Trust & compliance

Security & data protection.

Institutional clients work with us because they trust the data, the method — and the way we operate. This page documents the commitments your DPO, your security team and your procurement office will want to verify.

EU-based hosting

All production data hosted on OVH infrastructure in France (Roubaix region). No data leaves the European Union.

GDPR-compliant

Privacy-by-design. Subject access, rectification, erasure and portability are operational, not just stated.

Daily encrypted backups

Automated daily backups, encrypted at rest, with point-in-time recovery on the database.

ISO 27001 in progress

Formal Information Security Management System being implemented. Target certification: 2027.

Infrastructure

Where your data lives.

  • Primary hosting: OVH (France, EU). Production servers physically located in OVH data centres, governed by EU data-protection law.
  • Database: PostgreSQL on the same EU infrastructure. Encrypted connections (TLS) and credentials managed via environment variables, never committed to source.
  • Backups: Daily automated backups via Plesk, with retention. Backup files are encrypted and stored separately from the live database.
  • Transport: All public traffic served over HTTPS (TLS 1.2+). HSTS enabled on production domains.
  • No third-country transfers: Customer institutional data is not transferred outside the EU. Sub-processors are limited, documented, and EU-based wherever feasible.

GDPR

Data protection in practice.

OSE in Africa acts as a data controller for users who hold an account on our platforms (Connect, Expert, Newsletter) and as a data processor when contractually engaged on a custom diagnostic or advisory mandate. In both cases, we honour the rights granted by the GDPR:

Right of access

Email contact@ose.africa to receive a machine-readable export of your personal data.

Right to rectification

Update profile fields directly from your account, or request a correction by email.

Right to erasure

Delete your account from settings, or request full erasure by email. Backups are purged within the retention window.

Right to portability

Personal data is exportable as JSON or CSV on request.

Right to restriction

Pause processing while disputes are resolved. We will confirm in writing.

Right to object

Decline analytics tracking; the cookie banner is being upgraded to fine-grained consent.

Privacy contact: contact@ose.africa. A formal DPA (Data Processing Agreement) is available on request to institutional clients prior to signature.

Application security

How we build.

  • Authentication: Argon2id password hashing, short-lived JWT access tokens with rotating refresh tokens. Sessions invalidated on password reset.
  • Authorization: Role- and tier-based access control on every API endpoint. Defense-in-depth on geographic gating (country-level access policies enforced both client-side and server-side).
  • Audit log: Sensitive actions (user role changes, access grants, data exports) are persisted in an audit table.
  • Dependency hygiene: Production stack on Node.js LTS, Next.js LTS, NestJS, Prisma. Security patches applied promptly.
  • Secret management: Credentials and tokens stored outside source control, accessed via environment variables on the server only.

Roadmap

What's next.

2026
Formal ISMS rollout

Formal Information Security Management System (policies, asset register, incident response runbook), aligned with ISO 27001 controls.

2026
Granular cookie consent

Upgrade the cookie banner to fine-grained, per-purpose consent (analytics / functional / marketing) with full audit trail.

2027
ISO 27001 certification

Target external audit and certification on the production scope (Atlas + Expert + Connect).

ongoing
Penetration testing

Annual third-party penetration test on the public-facing platforms. Last scope: 2026.

Need the full due-diligence pack?

DPA template, security overview, hosting attestation, references list — available on request to institutional clients. Speeds up your procurement cycle by 2–3 weeks.