Hardened Endpoints: We use company-managed and hardened macOS devices for our teams, with enforced security baselines via Kandji MDM, including disk encryption (FileVault) and automatic security patching

Cloud Infrastructure: Our 100% cloud-based infrastructure (primarily GCP in France) is protected by VPC Service Controls, intrusion detection (IDS), and continuous vulnerability scanning

Real-time Monitoring: We use Datadog SIEM to collect and correlate logs from all services, enabling our team to detect and respond to suspicious activity immediately

Vulnerability Management: We perform annual penetration tests with Synacktiv, a French leader in security audits, and use Dependabot to track and remediate vulnerabilities in our library dependencies

Cloud Native Security (CNAPP): We utilize Wiz to provide full-stack visibility into our cloud infrastructure and automatically identifying risks.

Data Residency: Data is hosted primarily on secure Google Cloud Platform (GCP) ** infrastructure in France (Europe-West9)** to ensure strict European data sovereignty

Encryption Standards: All databases (PostgreSQL, MongoDB) and file systems use AES-256 encryption at rest

Secure Transit: All external connections to the Greenly platform are protected by TLS 1.3+ encryption-Identity & Access: We rely on Auth0 and Google Workspace SSO as our central identity providers, enforcing Multi-Factor Authentication (MFA) across all production systems. Access is granted strictly on a least-privilege, need-to-know basis and is reviewed quarterly

Role-Based Access Control (RBAC): Access rights are assigned according to specific roles (e.g., Climate Expert, Developer, Administrator) and are formally verified prior to granting

Change Management: Changes to critical systems follow a documented**Software Development Life Cycle (SDLC) **. This includes mandatory peer reviews, automated unit testing (approx. 500 tests), and visual regression testing via Cypress

Automated Backups: We perform hourly backups of customer data, which are encrypted and stored in a separate geographic region to protect against catastrophic loss

Redundancy: We utilize managed services and redundant architectures (Load Balancing and Failover) in GCP to eliminate single points of failure

DDoS Protection: Our platform is protected by Cloudflare at the edge to mitigate network and application-layer attacks

Disaster Recovery: We maintain and regularly test a formal Business Continuity Plan (BCP) ** and Disaster Recovery Plan (DRP)** to ensure service restoration within defined objectives (RTO/RPO)

Transparency: We maintain a detailed Record of Processing Activities (ROPA) and a Data Management Policy covering classification, retention, and secure deletion

Data Subject Rights: We provide documented processes to support your rights to access, rectification, and the "right to be forgotten" (deleting inactive data after 3 years)