Security & compliance

Your compliance data, protected and hosted in Europe

Certeef hosts all of your data within the European Union and applies defense in depth at every layer of the platform. Here is how we protect your training organization — first in plain language, then in detail.

  • Data hosted in the European Union
  • GDPR compliant
  • Encrypted at rest (AES-256) and in transit (TLS)

The essentials

What we guarantee

  • Hosting in the European Union

    File storage, database and monitoring are all hosted in an EU region. By default, none of your data leaves Europe.

  • GDPR compliant

    Your data is never sold or transferred to third parties for commercial purposes. Your rights to access, rectify and erase are guaranteed, in line with the GDPR.

  • Encrypted at rest and in transit

    Files are encrypted at rest (AES-256) and travel over TLS. Documents are accessed only through signed, time-limited links — never through direct exposure.

  • Defense in depth

    Three independent authorization layers, from the application perimeter down to verifying that each file genuinely belongs to your organization.

  • Tenant isolation

    Every organization is compartmentalized. Your membership of your workspace is re-checked on every request: access cannot leak from one customer to another.

  • Probative-value e-signature

    Signed documents are cryptographically sealed (PKCS#7 / PAdES), timestamped (RFC-3161) and backed by a complete audit trail.

Technical level

The detail, for security teams

For CISOs, DPOs and technical teams: Certeef's security architecture, control by control.

01

Authentication

Authentication handled by better-auth, hardened against brute-force and credential stuffing.

  • Mandatory email verification — no password session is opened until the address is confirmed; the link is re-issued automatically when an unverified account signs in.
  • Enterprise SSO — Google and Microsoft Entra ID (OAuth 2.0), with configurable tenant ID.
  • Password policy — 12 to 128 characters mixing lowercase, uppercase, digit and special character — enforced server-side, on sign-up and on reset. Client-side validation is never the authority.
  • Anti-bot — Cloudflare Turnstile on sign-in, sign-up and reset; the secret key is mandatory in production.
  • Database-backed rate limiting — counters are shared across all server instances, so spreading requests over several instances does not bypass them: 100 req/min globally, 5/min on sign-in and sign-up, 3/h on reset and verification-email sending.

02
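As an added illustration (not Certeef's code), here is a fixed-window limiter in TypeScript with the limits quoted above. The `CounterStore` interface, the in-memory store standing in for the database table, and the function names are constructed for the example; the point it shows is that two "instances" sharing one store see the same counters.

```typescript
// Added example: fixed-window rate limiting over a shared counter store.
// Names and the in-memory store are constructed for illustration.

interface CounterStore {
  // Atomically increments the counter for (key, window) and returns the new count.
  increment(key: string, windowStart: number): number;
}

// Stand-in for the database table that every server instance writes to.
class MemoryCounterStore implements CounterStore {
  private counts = new Map<string, number>();
  increment(key: string, windowStart: number): number {
    const k = `${key}:${windowStart}`;
    const n = (this.counts.get(k) ?? 0) + 1;
    this.counts.set(k, n);
    return n;
  }
}

interface Rule { limit: number; windowMs: number }

// Limits as stated on the page.
const RULES: Record<string, Rule> = {
  global: { limit: 100, windowMs: 60_000 },
  "sign-in": { limit: 5, windowMs: 60_000 },
  "sign-up": { limit: 5, windowMs: 60_000 },
  "password-reset": { limit: 3, windowMs: 3_600_000 },
  "verification-email": { limit: 3, windowMs: 3_600_000 },
};

function checkRateLimit(
  store: CounterStore, rule: string, clientId: string, now: number,
): { allowed: boolean; remaining: number } {
  const r = RULES[rule];
  if (!r) throw new Error(`unknown rate-limit rule: ${rule}`);
  // Align the window to a multiple of windowMs so every instance computes the same bucket.
  const windowStart = now - (now % r.windowMs);
  const n = store.increment(`${rule}:${clientId}`, windowStart);
  return { allowed: n <= r.limit, remaining: Math.max(0, r.limit - n) };
}

// A request consumes the global bucket and, for protected routes, the route bucket too.
function admitRequest(store: CounterStore, route: string, clientId: string, now: number): boolean {
  if (!checkRateLimit(store, "global", clientId, now).allowed) return false;
  if (route !== "global" && route in RULES) {
    return checkRateLimit(store, route, clientId, now).allowed;
  }
  return true;
}

export { MemoryCounterStore, checkRateLimit, admitRequest, RULES };
```

Because the window start is derived from the clock rather than from the first request, instances do not need to agree on anything beyond the shared store; the cost is a burst of up to twice the limit at a window boundary, which a sliding-window design avoids at the price of more state.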

Authorization: defense in depth

Three independent guards, from the application perimeter down to each file.

  • Layer 1 — Perimeter — every non-public route requires a valid session; otherwise it redirects to the sign-in page.
  • Layer 2 — Server-side guards — roles are enforced server-side. A read-only account (company portal) is confined by the server, not merely hidden in the UI: direct URL access is blocked.
  • Layer 3 — Object-level authorization — every download is re-checked in cascade: session present, active organization resolved, file genuinely belonging to the organization, and role permitting that specific file. This is the strictest access control, not a simple global filter.

03

Multi-tenant isolation

Every organization is compartmentalized, and membership is revalidated on every request.

  • The active organization is resolved on every request, with systematic re-verification of membership in the database.
  • A forged or stale organization cookie grants no access: if the user is no longer a member, the cookie is ignored.
  • A file-by-file audit of data queries confirms that none exposes another customer's data from unverified user input.

04

Electronic signature — chain of probative value

In-house signature engine, with a standard cryptographic chain of evidence.

  • Secure signing links — 256-bit random token, never stored in clear (only its SHA-256 hash is in the database), verified by constant-time comparison, with expiry.
  • Audit trail — every event (created, sent, opened, viewed, OTP, signed) is timestamped with IP address, User-Agent and SHA-256 fingerprint of the document.
  • Integrity sealing — PKCS#7 / PAdES signature applied server-side; SHA-256 fingerprint of the sealed PDF persisted; self-contained verification with no third party — altering a single byte breaks the proof.
  • Timestamping — RFC-3161 token requested from a timestamping authority, attesting the date independently of the server clock.
  • Evidence certificate — a PDF summarizes signers, integrity fingerprints and the timestamped event log, materializing probative value in the event of a dispute.

05

File storage

Cloudflare R2 object storage, EU hosting enforced, access only through signed links.

  • EU hosting enforced — endpoint with EU jurisdiction, buckets created in the “eu” jurisdiction (verified by an automated test).
  • Pre-signed URL access — no direct bucket exposure; storage credentials never leave the server.
  • Locked-down uploads — session required, allowlist of file types (PDF, JPEG, PNG, DOCX) and size caps (10 MB documents, 5 MB images) — denial-of-service bounds.
  • Encryption at rest — native AES-256 encryption of the object storage.

06

Input validation & anti-injection

All incoming data is typed, validated and sanitized.

  • Systematic validation — server actions are typed and validated via Zod on every request.
  • Stored-XSS prevention — HTML from learning content is sanitized before storage and before rendering — strict tag allowlist, removal of scripts, iframes and event attributes, URL schemes limited to http / https / mailto.
  • Code quality — strict TypeScript and automated checks (lint, blocking pre-commit hook).

07

External surfaces — webhooks & scheduled tasks

External entry points are authenticated cryptographically.

  • Payment webhooks — cryptographic signature verified on every receipt; any request without a valid signature is rejected.
  • Scheduled tasks (cron) — protected by a secret Bearer token; not triggerable by a third party despite a public path.
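Both controls above reduce to the same pattern: recompute or look up the expected credential server-side and compare it in constant time. The TypeScript below is an added example, not Certeef's code or the payment provider's actual signature format: the `t=<unix-seconds>,v1=<hex>` header layout, the HMAC-SHA256-over-`timestamp.body` construction and the five-minute replay window are assumptions chosen to illustrate the technique.

```typescript
// Added example: HMAC-signed webhook verification with a replay window, and a
// constant-time Bearer-token check for a cron endpoint. The header format and
// signing construction are assumptions, not a specific provider's scheme.
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Constant-time equality on two UTF-8 strings; unequal lengths fail without leaking where.
function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

function computeWebhookMac(secret: string, timestamp: number, rawBody: string): string {
  // The timestamp is bound into the MAC so a captured request cannot be re-dated.
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Producer side (what a sender would attach), included so the example round-trips.
function signWebhook(secret: string, timestamp: number, rawBody: string): string {
  return `t=${timestamp},v1=${computeWebhookMac(secret, timestamp, rawBody)}`;
}

// Receiver side: verify over the *raw* body bytes, before any JSON parsing,
// and reject anything outside the tolerance window.
function verifyWebhook(
  secret: string, signatureHeader: string | undefined, rawBody: string,
  nowSeconds: number, toleranceSeconds = 300,
): boolean {
  if (!signatureHeader) return false;
  const fields = new Map<string, string>();
  for (const kv of signatureHeader.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) fields.set(kv.slice(0, i).trim(), kv.slice(i + 1).trim());
  }
  const ts = Number(fields.get("t"));
  const presented = fields.get("v1");
  if (!Number.isInteger(ts) || presented === undefined) return false;
  if (Math.abs(nowSeconds - ts) > toleranceSeconds) return false;
  return constantTimeEqual(computeWebhookMac(secret, ts, rawBody), presented);
}

// Cron endpoint: public path, but only callers presenting the shared secret proceed.
function verifyCronToken(expectedSecret: string, authorization: string | undefined): boolean {
  const prefix = "Bearer ";
  if (!authorization || !authorization.startsWith(prefix)) return false;
  return constantTimeEqual(authorization.slice(prefix.length), expectedSecret);
}

export { signWebhook, verifyWebhook, verifyCronToken, constantTimeEqual };
```

Verifying against the raw request body is the detail most often missed: re-serialising parsed JSON changes whitespace and key order and the MAC no longer matches, which tempts people to loosen the check rather than fix the ordering.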

08

Secrets & configuration management

No silent degraded mode: the application refuses to start if a critical secret is missing.

  • Production assertions raise an explicit error at startup if a critical variable is missing (app URL, anti-bot key, sealing key…).
  • Strict separation between server secrets and code shipped to the browser: sensitive modules are marked server-only; a leak to the client becomes a build error.

09

Hosting, sovereignty & monitoring

Data and monitoring in an EU region, continuous incident detection.

  • Data in the EU — file storage in EU jurisdiction, database and monitoring (Sentry EU region) hosted in Europe — consistent with the GDPR.
  • Incident detection — Sentry monitoring active across all environments.

Are you a CISO or DPO who would like the full security brief? Contact us.

Ready to de-risk your next audit?

A 30-minute demo, a case applied to your organization, and a quote within 24 hours. No pressure, no commitment.

No credit card required