Your security,
our priority.

closego is built with security by design at every layer of the system.

πŸ”’ JWT HttpOnly
πŸ›‘οΈ CSRF Protection
🌍 EU Data Residency
πŸ“‹ GDPR

A solid foundation
from day one.

πŸ—οΈ

Multi-tenant isolation

Each organisation lives on its own subdomain. All data is tied to a tenant_id in the database, guaranteeing complete architectural isolation between organisations.

🌍

Data within the EU

closego's servers are located in the European Union. Your financial data never leaves European territory, complying with the GDPR's data residency requirements.

πŸ’Ύ

Automatic backups

Automatic database backups with configurable retention. In the event of an incident, data recovery is guaranteed with a recent restore point.

Robust access,
no compromises.

Every authenticated request is protected by multiple security layers working in coordination.

πŸ”‘

Short-lived JWTs

Access tokens with a 15-minute lifespan and 7-day refresh tokens. Exposure time in the event of theft is drastically reduced.

πŸͺ

HttpOnly cookies

Tokens live in HttpOnly cookies, inaccessible from JavaScript. This eliminates token theft via XSS by design.

πŸ›‘οΈ

CSRF protection

CSRF token rotated on every login, sent in an HTTP header on all data-mutating requests. Prevents cross-site request forgery attacks.

πŸ”

bcrypt password hashing

Passwords are stored exclusively as bcrypt hashes with salt. Never in plain text, never reversible.

⏱️

Authentication rate limiting

Attempt limits on login, password recovery, and code verification endpoints. Counters are stored in Redis to persist across restarts.

Your data is yours.
Always.

Multi-tenant

Complete isolation between organisations

Your organisation's data is never accessible from another tenant. The isolation is architectural, not just at the interface level.

GDPR

Export and deletion on request

We comply with the EU General Data Protection Regulation. You may request a full export or deletion of your data at any time.

Storage

Cloud-encrypted file attachments

Files (evidence, attached documents) are stored in Cloudflare R2 with access via short-lived pre-signed URLs. No direct public access ever.

Third parties

No sharing data with third parties

We do not sell data, use it for advertising, or share it with third parties. The only external services are those required to operate the platform.

Granular control
of who sees what.

Not every user in your organisation needs access to everything. closego lets you configure permissions at the level of individual actions, not just sections.

βœ“
Predefined roles: Administrator, Accountant, External consultant (read-only)
βœ“
Granular permissions by action: view, create, edit, delete per resource
βœ“
Customisable roles adapted to your team structure
βœ“
Access audit trail: historical log of who did what and when
βœ“
Company and department access: a user can have different roles in each area
Permission managementRole configuration
PermissionAdminAccountantConsultant
View dashboardβœ“βœ“βœ“
Edit tasksβœ“βœ“β€”
Manage usersβœ“β€”β€”
Configure permissionsβœ“β€”β€”
View reconciliationsβœ“βœ“βœ“
Update reconciliationsβœ“βœ“β€”

Defence in depth
at every layer.

VectorProtection applied
XSS Cross-Site Scripting
HTML sanitisation on notes and mentions using DOMPurify. img tags and style attributes are prohibited. External links automatically get rel="noopener noreferrer".
SQLi SQL Injection
Sequelize ORM with parameterised queries on all database operations. No string concatenation in queries.
CSRF Cross-Site Request Forgery
Token rotated on every login, transmitted in an HTTP header separate from the cookie. Verified on all data-mutating requests.
Brute Brute force
Rate limiting by IP and by token on authentication, code verification, and password recovery endpoints. Persisted in Redis.
SSRF Server-Side Request Forgery
External integrations (ERP, OAuth) validate that destination URLs belong to known domains on a strict allowlist.
Headers HTTP headers
Standard security headers active: X-Content-Type-Options, X-Frame-Options, strict CORS policy with an origin allowlist.

Questions about
security?

Write to us directly or check our full privacy policy.