Last full audit: 24 June 2026

Security is not optional — it's our foundation.

Your HR, payroll, contracts and business secrets are protected by the strictest industry standards. You can verify it yourself.

69/69 security tests passed
OWASP Top 10 covered
30 min incident response time
7 days a week active monitoring

Authentication & access control

Multiple layers lock down access to your workspace. No login goes unnoticed.

Traceable sessions

Every login is logged with timestamp, browser, device and IP. Browse the last 90 days from your profile.

Secure mobile login

Your team authenticates with phone + a unique PIN sent via activation email. No password to remember.

Brute-force protection

5 failed attempts trigger an automatic 15-minute lockout. You are alerted to any suspicious activity on your account.

Session monitoring

See in real time every device connected to your account. Revoke remotely in one click anything that shouldn't be there.

Granular roles & permissions

Admin, HR, Manager, Employee, CFO, Accountant... each role only sees and edits what they should. Strict least-privilege principle.

Strong passwords

Strict policy: minimum 8 characters, mix of uppercase/digits/symbols. Hashed with bcrypt — never stored in plaintext, even on our side.
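The three controls above (password policy, salted password hashing, and the 5-attempt / 15-minute lockout) fit together in one small authentication guard. The code below is an added illustration, not GESPO's code: it assumes an in-memory failure counter and an injectable clock so the lockout window can be exercised deterministically, and it stands in PBKDF2-HMAC-SHA256 from the standard library for bcrypt (a third-party package) so it runs offline; the storage shape (per-user random salt, work factor, derived key, never the plaintext) and the verification flow are the same.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MIN_LENGTH = 8            # page: minimum 8 characters
MAX_FAILED_ATTEMPTS = 5   # page: 5 failed attempts ...
LOCKOUT_SECONDS = 15 * 60 # ... = automatic 15-minute lockout


def check_password_policy(password: str) -> List[str]:
    """Return the policy requirements the password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("an uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("a symbol")
    return problems


# Stand-in for bcrypt (assumption of this example): PBKDF2-HMAC-SHA256, stdlib only.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, slow hash; the stored string never contains the password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


@dataclass
class LoginGuard:
    """Per-account failure counter enforcing the 5-attempt / 15-minute lockout."""
    clock: Callable[[], float] = time.time
    failures: Dict[str, int] = field(default_factory=dict)        # account -> failed count
    locked_until: Dict[str, float] = field(default_factory=dict)  # account -> epoch seconds

    def is_locked(self, account: str) -> bool:
        return self.clock() < self.locked_until.get(account, 0.0)

    def attempt(self, account: str, password: str, stored_hash: str) -> str:
        """Return 'ok', 'bad-password' or 'locked'. Locked accounts are not verified at all."""
        if self.is_locked(account):
            return "locked"
        if verify_password(password, stored_hash):
            self.failures.pop(account, None)   # success resets the counter
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(account, None)   # counter restarts after the lockout expires
        return "bad-password"
```

Note that a locked account short-circuits before any hash computation, which is what makes the lockout useful against a guessing loop: the attacker receives no oracle for the password during the window, and the slow hash is not spent on requests that will be refused anyway.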

Data protection

Your data is encrypted end-to-end, isolated per company, and continuously backed up.

TLS 1.3 encryption

All browser ↔ server communications are encrypted with TLS 1.3, the latest banking-grade standard.

Multi-tenant isolation

Every company lives in its own logical compartment. A request from company A technically cannot reach company B's data.
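One concrete way to make "a request from company A cannot reach company B's data" hold at the data-access layer is to bind the tenant once and make every query carry it, so there is no code path that can forget the filter. The following is an added example, not GESPO's implementation: the schema, the constructed employee rows and the `TenantRepo` class are assumptions of this illustration, built on an in-memory SQLite database so it runs offline.

```python
import sqlite3
from typing import List, Optional, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two companies sharing one table, separated by company_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee ("
        " id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,"
        " name TEXT NOT NULL, salary INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO employee (id, company_id, name, salary) VALUES (?, ?, ?, ?)",
        [
            (1, 100, "Aissatou", 5000),  # company A (constructed)
            (2, 100, "Mamadou", 4200),   # company A
            (3, 200, "Fatou", 6100),     # company B (constructed)
        ],
    )
    conn.commit()
    return conn


class TenantRepo:
    """Data access scoped to one tenant.

    The company id is fixed at construction (taken from the authenticated session,
    never from request parameters) and is added to every WHERE clause, so a
    lookup, listing or update issued on behalf of company A can only ever match
    rows that belong to company A.
    """

    def __init__(self, conn: sqlite3.Connection, company_id: int) -> None:
        self.conn = conn
        self.company_id = company_id

    def get_employee(self, employee_id: int) -> Optional[Tuple[int, str, int]]:
        # An id belonging to another tenant simply does not exist from this tenant's view.
        return self.conn.execute(
            "SELECT id, name, salary FROM employee WHERE company_id = ? AND id = ?",
            (self.company_id, employee_id),
        ).fetchone()

    def list_employees(self) -> List[Tuple[int, str, int]]:
        return self.conn.execute(
            "SELECT id, name, salary FROM employee WHERE company_id = ? ORDER BY id",
            (self.company_id,),
        ).fetchall()

    def update_salary(self, employee_id: int, salary: int) -> int:
        """Return the number of rows changed: 0 when the id is not in this tenant."""
        cur = self.conn.execute(
            "UPDATE employee SET salary = ? WHERE company_id = ? AND id = ?",
            (salary, self.company_id, employee_id),
        )
        self.conn.commit()
        return cur.rowcount
```

The check a practitioner wants here is the negative case: company A asking for employee 3 (company B's row) must get nothing, and an update from A against that id must change zero rows, without the caller having to remember any filter. In a real deployment the same scoping is usually enforced a second time in the database (row-level security or a per-tenant schema) so that an application bug cannot widen the query.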

Daily backups

Encrypted snapshots of the database every 24h, retained for 30 days, restorable in under 4 hours when needed.

Sovereign cloud hosting

Kubernetes-containerized infrastructure, data hosted in ISO 27001-certified datacenters with multi-zone redundancy.

GDPR compliance

Right to export, rectify, and be forgotten. Named audit logs retained 7 years to meet legal and contractual requirements.

Application firewall

Upstream WAF blocks known attacks (SQL injection, XSS, CSRF, DDoS) before they even reach the application.

Continuous testing & audits

We're never satisfied. Every deployment goes through a battery of automated and manual checks.

Automated tests (69/69)

Full security test suite (RBAC, injections, brute-force, webhook signatures...) is run before every production release. 100% coverage.
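Webhook signature checks are one of the test categories listed above. The code below is an added example of what such a check and its tests look like; it is not GESPO's webhook scheme. Everything concrete in it is assumed: the header names `X-Gespo-Timestamp` and `X-Gespo-Signature`, the signed string `"<timestamp>.<raw body>"`, the 5-minute tolerance, and the constructed secret and payload.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

TOLERANCE_SECONDS = 300  # assumption: reject timestamps more than 5 minutes from "now"

# Assumed header names for this illustration.
TIMESTAMP_HEADER = "X-Gespo-Timestamp"
SIGNATURE_HEADER = "X-Gespo-Signature"


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded.

    Binding the timestamp into the MAC means a captured delivery cannot be
    replayed later with a fresh timestamp header.
    """
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes, now: float) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason). Verifies the RAW body bytes, not a re-serialised parse."""
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    expected = sign_webhook(secret, ts, body)
    presented = headers.get(SIGNATURE_HEADER, "")
    # compare_digest keeps the comparison time independent of where the first mismatch is.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


def run_signature_tests() -> Dict[str, Tuple[bool, str]]:
    """The kind of cases a release suite covers: genuine, tampered, replayed, unsigned."""
    secret = b"constructed-demo-secret"  # constructed; real secrets are per integration
    sent_at = 1_750_000_000
    body = json.dumps({"event": "payslip.generated", "employee_id": 42}).encode()
    good_headers = {TIMESTAMP_HEADER: str(sent_at), SIGNATURE_HEADER: sign_webhook(secret, sent_at, body)}

    tampered_body = body.replace(b"42", b"43")  # payload altered, signature unchanged
    replayed_headers = dict(good_headers)        # same delivery presented 1 hour later

    return {
        "genuine": verify_webhook(secret, good_headers, body, now=sent_at + 10),
        "tampered": verify_webhook(secret, good_headers, tampered_body, now=sent_at + 10),
        "replayed": verify_webhook(secret, replayed_headers, body, now=sent_at + 3600),
        "unsigned": verify_webhook(secret, {}, body, now=sent_at + 10),
    }
```

Two details carry most of the security value: verifying the raw request bytes rather than a re-encoded JSON object (re-serialisation changes key order and whitespace and then "fails" genuine deliveries, which tempts people to loosen the check), and refusing stale timestamps so that a logged delivery cannot be replayed against the endpoint.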

Hardened CI/CD

GitHub Actions pipeline with npm/pip audit on every commit, secret scanning, static lint, mandatory review before merge.

Annual external audit

Pentest performed yearly by an independent third-party firm (report available on request under NDA).

Disclosure program

Found a vulnerability? Email security@gespo.digital — we guarantee acknowledgment within 24h and a documented fix.

Frequently asked questions

Q. Is my data shared with other client companies?
Never. Every company is partitioned in its own logical instance. Even our own employees only access your data with explicit, traced authorization.

Q. What happens if I cancel my subscription?
You have 90 days to export all your data (CSV, Excel, PDF). After that, it is permanently deleted from our servers and backups per your GDPR request.

Q. What's the recovery time in case of an outage?
Our RTO is 4 hours and our RPO is 24 hours. In plain English: in the event of a major incident, you recover your data as it was at most 1 day ago, and you are fully operational within 4 hours.

Q. Can GESPO see my password?
No. Passwords are hashed with bcrypt (a non-reversible cryptographic algorithm) before they reach the database. Not even our admins can read them.

Q. What do you do during a DDoS attack?
Our WAF (web application firewall) absorbs attacks before they reach the servers. We have automatic failover plans between datacenters in case of saturation.

Q. Are you GDPR and Guinean law compliant?
Yes. We apply the same standards as the European GDPR, supplemented by the specific requirements of the Guinean Labor Code, CNSS and IGT.

Q. How can I verify the platform's integrity?
Upon request under NDA, we provide: the annual pentest report, the ISO 27001 certifications of our infrastructure, and access to your company's named audit log.

Q. Can I audit my own logs in real time?
Yes. All critical actions (login, sensitive data edits, exports) are visible in your 'Audit' dashboard. CSV/PDF export in one click.

A question, a vulnerability to report?

Our security team responds personally within 24 hours, 7 days a week.

security@gespo.digital