Our approach
Security is not an option at Oyeba: it's a prerequisite for the product. A platform that hosts photos of your house under construction, your family discussions and your spending decisions has to live up to that trust.
We apply the principles of least privilege, defense in depth and transparency: you know what is happening, who has access, and how.
Hosting & infrastructure
All user data is stored on servers located in the European Union (Paris, France), operated by an infrastructure partner certified to ISO 27001 and SOC 2. No data is replicated outside the EU.
- Databases and files: France (FR)
- Replicated backups: France (FR)
- CDN for static assets: Europe only
Encryption
In transit
All connections between your device and our servers use TLS 1.3. Obsolete versions (TLS 1.0, 1.1) are disabled. Certificates are renewed automatically every 90 days.
At rest
Databases are encrypted at rest with AES-256. Files (photos, videos, documents) are stored on an encrypted object service, with keys managed by a dedicated key management service (KMS).
Access & authentication
Your account is protected by password (hashed with Argon2id) or by a magic link sent to your email. Two-factor authentication (2FA) via a TOTP app is available and recommended for project-owner accounts.
On the Oyeba side, access to production systems is restricted to a minimal number of engineers, audited, logged, and automatically revoked on departure or role change. No Oyeba employee views the contents of your projects without your explicit request (for example for support).
Backups & continuity
- Automatic daily database backups, kept for 30 days
- Weekly backups kept for 90 days
- Continuous file replication between two EU regions
- Continuity plan tested every six months
In the event of a major service failure, the recovery time objective (RTO) is 4 hours. The recovery point objective (RPO) is 1 hour for critical data.
Monitoring & incidents
We continuously monitor our systems to detect anomalies, intrusion attempts and suspicious behavior. Any critical activity triggers an alert reviewed by our technical team within 30 minutes, 24/7.
In the event of a security incident affecting your data, we commit to notifying you within 72 hours of detection, in line with the GDPR, with a statement of facts, measures taken, and your actual exposure.
GDPR compliance
Oyeba is a data controller within the meaning of the GDPR. We have appointed a Data Protection Officer (DPO) reachable at dpo@oyeba.com.
You have extensive rights over your data: access, rectification, erasure, portability, objection, and restriction of processing. See our privacy policy for details on each of these rights.
Report a problem
If you discover a vulnerability, write to us at security@oyeba.com. We commit to acknowledging receipt within 48 hours and to keeping you informed of the resolution. We follow a coordinated disclosure policy and never take legal action against a researcher acting in good faith.