports as follows:
- Public acknowledgment (with your permission) in our Acknowledgments section.
- Georion subscription credit for valid, previously-unreported vulnerabilities, at our discretion and scaled to severity.
- Swag where available.
If we introduce a paid bounty in future, we will announce it here. For high-impact reports we are happy to discuss recognition on a case-by-case basis.
Eligibility: first reporter to disclose responsibly. Out-of-scope: automated scanner output without exploitation, physical/social engineering, DoS, issues in third-party dependencies (report to the vendor).
Safe harbor: we will not pursue legal action against researchers acting in good faith within this program's scope.
Report a vulnerability
Email: security@georion.app
We respond within 24 hours on business days.
Include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Your proposed remediation (optional but appreciated)
We credit security researchers (with their permission) in our Acknowledgments below when fixes are shipped.
Acknowledgments
We thank the security researchers who have responsibly disclosed vulnerabilities and helped keep Georion customers safe:
- Enis Getmez — July 2026 — reported broken access control (IDOR) on several authenticated API endpoints, enabling responsible remediation across the affected routes. Fixed promptly.