Legal documents
Security at Gestioo
Last updated: May 3, 2026
Gestioo processes documents, contracts, signatures, certificates and personal information that may include sensitive data. Security is therefore an essential component of our platform.
1. Infrastructure
Gestioo uses or may use according to configuration:
- an OVH VPS managed with Coolify for application hosting and HTTPS routing;
- Supabase, Montreal, Quebec, Canada, including possible Supabase Storage;
- Microsoft Entra ID / Microsoft 365 for SSO;
- Google Workspace for SSO;
- Mapbox for address autofill;
- Pingram.io, Montreal, Quebec, Canada;
- OVH Object Storage, Beauharnois, Quebec, Canada;
- SignatureAPI, United States, for certain signature features;
- Stripe, United States, for payments.
Most application and storage infrastructure is designed to remain in Canada when possible. Some specific features may require a transfer outside Quebec or Canada.
2. Security measures
Gestioo applies reasonable measures, including:
- encryption of communications in transit;
- secure authentication;
- access controls;
- role and permission management;
- least privilege;
- logging;
- technical monitoring;
- backups;
- logical customer separation;
- incident response processes.
3. Administrator access
Internal access to production systems and customer data is limited to people who need it for legitimate purposes, including support, security, diagnostics, maintenance or compliance.
4. Logging
Gestioo may retain logs to secure the platform, diagnose issues, detect unauthorized access and produce signature or integrity evidence.
For signature providers, Gestioo should record sending, completion, deliverable download and the request to delete or reduce provider retention through the API after the deliverable and evidence are saved.
5. Backups
Backups are retained for up to 30 days according to applicable cycles.
They are stored on OVH Object Storage or Supabase Storage.
6. Incident management
In the event of an incident, Gestioo follows a process for detection, containment, analysis, risk assessment, correction, notification when required and post-mortem.
7. Subprocessors
The list is published at https://gestioo.co/sous-traitants.
8. Reporting
9570-1207 Québec inc.
Gestioo, Gestion Municipale
2260 rue KENNAN-JENCKES
Sherbrooke, Québec
Canada, J1M 0A5
To report a vulnerability or security issue: support@gestioo.co.
Do not attempt to access data that does not belong to you.
