Enterprise-grade security, built for regulated industries
Weeki protects your data with defence-in-depth security, EU-only hosting, and compliance frameworks trusted by banking, pharma, and public-sector organisations.
Security built into every layer
Four pillars of defence-in-depth protection, from physical infrastructure to application-level controls.
Infrastructure Security
Hosted exclusively on OVHcloud in France (Gravelines, Strasbourg). Dedicated tenancy available. Network segmentation, DDoS protection, and 24/7 infrastructure monitoring.
- OVHcloud FR datacentres (provider certifications: ISO 27001 and HDS; SecNumCloud-ready)
- Virtual private cloud with network isolation
- Automated patching and hardening
- DDoS mitigation at network edge
Data Protection
Your data is encrypted in transit and at rest. Customer data is logically isolated per tenant and is never used for model training.
- TLS 1.3 in transit, AES-256 at rest
- Customer-managed encryption keys (BYOK) on Enterprise plan
- Logical tenant isolation with strict namespace boundaries
- No use of customer data for AI model training
Access Control
Fine-grained, role-based access enforced at every layer. Integrate your identity provider for seamless, auditable access.
- SSO via SAML 2.0 and OpenID Connect
- Active Directory / Azure AD (Microsoft Entra ID) synchronisation
- Role-based access control (RBAC) with custom roles
- Mandatory MFA for all admin accounts
Monitoring & Incident Response
Continuous observability with structured incident management. Every action is logged, every anomaly investigated.
- Immutable audit logs with 12-month retention
- Real-time anomaly detection and alerting
- Documented incident response plan (< 1 h initial triage)
- Post-incident review, with customers notified without undue delay as GDPR Art. 33(2) requires of a processor
Your data stays in Europe
Weeki is hosted exclusively on OVHcloud infrastructure in France. Customer data never leaves the EU. We offer contractual guarantees for data residency, backed by OVHcloud's sovereign cloud commitments.
- OVHcloud is a European cloud provider headquartered in France, operating under EU jurisdiction.
- All backups are geo-redundant within French territory.
- Data Processing Agreement (DPA) available on request, with Standard Contractual Clauses for sub-processors.
- Compatible with Schrems II requirements — no exposure to US CLOUD Act.
Compliance & certifications
We align with the frameworks that matter to regulated European enterprises.
General Data Protection Regulation
Full compliance with EU data protection regulation. Data minimisation, purpose limitation, right to erasure, and data portability are enforced by design.
EU Artificial Intelligence Act
Model registry, risk classification, technical documentation, and human oversight capabilities aligned with the EU AI Act's obligations for high-risk AI systems (classification under Art. 6, risk management under Art. 9, technical documentation under Art. 11, human oversight under Art. 14).
Information Security Management
Our information security management system follows ISO 27001 controls. Formal certification is on our 2026 roadmap.
Service Organisation Controls
SOC 2 Type II audit covering Security, Availability, and Confidentiality trust service criteria is underway with completion expected H2 2026.
Digital Operational Resilience Act
ICT risk management, incident reporting, and third-party oversight capabilities support financial institutions' DORA obligations.
Network & Information Security Directive
Supply chain security, incident notification, and governance controls aligned with NIS2 requirements for essential and important entities.
Security practices
How we build, test, and operate the platform securely.
Encryption everywhere
TLS 1.3 for all data in transit. AES-256 encryption for data at rest across databases, object storage, and backups. Key rotation on a 90-day cycle.
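The following Go program is an added example, not Weeki's implementation, of how the claims on this page (AES-256 at rest, customer-managed keys on the Enterprise plan, logical tenant isolation and periodic key rotation) fit together in an envelope-encryption scheme. Each record is encrypted under a one-off data encryption key (DEK) with AES-256-GCM; the DEK is wrapped under the customer's key encryption key (KEK) and only the wrapped form is stored. The `Envelope` layout, the function names and the sample record are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// mustRandom returns n random bytes; 32 bytes is an AES-256 key. In real BYOK the
// KEK is generated in the customer's KMS/HSM; it is made locally here only so the
// example runs stand-alone.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; keys here are always 32 bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a 16-byte AES block
	return g
}

// seal encrypts and binds the result to aad. Layout: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open authenticates then decrypts; a wrong key, wrong aad or altered byte fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Envelope is the stored record: tenant-scoped ciphertext plus the DEK that
// protects it, wrapped under the customer's KEK. No plaintext key is stored.
type Envelope struct {
	TenantID   string
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt makes a one-off DEK, encrypts the record under it with the tenant ID
// as AAD, wraps the DEK under the KEK with the same AAD, and discards the DEK.
func Encrypt(tenantID string, kek []byte, kekVersion int, plaintext []byte) *Envelope {
	dek := mustRandom(32)
	return &Envelope{TenantID: tenantID, KEKVersion: kekVersion,
		WrappedDEK: seal(kek, dek, []byte(tenantID)), Ciphertext: seal(dek, plaintext, []byte(tenantID))}
}

// Decrypt unwraps the DEK with the presented KEK and opens the record. The tenant
// ID is AAD, so an envelope copied into another tenant's namespace fails to open.
func Decrypt(env *Envelope, kek []byte, tenantID string) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(tenantID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(tenantID))
}

// RotateKEK re-wraps the DEK under a new KEK version without touching the data
// ciphertext, which is what keeps a 90-day KEK rotation cheap on large datasets.
func RotateKEK(env *Envelope, oldKEK, newKEK []byte, newVersion int) error {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(env.TenantID))
	if err != nil {
		return err
	}
	env.WrappedDEK, env.KEKVersion = seal(newKEK, dek, []byte(env.TenantID)), newVersion
	return nil
}

func main() {
	kekV1, kekV2 := mustRandom(32), mustRandom(32) // customer-held KEK, versions 1 and 2
	env := Encrypt("tenant-a", kekV1, 1, []byte("batch 42 lab results")) // constructed sample
	pt, err := Decrypt(env, kekV1, "tenant-a")
	fmt.Printf("same tenant:     %q %v\n", pt, err)
	_, err = Decrypt(env, kekV1, "tenant-b")
	fmt.Println("other namespace:", err) // fails: AAD mismatch on unwrap
	if err := RotateKEK(env, kekV1, kekV2, 2); err != nil {
		panic(err)
	}
	pt, err = Decrypt(env, kekV2, "tenant-a")
	fmt.Printf("after rotation:  %q %v\n", pt, err)
	_, err = Decrypt(env, kekV1, "tenant-a")
	fmt.Println("retired KEK v1: ", err) // fails: v1 no longer wraps the DEK
}
```

Two design points the code makes concrete: the tenant ID is passed as GCM additional authenticated data, so a ciphertext moved into another tenant's namespace fails authentication even when the correct key is supplied; and rotating the KEK re-wraps only the small DEK, so a 90-day rotation does not require re-encrypting stored data (rotating the DEK itself does). In a real BYOK deployment the unwrap step runs inside the customer's KMS and the KEK never reaches the platform; here both keys are generated locally so the program runs on its own.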
Penetration testing
Annual third-party penetration tests conducted by an independent security firm. Critical findings are remediated within 48 hours. Summary reports available under NDA.
Vulnerability management
Continuous dependency scanning (SCA), static application security testing (SAST), and container image scanning in our CI/CD pipeline. CVEs triaged within 24 hours.
Secure development lifecycle
Code review is required for all changes and automated security checks run in CI. Developers complete annual secure coding training, and both the training and the automated checks cover the OWASP Top 10.
Backup & disaster recovery
Automated daily backups with geo-redundancy within France. Recovery Point Objective (RPO) of 24 hours, Recovery Time Objective (RTO) of 4 hours. Tested quarterly.
Incident response
Documented incident response plan with defined severity levels. Initial triage within 1 hour. Affected customers are notified without undue delay, as GDPR Article 33(2) requires of a processor, so that they can meet their own 72-hour deadline for notifying the supervisory authority under Article 33(1). Post-incident reviews for all P1/P2 incidents.
Enterprise security features
Built for IT and security teams who need control and visibility.
SSO & SAML
SAML 2.0 and OpenID Connect integration. Azure AD, Okta, Google Workspace, and custom IdP support.
RBAC & Permissions
Granular role-based access control. Custom roles, workspace-level permissions, and document-level access policies.
Audit Logs
Immutable, searchable audit trail for all user actions, API calls, and admin changes. Export to your SIEM.
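As an added illustration (not Weeki's code, and not its actual export format, which this page does not describe): the kind of integrity check a receiving SIEM or a customer can run on an exported audit trail when events are hash-chained. Each event carries the hash of its predecessor, so editing or deleting an entry breaks every later link. The field names, the JSON-lines layout and the three sample events are assumptions constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// genesis is the prev_hash of the first event (a convention of this example).
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditEvent is one line of a hypothetical hash-chained export (field set is an assumption, not Weeki's schema).
type AuditEvent struct {
	Seq      int    `json:"seq"`
	Time     string `json:"time"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Target   string `json:"target"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// digest hashes every field except Hash, in fixed order; PrevHash is included so
// each link covers its predecessor. Fields are assumed not to contain '|'.
func digest(e AuditEvent) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%s|%s",
		e.Seq, e.Time, e.Actor, e.Action, e.Target, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// Append adds an event chained to the last hash in the log.
func Append(chain []AuditEvent, time, actor, action, target string) []AuditEvent {
	e := AuditEvent{Seq: len(chain) + 1, Time: time, Actor: actor,
		Action: action, Target: target, PrevHash: genesis}
	if n := len(chain); n > 0 {
		e.PrevHash = chain[n-1].Hash
	}
	e.Hash = digest(e)
	return append(chain, e)
}

// Verify recomputes every hash and checks every link and sequence number.
// It returns the index of the first failing event, or -1 if the chain is intact.
func Verify(chain []AuditEvent) int {
	prev := genesis
	for i, e := range chain {
		if e.Seq != i+1 || e.PrevHash != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Export serialises the chain as JSON lines, the shape a SIEM would ingest.
func Export(chain []AuditEvent) string {
	var b strings.Builder
	for _, e := range chain {
		line, _ := json.Marshal(e)
		b.Write(line)
		b.WriteByte('\n')
	}
	return b.String()
}

// ParseExport reads a JSON-lines export back into events for verification.
func ParseExport(data string) ([]AuditEvent, error) {
	var chain []AuditEvent
	for _, line := range strings.Split(strings.TrimSpace(data), "\n") {
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		chain = append(chain, e)
	}
	return chain, nil
}

// SampleChain builds a constructed three-event log (not real Weeki data).
func SampleChain() []AuditEvent {
	var c []AuditEvent
	c = Append(c, "2025-01-10T09:00:00Z", "alice@example.com", "login", "workspace/finance")
	c = Append(c, "2025-01-10T09:02:13Z", "alice@example.com", "role.grant", "bob@example.com:admin")
	c = Append(c, "2025-01-10T09:05:40Z", "bob@example.com", "document.export", "doc/4711")
	return c
}

func main() {
	parsed, err := ParseExport(Export(SampleChain()))
	if err != nil {
		panic(err)
	}
	tampered := SampleChain()
	tampered[1].Action = "document.view" // rewrite the privilege grant in place
	deleted := append(SampleChain()[:1], SampleChain()[2:]...) // remove the grant
	fmt.Println(Verify(parsed), Verify(tampered), Verify(deleted)) // -1 1 1
}
```

A hash chain proves internal consistency, not authenticity: anyone who can rewrite the whole chain can recompute every hash. In practice the latest hash is anchored outside the writer's reach (shipped to the SIEM with each export, or signed with a key the log service cannot use), and truncation of the tail is caught by comparing the last sequence number against that anchor.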
API Security
OAuth 2.0 API authentication. Rate limiting, IP allowlisting, and scoped API keys with automatic rotation.
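As an added example (not Weeki's code; the field names, error values, 24-hour grace period and sample key are assumptions), the request-side checks that scoped API keys with IP allowlisting and rotation imply: the server stores only a hash of the secret and compares it in constant time, rejects callers outside the key's CIDR allowlist, denies scopes the key was not issued with, and keeps a rotated-out key valid for a grace window so clients can switch without downtime.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// APIKey is the server-side record for one scoped key. Only the SHA-256 of the
// secret is kept, so a leaked table yields no usable credentials. The field set
// is an assumption made for this example, not Weeki's schema.
type APIKey struct {
	ID        string
	Hash      [32]byte
	Scopes    map[string]bool
	Allow     []netip.Prefix // empty means no source-IP restriction
	RetiredAt time.Time      // zero for a current key; set when rotated out
}

// rotationGrace is how long a rotated-out key keeps working so that clients can
// switch over without an outage (the 24 h value is an assumption).
const rotationGrace = 24 * time.Hour

var (
	ErrUnknownKey = errors.New("unknown or expired key")
	ErrSourceIP   = errors.New("source IP not in allowlist")
	ErrScope      = errors.New("key lacks required scope")
)

func hashSecret(secret string) [32]byte { return sha256.Sum256([]byte(secret)) }

func ipAllowed(allow []netip.Prefix, src netip.Addr) bool {
	for _, p := range allow {
		if p.Contains(src) {
			return true
		}
	}
	return len(allow) == 0
}

// Authorize resolves the presented secret and enforces, in order: the key is
// known and still inside its rotation grace, the source IP is allowlisted, and
// the key carries the scope the endpoint requires. Hashes are compared in
// constant time so the check leaks nothing about how close a guess was.
func Authorize(store []*APIKey, secret, scope string, src netip.Addr, now time.Time) (*APIKey, error) {
	presented := hashSecret(secret)
	for _, k := range store {
		if subtle.ConstantTimeCompare(k.Hash[:], presented[:]) != 1 {
			continue
		}
		if !k.RetiredAt.IsZero() && now.After(k.RetiredAt.Add(rotationGrace)) {
			return nil, ErrUnknownKey
		}
		if !ipAllowed(k.Allow, src) {
			return nil, ErrSourceIP
		}
		if !k.Scopes[scope] {
			return nil, ErrScope
		}
		return k, nil
	}
	return nil, ErrUnknownKey
}

// Rotate retires old and issues a successor with the same scopes and allowlist;
// both secrets are accepted until the grace period ends.
func Rotate(store []*APIKey, old *APIKey, newID, newSecret string, now time.Time) []*APIKey {
	old.RetiredAt = now
	return append(store, &APIKey{ID: newID, Hash: hashSecret(newSecret), Scopes: old.Scopes, Allow: old.Allow})
}

// Constructed scenario inputs (documentation-range addresses, fixed clock).
var (
	t0      = time.Date(2025, 3, 1, 12, 0, 0, 0, time.UTC)
	inside  = netip.MustParseAddr("203.0.113.7")  // within the sample allowlist
	outside = netip.MustParseAddr("198.51.100.9") // outside it
)

// SampleStore returns one read-only key locked to a /24 (constructed, not real).
func SampleStore() []*APIKey {
	return []*APIKey{{ID: "ci-export", Hash: hashSecret("s3cret-v1"),
		Scopes: map[string]bool{"documents:read": true},
		Allow:  []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}}}
}

func main() {
	store := SampleStore()
	errOf := func(_ *APIKey, err error) error { return err }
	fmt.Println("read from allowed IP:    ", errOf(Authorize(store, "s3cret-v1", "documents:read", inside, t0)))
	fmt.Println("read from other IP:      ", errOf(Authorize(store, "s3cret-v1", "documents:read", outside, t0)))
	fmt.Println("write with read-only key:", errOf(Authorize(store, "s3cret-v1", "documents:write", inside, t0)))
	store = Rotate(store, store[0], "ci-export-v2", "s3cret-v2", t0)
	fmt.Println("old key inside grace:    ", errOf(Authorize(store, "s3cret-v1", "documents:read", inside, t0.Add(time.Hour))))
	fmt.Println("old key after grace:     ", errOf(Authorize(store, "s3cret-v1", "documents:read", inside, t0.Add(rotationGrace+time.Minute))))
}
```

Rate limiting is deliberately left out of the block: it sits in front of this check and is keyed on the key ID or source address, not on the secret. Note the order of the checks: an expired key, a caller from the wrong network and a missing scope all fail closed before any business logic runs, and the distinct error values let the audit trail record which control rejected the request.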
Need more details?
Request our security whitepaper or schedule a dedicated review with our security team.