Security

The security of your data, without spin

Your business data (voyages, cargoes, crews) is sensitive. Here is what we have concretely put in place to protect it, both technically and organisationally.

The 4 pillars

Our approach, in four layers

Sovereignty

100% of your business data hosted in France, by OVH Cloud, in European data centres. No transfers outside the EU.

Encryption

TLS 1.3 everywhere (in transit), encryption at rest on disks, passwords hashed with argon2id (modern algorithm, resistant to attacks).

Access control

Strict multi-tenant, PostgreSQL Row Level Security, 4 distinct roles, optional 2FA, audit log readable by the shipowner.

Continuity

Encrypted backups every hour, warm replicas across 2 data centres, tested disaster-recovery plan, RTO < 4 h and RPO < 1 h.

Hosting

OVH Cloud · French data centres

All services and all our customers' business data are hosted by OVH Cloud, a French operator certified ISO 27001 and SecNumCloud (ANSSI reference for sensitive cloud services).

Your data is distributed across the Gravelines (Hauts-de-France), Roubaix (Hauts-de-France) and Strasbourg (Grand Est) data centres, with active-active replication across two regions. No business data leaves France.

Only the fluviapro.fr marketing site is hosted on Cloudflare (worldwide CDN, free tier). The site contains only public static content; no customer data transits through it.

Operator: OVH Cloud (FR)
Certifications: ISO 27001, SecNumCloud
Data location: France · 100%
Data centres: Gravelines · Roubaix · Strasbourg

Encryption

Your data encrypted, everywhere, all the time

In transit

TLS 1.3 between your browser (or bargee tablet) and our servers. HSTS enabled. Let's Encrypt certificates renewed automatically.

At rest

Block-level encrypted disks (LUKS) on all servers. PostgreSQL Transparent Data Encryption enabled on the production database.

Passwords

Hashing with argon2id (winner of the 2015 Password Hashing Competition). Modern parameters: 64 MB memory, 3 iterations, parallelism of 4.

Secrets

Managed by self-hosted Infisical. No plain-text secrets in code, logs or backups. Key rotation every 90 days.

Access control

Strict multi-tenant, 4 roles, complete audit

Each customer organisation (shipowner) is isolated by an `organization_id` present on every business table. Filtering is enforced twice: by application code AND by PostgreSQL Row Level Security. A leak from one organisation to another is technically impossible.

Four distinct roles with granular permissions: shipowner (full administration of their organisation), bargee (onboard data entry + read access to their voyages), accountant (invoices, exports, read-only on the rest), client (shipper portal with read-only access to their cargoes).

Authentication uses short-lived JWTs (15 minutes) with refresh tokens (30 days, revocable). TOTP 2FA is optional (recommended for shipowners). Every login and every sensitive action (export, deletion, permission change) is recorded in an audit log the shipowner can consult.
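
The second filter described above, PostgreSQL Row Level Security keyed on `organization_id`, can be sketched as follows. This is an added illustration, not FluviaPro's own code: the `voyages` table, the `app_user` role, the `app.current_org` setting and the sample UUIDs are assumed or constructed names.

```sql
-- Constructed schema for illustration; names are assumptions, not FluviaPro's.
CREATE TABLE voyages (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    vessel          text NOT NULL
);

-- The application connects as an unprivileged role. Superusers and roles
-- with BYPASSRLS ignore policies; FORCE makes the table owner subject to them.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON voyages TO app_user;
GRANT USAGE ON SEQUENCE voyages_id_seq TO app_user;

ALTER TABLE voyages ENABLE ROW LEVEL SECURITY;
ALTER TABLE voyages FORCE ROW LEVEL SECURITY;

-- USING limits which rows SELECT/UPDATE/DELETE can see; WITH CHECK rejects
-- INSERT/UPDATE that would write a row for another organisation.
-- current_setting(..., true) yields NULL when unset and NULLIF maps '' to
-- NULL, so a request with no tenant context matches no rows (fails closed).
CREATE POLICY tenant_isolation ON voyages
    USING (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Per request: bind the tenant for this transaction only.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org',
                  '11111111-1111-1111-1111-111111111111', true);

-- Allowed: the row belongs to the bound organisation.
INSERT INTO voyages (organization_id, vessel)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed barge A');

-- No WHERE clause on organization_id, yet only the bound tenant's rows
-- are visible: this is the second filter behind the application code.
SELECT id, vessel FROM voyages;

-- Rejected by WITH CHECK (row-level security policy violation): the row
-- names a different organisation than the one bound above.
INSERT INTO voyages (organization_id, vessel)
VALUES ('22222222-2222-2222-2222-222222222222', 'Constructed barge B');
ROLLBACK;
```

When reviewing such a setup, check that the application's database role is neither the table owner without `FORCE` nor granted `BYPASSRLS`, since either silently disables the policy.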

Backups & continuity

No data is ever lost

Backups

PostgreSQL Point-in-Time Recovery: restore to any second within the last 30 days. Daily encrypted snapshots kept for 12 months.

Replication

Synchronous replica in a second data centre (Roubaix ⇄ Strasbourg). Manual failover < 1 h in case of a major incident on the primary region.

File storage

OVH Object Storage with geographic replication. Permits, certificates and PDF exports duplicated across 2 French regions.

Disaster recovery

Procedure tested every 6 months. Contractual objectives: RTO (Recovery Time Objective) < 4 h, RPO (Recovery Point Objective) < 1 h.

Compliance

GDPR and beyond

  • GDPR: full compliance, up-to-date records of processing activities, processor agreements signed with all technical subcontractors.
  • Hosting provider certified ISO 27001 and SecNumCloud (ANSSI standard for sensitive cloud services).
  • Annual external security audit by an independent firm (application pentest + infrastructure review).
  • Weekly software dependency audit (Snyk + Dependabot). Critical patches applied within 48 h.
  • Incident management policy: qualification within 4 h, customer notification within 24 h, public post-mortem within 7 days.

Responsible disclosure

Found a vulnerability?

If you discover a security vulnerability in FluviaPro, please disclose it responsibly to security@fluviapro.fr. We acknowledge within 24 h, qualify within 72 h, and fix critical flaws within 7 days at most. We publicly credit contributions (with your consent) and are working on a bug bounty programme.

Questions about our security?

Our technical team answers all security questions (IT department questionnaires, internal audits, due diligence).