SECURITY

Security you can verify, not just trust.

Goodweek is built on a security-first architecture with certified controls, isolated infrastructure, and strict data protection practices. Everything is documented, auditable, and available for review.

SOC 2 Type I audited · GDPR Compliant · SOC 2 Type II in progress
Access our Trust Center

Security controls summary

What we guarantee

Area | Control
Tenant isolation | Dedicated environments per customer, no shared data layers
Encryption | AES-256 at rest, TLS 1.2+ in transit
Access control | Role-based, approved, reviewed quarterly under least-privilege principles
Data residency | EU: AWS Paris + Scalingo · US: AWS US

Infrastructure

Secure, regionally compliant infrastructure

Hosting and data residency

  • EU customers are hosted on AWS Paris (eu-west-3) and Scalingo, France
  • US customers are hosted on AWS US regions
  • Data residency is enforced at infrastructure level, not managed by policy alone
  • High-availability architecture with automated failover

Encryption

  • Data at rest: AES-256
  • Data in transit: TLS 1.2 minimum
  • Applied consistently across all environments and services

AI data handling

How we use AI without compromising your data

  • Inputs sent to AI providers are limited to what is strictly necessary to process the request
  • Processed data does not persist outside Goodweek infrastructure
  • The full list of AI sub-processors is maintained and published in our Trust Center
  • AI providers operate under Data Processing Agreements: no data retention, no model training

Compliance and procurement

The benefits of AI, without the compliance risk — We make your security review process easy

Regulatory framework

  • GDPR-compliant data processing, with documented procedures for handling data subject rights requests (access, rectification, deletion, and portability)
  • Defined data retention schedules with enforced deletion at end of retention period
  • All sub-processors are assessed on security matters prior to onboarding and listed in our Trust Center
  • No data sharing or transfer without explicit contractual basis

What's available for your security review

  • DPA available on request
  • Security questionnaires accepted
  • SOC 2 Type I report available under NDA
  • Sub-processor list available in Trust Center
  • Architecture overview available for qualified reviews

Security testing

We don't assume we're secure — we verify it continuously

Testing cadence

  • Automated vulnerability scanning across all production systems: monthly
  • Third-party penetration test: bi-annually, conducted by certified external firms
  • Full results and remediation reports available on request
  • Bug bounty & ethical hacking program (coming soon)

Trust Center

Everything in one place

Direct access to:

  • SOC 2 Type I report
  • Security policies
  • Sub-processor list
  • Architecture overview
  • Cybersecurity insurance certificate
  • Security FAQ