Security you can verify, not just trust.
This page is written for due diligence: hosting, encryption, architecture, shipped controls, subprocessors and the real status of our certifications. Facts only, each one checkable.
The technical fact sheet
Every row below describes the platform as it runs today.
- Hosting
- Hosted in France, datacenter in the Paris region
- Data residency
- European Union; no non-EU dependency in the request path
- In transit
- TLS 1.2 minimum, TLS 1.3 preferred, HSTS enabled
- Application secrets at rest
- OAuth client secrets, SAML signing keys, TOTP secrets and SCIM tokens encrypted with AES-256-GCM
- Passwords
- Argon2id hashing; policy aligned with NIST 800-63B and ANSSI guidance; compromised password blocklist checked 100% locally, no external service
- Assets and fonts
- Self hosted; no external CDN
- GeoIP
- Resolved locally on our infrastructure; no external lookup
- Standards
- OIDC, OAuth 2.1 (PKCE, PAR, DPoP), SAML 2.0, SCIM 2.0
- Admin API
- Public OpenAPI 3.1 contract at /v1/openapi.json
Architecture
The structural choices, as implemented.
Strict multi-tenant isolation
Each tenant is isolated end to end: configuration, users, policies, branding and audit trail never cross a tenant boundary.
A 100% EU request path
Every request is served from EU infrastructure. No third party CDN, no non-EU API call in the authentication path.
Opaque, revocable sessions
Sessions are opaque, random tokens that can be revoked server side. Only a hash of each token is stored, so a leak of the session table yields hashes that cannot be presented as sessions.
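As an added illustration of this design (example code written for this page, not Obexal's implementation), the store below issues random tokens, persists only their SHA-256 digest, and resolves or revokes sessions by that digest. The TTL, the in-memory dictionary and the method names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Added example, not Obexal's code: an opaque-session store that keeps only a
# SHA-256 digest of each token. Names, TTL and the in-memory dict are assumptions.

TOKEN_BYTES = 32  # 256 bits of randomness; the token itself carries no data


def token_digest(token: str) -> str:
    """Index key for a token: the only form in which it is ever persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._rows: Dict[str, dict] = {}  # digest -> session row

    def issue(self, tenant_id: str, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._rows[token_digest(token)] = {
            "tenant": tenant_id,
            "user": user_id,
            "expires_at": now + self.ttl,
            "revoked": False,
        }
        return token  # handed to the client once, never written anywhere in clear

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the session's tenant and user, or None for unknown, expired or revoked tokens."""
        now = time.time() if now is None else now
        row = self._rows.get(token_digest(token))
        if row is None or row["revoked"] or now >= row["expires_at"]:
            return None
        return {"tenant": row["tenant"], "user": row["user"]}

    def revoke(self, token: str) -> bool:
        """Server-side revocation of one session; takes effect on the next resolve()."""
        row = self._rows.get(token_digest(token))
        if row is None:
            return False
        row["revoked"] = True
        return True

    def revoke_all_for_user(self, tenant_id: str, user_id: str) -> int:
        """Revocation by identity, e.g. on password change or offboarding; scoped to one tenant."""
        count = 0
        for row in self._rows.values():
            if row["tenant"] == tenant_id and row["user"] == user_id and not row["revoked"]:
                row["revoked"] = True
                count += 1
        return count

    def leaked_rows(self) -> Dict[str, dict]:
        """What an attacker holding a dump of the session table would have: digests, not tokens."""
        return dict(self._rows)
```

Feeding a leaked digest back into `resolve()` fails, because the lookup key is the digest of whatever the client presents, and SHA-256 is preimage resistant; revocation is a server-side flag, so a token cannot outlive a revoke by being replayed.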
Near-constant-time anti-enumeration
Login and recovery endpoints return the same generic answer whether or not the account exists, and compute a decoy hash when it does not, so neither the response nor its timing reveals whether an account exists.
Layered rate limiting and lockout
Rate limits apply per email and per IP on login, signup and passwordless flows, with account lockout after repeated failures.
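The two points above (decoy hashing against enumeration, and per-email plus per-IP limits with lockout) fit together in one login handler. The block below is an added example written for this page, not Obexal's code: it uses scrypt from the standard library as a stand-in for Argon2id so it runs offline, and the limits, window and lockout duration are illustrative assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Added example, not Obexal's code. scrypt stands in for Argon2id so the block
# runs offline; limits and lockout values are assumptions chosen for illustration.

_SCRYPT = dict(n=2 ** 13, r=8, p=1, dklen=32)
GENERIC_DENY = "invalid_credentials"  # the only failure a client ever sees


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)
    return hmac.compare_digest(candidate, digest)


# Decoy hash: verified against for unknown accounts so the miss path costs the
# same as a real verification. Random input, so no guess can ever match it.
DECOY_HASH = hash_password(secrets.token_hex(32))


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit, self.window = limit, window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class LoginService:
    LOCKOUT_AFTER = 5       # consecutive failures before the account is locked
    LOCKOUT_SECONDS = 900

    def __init__(self, users: Dict[str, bytes]) -> None:
        self.users = users  # email -> stored password hash
        self.per_email = SlidingWindowLimiter(10, 60)
        self.per_ip = SlidingWindowLimiter(50, 60)
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def login(self, email: str, password: str, ip: str,
              now: Optional[float] = None) -> Tuple[str, str]:
        """Return (client_response, audit_reason). Only the first goes on the wire."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        # Limiters are keyed before the account is looked up, so an unknown
        # email is throttled and locked exactly like a real one.
        if not self.per_ip.allow(ip, now):
            return GENERIC_DENY, "ip_rate_limited"
        if not self.per_email.allow(email, now):
            return GENERIC_DENY, "email_rate_limited"

        stored = self.users.get(email)
        # Exactly one password verification per request, real hash or decoy,
        # and it runs even on the locked path so timing stays uniform.
        matched = verify_password(password, stored if stored is not None else DECOY_HASH)
        matched = matched and stored is not None

        if self.locked_until.get(email, 0.0) > now:
            return GENERIC_DENY, "locked"
        if not matched:
            self.failures[email] += 1
            if self.failures[email] >= self.LOCKOUT_AFTER:
                self.locked_until[email] = now + self.LOCKOUT_SECONDS
            return GENERIC_DENY, "unknown_account" if stored is None else "bad_password"
        self.failures[email] = 0
        self.locked_until.pop(email, None)
        return "ok", "success"


def demo_service() -> LoginService:
    """Constructed single-user table for the example."""
    return LoginService({"j.doe@example.eu": hash_password("correct horse battery staple")})
```

The audit reason is what the audit log records; the client response is identical for an unknown account, a wrong password and a locked account. In production the `hash_password`/`verify_password` pair would wrap Argon2id (for instance via argon2-cffi) with the same structure.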
Fail closed by design
The LDAP/AD bridge and the AI agent ceilings fail closed: if a dependency is unreachable or a limit check cannot complete, access is denied, never granted.
Shipped controls, stated precisely
Everything below is in production today, not on a roadmap.
Conditional access
Network (CIDR), schedule and country rules, with versioned policies, a counterfactual impact simulation before a policy is enforced, and rollback to a previous version.
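An added example of how these three rule types, versioning and a counterfactual simulation fit together (written for this page, not Obexal's implementation). The policy model (allow-lists for CIDR and country, a weekday/hour schedule evaluated in UTC), the sample sign-in events and the report shape are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example, not Obexal's code. Policy model, sample events and the
# simulation report format are assumptions made for illustration.


@dataclass(frozen=True)
class Policy:
    allow_cidrs: Tuple[str, ...] = ()                 # empty = no network rule
    allow_countries: FrozenSet[str] = frozenset()     # empty = no country rule
    # (weekdays with Monday=0, start_hour, end_hour), evaluated in UTC; None = no rule
    schedule: Optional[Tuple[FrozenSet[int], int, int]] = None

    def evaluate(self, ip: str, country: str, at: datetime) -> str:
        """'allow' or 'deny'. Every configured rule must pass."""
        if self.allow_cidrs:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(c) for c in self.allow_cidrs):
                return "deny"
        if self.allow_countries and country not in self.allow_countries:
            return "deny"
        if self.schedule is not None:
            days, start, end = self.schedule
            at_utc = at.astimezone(timezone.utc)
            if at_utc.weekday() not in days or not (start <= at_utc.hour < end):
                return "deny"
        return "allow"


@dataclass(frozen=True)
class SignIn:
    user: str
    ip: str
    country: str
    at: datetime


class PolicyStore:
    """Versioned policies: publishing never overwrites; rollback republishes an old version."""

    def __init__(self, initial: Policy) -> None:
        self.versions: List[Policy] = [initial]

    @property
    def current(self) -> Policy:
        return self.versions[-1]

    @property
    def current_version(self) -> int:
        return len(self.versions)

    def simulate(self, candidate: Policy, history: List[SignIn]) -> Dict[str, object]:
        """Counterfactual: replay past sign-ins under current vs candidate; enforces nothing."""
        newly_denied: List[str] = []
        newly_allowed: List[str] = []
        unchanged = 0
        for ev in history:
            before = self.current.evaluate(ev.ip, ev.country, ev.at)
            after = candidate.evaluate(ev.ip, ev.country, ev.at)
            if before == after:
                unchanged += 1
            elif after == "deny":
                newly_denied.append(ev.user)
            else:
                newly_allowed.append(ev.user)
        return {"newly_denied": newly_denied, "newly_allowed": newly_allowed, "unchanged": unchanged}

    def publish(self, policy: Policy) -> int:
        self.versions.append(policy)
        return self.current_version

    def rollback(self, version: int) -> int:
        """Restore a previous version as a new version, keeping the full history."""
        if not 1 <= version <= len(self.versions):
            raise ValueError(f"unknown policy version {version}")
        return self.publish(self.versions[version - 1])


def sample_history() -> List[SignIn]:
    """Constructed sign-in events using documentation address ranges, not real traffic."""
    def d(*parts: int) -> datetime:
        return datetime(*parts, tzinfo=timezone.utc)
    return [
        SignIn("j.doe@example.eu", "203.0.113.7", "FR", d(2026, 6, 30, 9, 0)),   # Tue 09:00
        SignIn("a.martin@example.eu", "10.1.2.3", "DE", d(2026, 7, 4, 10, 0)),   # Sat 10:00
        SignIn("m.roe@example.eu", "198.51.100.9", "FR", d(2026, 6, 30, 9, 0)),  # off-network
        SignIn("k.lee@example.eu", "203.0.113.8", "FR", d(2026, 6, 30, 22, 0)),  # Tue 22:00
    ]
```

The simulation answers the question an administrator actually has before tightening a policy: which users who signed in successfully last week would now be blocked. Rollback appends rather than deletes, so the audit trail of which version was in force at any moment stays intact.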
MFA with step-up
Passkeys (WebAuthn), TOTP and email codes, with step-up on sensitive actions. MFA can be enforced per tenant and per group.
AI agent governance
Per-agent identity with fail-closed TTL and scope ceilings, an immediate kill switch, anomaly detection and a forensic log of delegations.
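An added example of the fail-closed ceilings described here and under "Fail closed by design" above (written for this page, not Obexal's code). The ceiling record shape, the clamping of a requested TTL to the ceiling, the in-memory delegation log and the event names are assumptions; the point is that every failure in the check path, including a policy store that is down, ends in a denial.

```python
import time
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Optional, Tuple

# Added example, not Obexal's code. Ceiling record shape, TTL clamping and the
# in-memory log are assumptions; the fail-closed structure is the point.


@dataclass(frozen=True)
class Delegation:
    agent_id: str
    scopes: FrozenSet[str]
    issued_at: float
    expires_at: float


Decision = Tuple[bool, str]  # (allowed, reason)


class AgentGovernor:
    def __init__(self, ceiling_lookup: Callable[[str], dict]) -> None:
        # ceiling_lookup(agent_id) -> {"max_ttl": seconds, "scopes": frozenset}, or raises
        self._lookup = ceiling_lookup
        self._killed: set = set()
        self.delegation_log: List[dict] = []

    def kill(self, agent_id: str, by: str, now: Optional[float] = None) -> None:
        """Kill switch: takes effect on the very next authorization check."""
        self._killed.add(agent_id)
        self._log("agent.kill_switch.activated", agent_id, now=now, by=by)

    def delegate(self, agent_id: str, requested_scopes: Iterable[str], requested_ttl: float,
                 by: str, now: Optional[float] = None) -> Delegation:
        now = time.time() if now is None else now
        ceiling = self._lookup(agent_id)  # errors propagate: no grant without a ceiling
        requested = frozenset(requested_scopes)
        excess = requested - ceiling["scopes"]
        if excess:
            self._log("agent.delegation.denied", agent_id, now=now, by=by, excess=sorted(excess))
            raise PermissionError(f"requested scopes exceed ceiling: {sorted(excess)}")
        ttl = min(requested_ttl, ceiling["max_ttl"])  # TTL ceiling: clamp, never extend
        delegation = Delegation(agent_id, requested, now, now + ttl)
        self._log("agent.delegation.issued", agent_id, now=now, by=by,
                  scopes=sorted(requested), ttl=ttl)
        return delegation

    def authorize(self, d: Delegation, scope: str, now: Optional[float] = None) -> Decision:
        """Fail closed: any error inside the checks is a denial, never a grant."""
        now = time.time() if now is None else now
        try:
            if d.agent_id in self._killed:
                return False, "kill_switch"
            if now >= d.expires_at:
                return False, "expired"
            ceiling = self._lookup(d.agent_id)  # live re-check: ceilings can be tightened after issue
            if scope not in d.scopes or scope not in ceiling["scopes"]:
                return False, "scope_not_granted"
            if now >= d.issued_at + ceiling["max_ttl"]:
                return False, "ttl_ceiling"
            return True, "ok"
        except Exception as exc:  # store down, malformed record, anything unexpected
            return False, f"check_failed:{type(exc).__name__}"

    def _log(self, event: str, agent_id: str, now: Optional[float] = None, **fields) -> None:
        self.delegation_log.append({
            "at": time.time() if now is None else now,
            "event": event,
            "agent": agent_id,
            **fields,
        })
```

The `except Exception` in `authorize()` is deliberate: a narrower handler would let an unforeseen error type escape to a caller that might treat "no decision" as "proceed". Denying on every error and recording the error class gives the forensic log something to explain the outage without ever widening access.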
Append-only audit log
Every sensitive action is written to an immutable, append-only audit log, with a real time stream and export.
HMAC signed webhooks
Outbound webhooks are signed with HMAC, so the receiver can verify the origin and integrity of every event.
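An added example of both sides of this exchange (written for this page, not Obexal's code). The header names, the `timestamp.body` canonical form and the five-minute replay tolerance are assumptions; the receiver function is the part a customer would run in their endpoint.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Added example, not Obexal's code: HMAC-SHA256 webhook signing with the delivery
# timestamp bound into the signed string. Header names, canonical form and the
# replay tolerance are assumptions.

SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
TOLERANCE_SECONDS = 300


def _signing_input(timestamp: int, body: bytes) -> bytes:
    # Binding the timestamp into the MAC means an attacker cannot replay an old
    # delivery with a fresh timestamp: the signature would no longer match.
    return str(timestamp).encode("ascii") + b"." + body


def sign_webhook(secret: bytes, body: bytes, now: int) -> Dict[str, str]:
    """Sender side: headers to attach to the raw body exactly as it is sent."""
    mac = hmac.new(secret, _signing_input(now, body), hashlib.sha256).hexdigest()
    return {TS_HEADER: str(now), SIG_HEADER: f"sha256={mac}"}


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes, now: int) -> Tuple[bool, str]:
    """Receiver side. Verify over the raw request bytes, before any JSON parsing."""
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False, "missing_or_bad_timestamp"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale_timestamp"  # replayed or long-delayed delivery
    presented = headers.get(SIG_HEADER, "")
    if not presented.startswith("sha256="):
        return False, "missing_signature"
    expected = hmac.new(secret, _signing_input(ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many leading bytes match.
    if not hmac.compare_digest(presented[len("sha256="):], expected):
        return False, "bad_signature"
    return True, "ok"


def sample_event() -> bytes:
    """Constructed event body, serialised once; these exact bytes are what gets signed."""
    payload = {"event": "auth.mfa.step_up.success", "actor": "j.doe@example.eu"}
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")
```

Two receiver-side details matter in practice: verify the raw bytes as received (re-serialising parsed JSON can change whitespace or key order and break the MAC), and reject on a stale timestamp before comparing signatures, so a captured delivery cannot be replayed indefinitely.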
Scoped admin API tokens
Admin API tokens carry explicit scopes: a token only does what it was created for.
Sample audit log entries:

| Time | Event | Actor |
|---|---|---|
| 09:41:22 | agent.kill_switch.activated | admin@example.eu |
| 09:38:10 | policy.simulation.completed | admin@example.eu |
| 09:36:54 | auth.mfa.step_up.success | j.doe@example.eu |
Who can access your data at Obexal
Plain answers, without dressing them up as certified processes.
A small, accountable team
Obexal is operated by a small team. Fewer people with access means a shorter list to audit, and we keep that list short on purpose.
MFA on every administrative access
All administrative access to Obexal systems requires multi-factor authentication, without exception.
Least privilege on production
Access to production data is limited to what operations require and to support explicitly requested by the customer.
Every administrative action is logged
Administrative actions on the platform are recorded in the audit log, like any other sensitive action.
Subprocessors
- Hosting provider
- An EU based provider; datacenter in France (Paris region)
- Transactional email
- An EU based provider
- Named list
- Provided on request via our contact page, with the role and location of each subprocessor
- Everything else
- No other subprocessor in the request path; no external CDN
Compliance and certifications, at their real status
No badge is claimed before it is earned.
- GDPR
- Data export and deletion available self service; data processing agreement at /legal/dpa/
- ISO/IEC 27001
- As of July 2, 2026: not certified. A documented mapping to ISO/IEC 27001:2022 Annex A controls is maintained
- SOC 2
- As of July 2, 2026: not certified
- HDS (French health data hosting)
- As of July 2, 2026: not certified
- SecNumCloud
- Roadmap under way; no timeline published yet
- EU AI Act
- We make no compliance self declaration. Obexal helps you meet your own obligations: per agent identity and traceability, an audit log, a kill switch and human oversight of AI agents
Vulnerability disclosure
Machine readable policy
Our disclosure policy is published at /.well-known/security.txt, where security researchers expect to find it.
Direct contact
Report to contact@obexal.com. We acknowledge reports, generally within 48 business hours.
No bug bounty today
We do not run a bug bounty program yet, and we prefer to say so plainly rather than let it be assumed.
Continuity and recovery
- Backups
- Encrypted backups, stored in the European Union
- Restoration
- Restoration is tested; the documented recovery strategy is restoration from a verified backup
- Recovery objectives
- Numeric recovery targets (RTO and RPO) will be published together with the SLA
CISO due diligence FAQ
Has an external penetration test been performed?
Not yet: an external penetration test is planned but has not been performed to date. Every release goes through systematic internal adversarial security reviews, and we prefer to state exactly that rather than imply more.
Where exactly is our data hosted?
In France, in a datacenter in the Paris region, with data residency in the European Union. There is no non-EU dependency in the request path. See our sovereignty approach.
Who at Obexal can access our data?
A small team, under least privilege, with multi-factor authentication on every administrative access. Access to production data is limited to operations and to support you explicitly request, and every administrative action is recorded in the audit log.
How is our data encrypted?
In transit: TLS 1.2 minimum, TLS 1.3 preferred, with HSTS. At rest: application secrets (OAuth client secrets, SAML signing keys, TOTP secrets, SCIM tokens) are encrypted with AES-256-GCM. Passwords are hashed with Argon2id.
Which certifications do you hold?
As of July 2, 2026: Obexal is not certified ISO 27001, SOC 2 or HDS. A documented mapping to ISO/IEC 27001:2022 Annex A is maintained and the SecNumCloud roadmap is under way. We claim no badge before it is earned.
How do we get the DPA and the subprocessor list?
The DPA is published at /legal/dpa/. The named subprocessor list is provided on request via our contact page.
Do you rely on any CDN or non-EU service?
No. Assets and fonts are self hosted, GeoIP is resolved locally on our infrastructure, and there is no non-EU dependency in the request path.
How do we report a vulnerability?
Through the policy published at /.well-known/security.txt or to contact@obexal.com. We acknowledge reports, generally within 48 business hours. There is no bug bounty program to date.
The full security dossier, on request.
We answer CISO and DPO questionnaires in plain terms, with evidence.