Security at Gestioo
Last updated: May 3, 2026
Gestioo processes documents, contracts, signatures, certificates and personal information that may include sensitive data. Security is therefore an essential component of our platform.
1. Infrastructure
Depending on configuration, Gestioo uses or may use:
- an OVH VPS managed with Coolify for application hosting and HTTPS routing;
- Supabase, Montreal, QC, Canada, including possible Supabase Storage;
- Microsoft Entra ID / Microsoft 365 for SSO;
- Google Workspace as a future SSO provider;
- Mapbox for address autofill;
- Pingram.io, Montréal, QC, Canada;
- OVH Object Storage, Beauharnois, QC, Canada;
- Backblaze B2, Toronto, ON, Canada, as possible storage according to configuration;
- SignatureAPI, United States, for certain signature features;
- GlobalSign, United States, as a possible certificate or signature provider;
- Stripe, United States, for payments.
Most application and storage infrastructure is designed to remain in Canada when possible. Some specific features may require a transfer outside Quebec or Canada.
2. Security measures
Gestioo applies reasonable measures, including:
- encryption of communications in transit;
- secure authentication;
- access controls;
- role and permission management;
- least privilege;
- logging;
- technical monitoring;
- backups;
- logical customer separation;
- incident response processes.
3. Administrator access
Internal access to production systems and customer data is limited to people who need it for legitimate purposes, including support, security, diagnostics, maintenance or compliance.
4. Logging
Gestioo may retain logs to secure the platform, diagnose issues, detect unauthorized access and produce signature or integrity evidence.
For signature providers, Gestioo should record the following events: sending, completion, deliverable download, and the request, made through the API after the deliverable and evidence are saved, to delete or reduce provider retention.
5. Backups
Backups are retained for up to 30 days according to applicable cycles.
According to configuration, they may be stored on OVH Object Storage, Supabase Storage or Backblaze B2.
6. Incident management
In the event of an incident, Gestioo follows a process for detection, containment, analysis, risk assessment, correction, notification when required and post-mortem.
7. Subprocessors
The list is published at https://gestioo.co/sous-traitants.
8. Reporting
To report a vulnerability or security issue: support@gestioo.co.
Do not attempt to access data that does not belong to you.
