1. Encryption and data protection
All communications with MarketingAtelier use TLS 1.3. Passwords are hashed with bcrypt and are never stored in plain text. Third-party API keys (Stripe, ESP, OAuth social networks) are encrypted with AES-256-GCM in the database, using dedicated keys per use case.
- TLS 1.3 encryption on all requests (front end, API, database).
- Passwords hashed with bcrypt, never stored in plain text.
- Stripe keys (user), ESP tokens, LinkedIn and Meta tokens: AES-256-GCM encryption in the database.
- HMAC-SHA256-signed JWTs for member sessions on published sites.
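As an added illustration, not MarketingAtelier's own code, of how stored third-party tokens can be protected with AES-256-GCM under a dedicated key per use case: the master key value, the HKDF labels and the `workspaceId` binding are assumptions, and the sample token is constructed.

```typescript
// Added example, not MarketingAtelier's code: AES-256-GCM encryption of a
// third-party token under a key dedicated to one use case (Node >= 18).
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

// Constructed master key for the demo. In production it comes from a secret
// manager and never sits in the database next to the ciphertexts.
const MASTER_KEY = Buffer.alloc(32, 7);

type UseCase = "stripe" | "esp" | "linkedin" | "meta";

// One 256-bit key per use case (the HKDF label is an assumption): a bug or leak
// in one integration then cannot decrypt the tokens stored for another.
function keyFor(useCase: UseCase): Buffer {
  return Buffer.from(hkdfSync("sha256", MASTER_KEY, "", `marketingatelier:${useCase}`, 32));
}

// Database representation: iv.ciphertext.tag, each base64url encoded.
function encryptToken(useCase: UseCase, workspaceId: string, token: string): string {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", keyFor(useCase), iv);
  // AAD ties the ciphertext to its purpose and owner; it is authenticated, not secret.
  cipher.setAAD(Buffer.from(`${useCase}:${workspaceId}`));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return [iv, ct, cipher.getAuthTag()].map((b) => b.toString("base64url")).join(".");
}

// Returns null when the GCM tag does not verify (wrong use case, wrong
// workspace, tampered or malformed record) rather than yielding garbage.
function decryptToken(useCase: UseCase, workspaceId: string, stored: string): string | null {
  try {
    const [iv, ct, tag] = stored.split(".").map((s) => Buffer.from(s, "base64url"));
    const decipher = createDecipheriv("aes-256-gcm", keyFor(useCase), iv);
    decipher.setAAD(Buffer.from(`${useCase}:${workspaceId}`));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Demo with a constructed token: it round-trips under its own context only.
const record = encryptToken("stripe", "ws_42", "sk_test_constructed");
console.log(decryptToken("stripe", "ws_42", record));   // the token
console.log(decryptToken("linkedin", "ws_42", record)); // null
```

A record encrypted for one use case or workspace fails authentication under any other, so a mix-up between integrations surfaces as a hard failure instead of a leaked token.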
2. Infrastructure
The platform relies on three principal providers, each with its own security perimeter.
- Supabase — PostgreSQL database with Row Level Security (RLS), authentication, and file storage. European hosting (Frankfurt region).
- Vercel — application platform hosting, continuous deployment from Git. Region iad1 (United States).
- Cloudflare Pages — hosting for sites published via WebAtelier. Global CDN network.
Supabase performs automatic daily backups, Cloudflare provides geographical redundancy, and RLS isolates data at the level of each user's records.
3. Authentication and access
- User authentication via Supabase Auth (email and password, OAuth as an option).
- Secure sessions with automatic token rotation.
- Multi-user workspaces with granular roles (admin, member, reader).
- PostgreSQL Row Level Security (RLS) applied to all tables: a user can only access their own data and that of their workspace.
- Internal production access governed by the principle of least privilege.
4. Protection of user content
Content and data generated by users (templates, CRM contacts, websites, social posts) remain their property. No data is used to train third-party AI models (Anthropic, OpenAI, Replicate, fal.ai).
- Systematic HTML sanitisation (isomorphic-dompurify) before any rendering, to prevent XSS attacks.
- Validation and sanitisation of all user input (Zod on critical APIs).
- Protection against SQL injection via Supabase parameterised queries.
- Strict security headers: Content-Security-Policy, X-Frame-Options, HSTS.
- Rate limiting on public endpoints (forms, analytics) via Upstash Redis.
5. GDPR compliance
MarketingAtelier complies with the General Data Protection Regulation. Users may exercise all of their rights at any time.
- Explicit, granular consent (by channel and message type) for CRM contacts.
- Immutable audit trail of consents (addition, modification, withdrawal).
- Right of access, rectification, erasure, and portability.
- Full data export in one click from the user area.
- Notification of data breaches within 72 hours, in accordance with the legal obligation.
Your data is never sold, never used to train third-party AI models, and never transferred outside the technical sub-processors listed in our privacy policy.
6. Incident detection and response
Monitoring is continuous via Sentry. Any anomaly triggers an alert to the technical team. The incident response procedure follows four phases:
- Detection (within 5 minutes) — monitoring systems automatically detect anomalies (server errors, latency spikes, suspicious access attempts).
- Assessment (within 30 minutes) — the technical team evaluates the severity and impact of the incident.
- Containment (within 2 hours) — isolation of the threat, rotation of secrets where necessary, and limitation of further propagation.
- Notification (within 72 hours) — communication to affected users and the relevant authorities (the CNIL, the French data protection authority, in the event of a data breach).
7. Secure development practices
- Validation and sanitisation of all user input.
- Protection against SQL injection, XSS, and CSRF attacks.
- Strict security headers (CSP, HSTS, X-Frame-Options).
- Dependencies updated regularly (automated audit).
- Separation of environments (development, staging, production).
- Mandatory code review before any production deployment.
- Automated tests on critical flows (authentication, payment, GDPR).
8. Compliance and certifications
MarketingAtelier is natively GDPR-compliant. Additional certification processes are currently under way.
- GDPR — native compliance since the platform launched.
- ISO 27001 — certification currently under evaluation.
- SOC 2 Type II — process planned for 2027.
9. Reporting a vulnerability
If you discover a security vulnerability, we ask that you report it to us responsibly. We are committed to reviewing your report, addressing the issue, and keeping you informed of the outcome.
To report a vulnerability, please use our contact form and include "Security report" in the subject line.