Platform Controls
Architecture and Data Segregation
Costory operates on a multi-tenant architecture designed to segregate and restrict access to the data you and your users share via our platform, based on business needs.
Public Cloud Infrastructure
Costory’s services are hosted on public cloud infrastructure and use the secure platform provided by Google Cloud Platform (GCP). The complete list of subprocessors is available in our Subprocessors list.
Audits and Certifications
Audits
We conduct regular security assessments through both internal personnel and external security firms. These assessments include periodic and targeted audits of our platform to identify and mitigate vulnerabilities. Automated scanning of our web application is continuously employed to maintain security standards.
Certifications
Costory aligns with industry best practices and standards. Our cloud provider, GCP, maintains certifications such as ISO 27001 and SOC 2 Type II, ensuring that our infrastructure meets rigorous security requirements.
Security Controls
Access Logging and Management
Detailed access logs are maintained and available to our administrators. We log every account sign-in attempt, including the device type and IP address. Administrators can remotely terminate sessions and sign out authenticated devices as needed.
Data Retention and Encryption
Customer data is encrypted both in transit and at rest using GCP’s proprietary services. Data retention policies are customizable, allowing for the secure deletion of data based on customer-defined durations.
Network and Host Management
Our network is protected by firewalls configured according to industry best practices. Two-factor authentication (2FA) is enforced for all server access. Automated vulnerability scans are performed on our production environments, with remediation conducted promptly as needed.
Product Security Practices
All new features and major updates undergo a thorough security review process. Automated and manual code reviews are conducted to ensure the highest security standards are maintained throughout the development lifecycle.
Intrusion Detection and Incident Management
Intrusion Detection
Costory, along with authorized external entities, monitors its platform for unauthorized intrusions.
Security Logs
Logs from systems and applications accessing customer data are maintained in Google Cloud Storage (GCS) and are backed up regularly. These logs are analyzed for security events using automated monitoring tools. Access to logs is restricted and follows stringent security protocols.
Incident Management
Costory maintains a comprehensive incident management policy, which includes procedures for timely notification of impacted customers in the event of a data breach. We are committed to transparency and will provide status updates through appropriate channels during any significant security incidents.
Data Handling and Confidentiality
Data Encryption
Data transmitted between Costory and our customers is encrypted using industry-accepted encryption protocols. We closely monitor advancements in cryptographic standards to ensure that our encryption practices are up to date and secure.
Reliability, Backup, and Business Continuity
Costory’s infrastructure is designed to be fault-tolerant, with automated backups and replication to ensure high availability and quick recovery from potential disasters. We rely on Render and GCP’s serverless systems to provide automatic failover and maintain high reliability across our services.
Personnel Practices
Confidentiality and Training
All employees are required to sign confidentiality agreements and undergo security training as part of their onboarding process. Regular security awareness training is conducted to ensure all personnel are up to date on the latest security practices and policies.
Infrastructure Security
We utilize Google Workspace for secure employee authentication, including 2FA. Additionally, our infrastructure relies on Clerk for secure management of customer credentials and authentication, ensuring compliance with best practices for login security.
Data Management
Data Return and Deletion
Customers may request the return of their data within 30 days after contract termination. Data deletion is conducted securely and promptly in accordance with our data retention policy, ensuring that no residual data remains on our production systems after deletion.
Q&A
Is there a CISO and DPO?
Tanguy Compagnon de la Servette, co-founder and CTO, acts as the CISO and DPO. Formal security policies and procedures are in place and enforced.
What authentication is in place?
Our application is secured using Clerk (https://clerk.com/), which provides state-of-the-art security and is used by leading companies. Clerk provides access logs that are reviewed regularly by our CTO. Most clients choose OAuth authentication with Google or Microsoft providers. We also offer passwordless authentication. If password authentication is chosen, we configure Clerk’s strongest password policy. We also provide an elevated “Admin” role for organization administrators to manage team members. Our backend is authenticated by Google Workspace using role-based permissions.
What is our backup policy?
Data is stored on GCS and regional BigQuery, which offer time travel, delete protection, and replication across multiple availability zones. Code is stored in GitHub, including the infrastructure layer as IaC (Terraform).
What's our security audit policy?
An external pentest was conducted in 2025, and results are available for clients upon request.
Is data deleted after termination of the service?
Yes, upon termination of service, we have a defined process to delete churned client data. This involves securely deleting the client’s data from their dedicated BigQuery datasets and the associated Google Cloud Storage (GCS) bucket. This ensures that all structured and unstructured data tied to the client is permanently removed from our systems.
We plan to formalize this into a documented data deletion policy, with audit logs and retention period controls to further align with regulatory and client expectations.
