Security and trust

Security you can verify, not just trust.

This page is written for due diligence: hosting, encryption, architecture, shipped controls, subprocessors and the real status of our certifications. Facts only, each one checkable.

The technical fact sheet

Every row below describes the platform as it runs today.

Hosting: Hosted in France, datacenter in the Paris region
Data residency: European Union; no non-EU dependency in the request path
In transit: TLS 1.2 minimum, TLS 1.3 preferred, HSTS enabled
Application secrets at rest: OAuth client secrets, SAML signing keys, TOTP secrets and SCIM tokens encrypted with AES-256-GCM
Passwords: Argon2id hashing; policy aligned with NIST 800-63B and ANSSI guidance; compromised password blocklist checked 100% locally, no external service
Assets and fonts: Self hosted; no external CDN
GeoIP: Resolved locally on our infrastructure; no external lookup
Standards: OIDC, OAuth 2.1 (PKCE, PAR, DPoP), SAML 2.0, SCIM 2.0
Admin API: Public OpenAPI 3.1 contract at /v1/openapi.json

Architecture

The structural choices, as implemented.

Strict multi-tenant isolation

Each tenant is isolated end to end: configuration, users, policies, branding and audit trail never cross a tenant boundary.

A 100% EU request path

Every request is served from EU infrastructure. No third-party CDN, no non-EU API call in the authentication path.

Opaque, revocable sessions

Sessions are opaque tokens, revocable server-side. Only a hash of each token is stored, so a database leak exposes no usable session.

Near-constant-time anti-enumeration

Login and recovery endpoints return generic answers and compute a decoy hash, so response timing does not reveal whether an account exists.
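The two patterns above (hash-only session storage, and a decoy hash so login cost does not depend on whether the account exists) as one added illustration. This is example code, not Obexal's implementation; it uses PBKDF2 from the standard library as a stand-in for the Argon2id the page describes, and all names, users and passwords in it are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Stand-in for Argon2id (the page's real choice) so this runs with the stdlib only.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Decoy credential, derived once at startup from a random secret. When the requested
# account does not exist we verify against this instead, so the same hashing work is done.
DECOY_SALT, DECOY_HASH = hash_password(secrets.token_hex(16))

USERS: Dict[str, Tuple[bytes, bytes]] = {}  # email -> (salt, password hash); constructed store
SESSIONS: Dict[str, str] = {}               # sha256(session token) -> email; token itself is never stored


def register(email: str, password: str) -> None:
    USERS[email] = hash_password(password)


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(email: str, password: str) -> Optional[str]:
    """Return an opaque session token, or None with no hint about which check failed."""
    salt, stored = USERS.get(email, (DECOY_SALT, DECOY_HASH))
    _, candidate = hash_password(password, salt)   # always runs, known account or not
    if not hmac.compare_digest(candidate, stored) or email not in USERS:
        return None                                 # one generic outcome for both cases
    token = secrets.token_urlsafe(32)               # opaque: carries no user data
    SESSIONS[_token_key(token)] = email             # only the hash reaches the database
    return token


def session_owner(token: str) -> Optional[str]:
    return SESSIONS.get(_token_key(token))


def revoke(token: str) -> None:
    """Server-side revocation: drop the stored hash and the token is dead immediately."""
    SESSIONS.pop(_token_key(token), None)
```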

Layered rate limiting and lockout

Rate limits apply per email and per IP on login, signup and passwordless flows, with account lockout after repeated failures.

Fail closed by design

The LDAP/AD bridge and the AI agent ceilings fail closed: when a dependency or a limit check fails, access is denied, never granted.

Who can access your data at Obexal

Plain answers, without dressing them up as certified processes.

A small, accountable team

Obexal is operated by a small team. Fewer people with access means a shorter list to audit, and we keep that list short on purpose.

MFA on every administrative access

All administrative access to Obexal systems requires multi-factor authentication, without exception.

Least privilege on production

Access to production data is limited to what operations require and to support explicitly requested by the customer.

Every administrative action is logged

Administrative actions on the platform are recorded in the audit log, like any other sensitive action.

Subprocessors

Hosting provider: An EU based provider; datacenter in France (Paris region)
Transactional email: An EU based provider
Named list: Provided on request via our contact page, with the role and location of each subprocessor
Everything else: No other subprocessor in the request path; no external CDN

Compliance and certifications, at their real status

No badge is claimed before it is earned.

GDPR: Data export and deletion available self service; data processing agreement at /legal/dpa/
ISO/IEC 27001: As of July 2, 2026: not certified. A documented mapping to ISO/IEC 27001:2022 Annex A controls is maintained
SOC 2: As of July 2, 2026: not certified
HDS (French health data hosting): As of July 2, 2026: not certified
SecNumCloud: Roadmap under way; no timeline published yet
EU AI Act: We make no compliance self declaration. Obexal helps you meet your own obligations: per agent identity and traceability, an audit log, a kill switch and human oversight of AI agents

Vulnerability disclosure

Machine readable policy

Our disclosure policy is published at /.well-known/security.txt, where security researchers expect to find it.

Direct contact

Report to contact@obexal.com. We acknowledge reports, generally within 48 business hours.

No bug bounty today

We do not run a bug bounty program yet, and we prefer to say so plainly rather than let it be assumed.

Continuity and recovery

Backups: Encrypted backups, stored in the European Union
Restoration: Restoration is tested; the documented recovery strategy is restoration from a verified backup
Recovery objectives: Numbered recovery targets (RTO and RPO) will be published together with the SLA

CISO due diligence FAQ

Has an external penetration test been performed?

Not yet: an external penetration test is planned but has not been performed to date. Every release goes through systematic internal adversarial security reviews, and we prefer to state exactly that rather than imply more.

Where exactly is our data hosted?

In France, in a datacenter in the Paris region, with data residency in the European Union. There is no non-EU dependency in the request path. See our sovereignty approach.

Who at Obexal can access our data?

A small team, under least privilege, with multi-factor authentication on every administrative access. Access to production data is limited to operations and to support you explicitly request, and every administrative action is recorded in the audit log.

How is our data encrypted?

In transit: TLS 1.2 minimum, TLS 1.3 preferred, with HSTS. At rest: application secrets (OAuth client secrets, SAML signing keys, TOTP secrets, SCIM tokens) are encrypted with AES-256-GCM. Passwords are hashed with Argon2id.

Which certifications do you hold?

As of July 2, 2026: Obexal is not certified ISO 27001, SOC 2 or HDS. A documented mapping to ISO/IEC 27001:2022 Annex A is maintained and the SecNumCloud roadmap is under way. We claim no badge before it is earned.

How do we get the DPA and the subprocessor list?

The DPA is published at /legal/dpa/. The named subprocessor list is provided on request via our contact page.

Do you rely on any CDN or non-EU service?

No. Assets and fonts are self hosted, GeoIP is resolved locally on our infrastructure, and there is no non-EU dependency in the request path.

How do we report a vulnerability?

Through the policy published at /.well-known/security.txt or to contact@obexal.com. We acknowledge reports, generally within 48 business hours. There is no bug bounty program to date.

The full security dossier, on request.

We answer CISO and DPO questionnaires in plain terms, with evidence.