[{"data":1,"prerenderedAt":297},["ShallowReactive",2],{"navigation_docs_en":3,"-en-architecture-securite":52,"-en-architecture-securite-surround":292},[4,14,32,42],{"title":5,"path":6,"stem":7,"children":8},"The essentials","/en/proposition","en/1.proposition/1.index",[9,10],{"title":5,"path":6,"stem":7},{"title":11,"path":12,"stem":13},"Your need, understood","/en/proposition/comprehension","en/1.proposition/2.comprehension",{"title":15,"path":16,"stem":17,"children":18},"Overview","/en/architecture","en/2.architecture/1.index",[19,20,24,28],{"title":15,"path":16,"stem":17},{"title":21,"path":22,"stem":23},"Technical choices","/en/architecture/stack","en/2.architecture/2.stack",{"title":25,"path":26,"stem":27},"Security & compliance","/en/architecture/securite","en/2.architecture/3.securite",{"title":29,"path":30,"stem":31},"The 19 modules","/en/architecture/modules","en/2.architecture/4.modules",{"title":33,"path":34,"stem":35,"children":36},"The 8-month plan","/en/roadmap","en/3.roadmap/1.index",[37,38],{"title":33,"path":34,"stem":35},{"title":39,"path":40,"stem":41},"The method","/en/roadmap/methodologie","en/3.roadmap/2.methodologie",{"title":43,"path":44,"stem":45,"children":46},"Vortex-Soft","/en/equipe","en/4.equipe/1.index",[47,48],{"title":43,"path":44,"stem":45},{"title":49,"path":50,"stem":51},"References — eCampus","/en/equipe/references","en/4.equipe/2.references",{"id":53,"title":25,"badge":54,"body":55,"category":54,"description":285,"extension":286,"links":54,"meta":287,"navigation":289,"path":26,"seo":290,"stem":27,"tags":54,"__hash__":291},"docs_en/en/2.architecture/3.securite.md",null,{"type":56,"value":57,"toc":277},"minimark",[58,67,72,75,179,183,186,214,218,242,246,250],[59,60,61,62,66],"p",{},"Security is not a layer added at the end. For us, it is ",[63,64,65],"strong",{},"built into the architecture itself",": the single entry through the gateway, the sealing of roles, the immutability of the log are not options — they are properties of the system.",[68,69,71],"h2",{"id":70},"defence-in-depth","Defence in depth",[59,73,74],{},"An attacker who gets past one barrier finds another behind it. Each level is independent of the others.",[76,77,78,94],"table",{},[79,80,81],"thead",{},[82,83,84,88,91],"tr",{},[85,86,87],"th",{},"Level",[85,89,90],{},"Measure",[85,92,93],{},"What it stops",[95,96,97,112,126,140,151,165],"tbody",{},[82,98,99,103,109],{},[100,101,102],"td",{},"Transport",[100,104,105,108],{},[63,106,107],{},"TLS 1.3",", hardened headers (HSTS, CSP)",[100,110,111],{},"Interception, content injection",[82,113,114,117,123],{},[100,115,116],{},"Access",[100,118,119,122],{},[63,120,121],{},"Two-factor authentication (2FA)"," on extended roles",[100,124,125],{},"Password theft",[82,127,128,131,137],{},[100,129,130],{},"Authorization",[100,132,133,136],{},[63,134,135],{},"7 sealed roles",", admin-configurable permissions",[100,138,139],{},"Privilege escalation, cross-project leaks",[82,141,142,145,148],{},[100,143,144],{},"Application",[100,146,147],{},"Strict input validation, parameterised queries",[100,149,150],{},"SQL injection, XSS",[82,152,153,156,162],{},[100,154,155],{},"Data",[100,157,158,161],{},[63,159,160],{},"Encryption at rest",", isolated secrets",[100,163,164],{},"Stolen backup or disk",[82,166,167,170,176],{},[100,168,169],{},"Traceability",[100,171,172,175],{},[63,173,174],{},"Immutable audit log"," of sensitive actions",[100,177,178],{},"Dispute, trace erasure",[68,180,182],{"id":181},"the-digital-vault","The digital vault",[59,184,185],{},"This is the room where you keep land titles, contracts and plans. Its spec is that of a vault, not a shared folder:",[187,188,189,196,202,208],"ul",{},[190,191,192,195],"li",{},[63,193,194],{},"AES-256 encryption per file"," — a distinct key for each document",[190,197,198,201],{},[63,199,200],{},"Certified timestamping"," of every deposit: a document's entry date is provable",[190,203,204,207],{},[63,205,206],{},"Double-confirmation deletion",", logged — nothing disappears silently",[190,209,210,213],{},[63,211,212],{},"PIN / biometric access"," on mobile, independent of the app session",[68,215,217],{"id":216},"continuity-surviving-the-incident","Continuity: surviving the incident",[187,219,220,229,235],{},[190,221,222,225,226],{},[63,223,224],{},"Encrypted daily backups",", 90-day retention, ",[63,227,228],{},"replication across 3 geographic locations",[190,230,231,232],{},"Recovery point (RPO) and recovery time (RTO) defined with you and ",[63,233,234],{},"contractualised",[190,236,237,238,241],{},"A ",[63,239,240],{},"restore drill actually run before go-live"," — with a report to prove it. A backup you have never restored is not a backup; it is a hope.",[68,243,245],{"id":244},"what-we-prove-before-launch","What we prove before launch",[247,248,249],"note",{},"Requirements from your specification — chapters 8 and 9.",[187,251,252,258,264,274],{},[190,253,254,257],{},[63,255,256],{},"Penetration tests"," (OWASP) run before go-live — report delivered, fixes verified",[190,259,260,263],{},[63,261,262],{},"Load tests"," at 2,000+ concurrent users — report delivered, breaking point identified and documented",[190,265,266,269,270,273],{},[63,267,268],{},"GDPR"," compliance (your European diaspora clients) and ",[63,271,272],{},"Senegalese law n° 2008-12"," on personal data protection",[190,275,276],{},"Privacy policy and terms of use built into the sign-up journey",{"title":278,"searchDepth":279,"depth":279,"links":280},"",2,[281,282,283,284],{"id":70,"depth":279,"text":71},{"id":181,"depth":279,"text":182},{"id":216,"depth":279,"text":217},{"id":244,"depth":279,"text":245},"Payments, vault, personal data — the bank-grade level required.","md",{"icon":288},"lucide:shield-check",true,{"title":25,"description":285},"fgCIvZh4jcw1pQaeijQOgXxa_GENtnsZHoh_afsmoQY",[293,295],{"title":21,"path":22,"stem":23,"description":294,"children":-1},"Every technology justified by one of your requirements.",{"title":29,"path":30,"stem":31,"description":296,"children":-1},"Full coverage of the specification, family by family.",1784147241162]