Security & Compliance
A platform built for B2B requirements
GroundCam protects your sessions, your visual evidence and your customer data with a 100% European infrastructure, systematic encryption and declarative GDPR compliance.
Four pillars
100% EU hosting
Applications, databases and files hosted in Europe.
Strong authentication
MFA, SSO with Microsoft Entra ID and Okta, granular roles.
Encryption in transit & at rest
TLS 1.3, HSTS preload, at-rest encryption for files and database.
GDPR compliance
Data minimization, explicit consent, guaranteed user rights.
Hosting & infrastructure
The entire platform runs on Tier-1 cloud infrastructure located in the European region.
Exclusive European region
Application hosting in France and multi-zone EU database storage. No customer data leaves the European Union under nominal operation.
Global CDN with DDoS protection
Worldwide content delivery network for performance, with automatic DDoS protection and HTTP/HTTPS filtering rules.
Strict multi-tenant isolation
Logical separation of data between organizations enforced server-side. File and data access goes exclusively through authenticated server routes, never any direct browser access to storage.
Technologies used
Here are the categories of technologies GroundCam relies on.
HD web video platform
Real-time video and audio streaming via a European operator. End-to-end encrypted sessions.
International SMS gateway
Invitation links sent by SMS via a certified telecom operator, with worldwide coverage.
PCI-DSS L1 payment processor
Card and SEPA transfer payments through a PCI-DSS Level 1 certified processor. No card data ever transits our servers.
Transactional SMTP provider
Transactional emails (notifications, invoices) via an SMTP provider with SPF, DKIM and DMARC authentication.
Application monitoring
GDPR-compliant monitoring and error tracking platform, technical data only (no personal data).
Opt-in behavioral analytics
Behavioral analytics tool, enabled on consent, no third-party cookies, anonymized.
Anti-bot protection
Cookie-less CAPTCHA system protecting sensitive forms.
Authentication & access control
Password policy
Passwords stored as bcrypt hashes, never in clear text. Reset via time-limited link.
Multi-factor authentication (MFA)
OTP code by email to strengthen sign-in. Available on every account.
SSO Microsoft Entra ID & Okta
Centralized sign-in via SAML/OIDC with your corporate directory. Administrator provisioning.
Granular roles
Four access levels: owner, administrator, agent, read-only. Audit log for sensitive actions.
Encryption & data protection
TLS 1.3 + HSTS preload
All connections enforce HTTPS with HSTS preload (max-age 2 years). No cleartext traffic.
At-rest encryption
Databases and file storage encrypted at rest by default by cloud providers.
Hardened security headers
Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Permissions-Policy strictly configured.
Server-only storage
No direct browser access to storage. Every read/write goes through an authenticated server endpoint.
Secret management
API keys and tokens stored in encrypted environment variables. Timing-safe comparisons to resist timing attacks.
Strict input validation
Zod schemas on every API route. Magic-byte verification for uploads. SSRF protection on outgoing webhooks.
GDPR & privacy
Data processed exclusively in the EU
Application hosting and databases in the EU region. Euro-zone restriction for payments (EUR + SEPA zone).
Data minimization
We collect only the data needed for the service: profile, video sessions, session-related captures, billing data.
Limited retention
Video sessions are not recorded by default. Captures and logs are kept according to your plan (from 30 days to 1 year).
User rights
Access, rectification, erasure, portability: these rights can be exercised from the dashboard or by contacting our team.
Frequently asked questions
Does GroundCam undergo security audits?
We continuously apply security best practices: peer code review, strict input validation, error monitoring, regular dependency updates. For specific external certification requests, contact us.
Where are videos and screenshots stored?
Video sessions transit live between participants and are not recorded by default. Screenshots are encrypted at rest on storage hosted in the EU region, accessible only via authenticated server-only URLs.
How are you notified of a security incident?
Our infrastructure automatically reports anomalies through our monitoring platform. In case of an incident impacting personal data, we notify affected customers and the CNIL within the legal GDPR deadlines.
How can I delete my data?
You can deactivate your account from the dashboard. For full erasure (GDPR right to be forgotten), contact us: we proceed with deletion within 30 days in accordance with the regulation.
A specific security question?
Our team handles technical clarifications, customer audits and contractual requirements.
Contact us