This document describes the technical and organizational measures (TOMs) adopted by Gitogi Srl to ensure a level of security appropriate to the risk in the processing of personal data, pursuant to Art. 32 of Regulation (EU) 2016/679 (GDPR). These measures apply to all services delivered through the gitogi.com platform and form an integral part of the data processing agreements (DPA) entered into with our clients.
This document is available in Italian and English. In case of discrepancy between the two versions, the Italian text prevails.
Last updated: 12 April 2026
1. Data encryption
- Encryption in transit: TLS 1.2+ on all connections (HTTPS, WebSocket, database, external APIs)
- Encryption at rest: PostgreSQL database with storage-level encryption (AES-256) provided by Supabase/AWS
- API keys and credentials stored as encrypted environment variables, never in source code
- Authentication session tokens (Supabase Auth) issued as signed JWTs and transmitted in httpOnly cookies with the Secure and SameSite flags
2. Access control
- User authentication via Supabase Auth with magic link OTP (no passwords stored)
- Role-based access control (RBAC) with member, moderator, admin roles and tier system (free, literacy, consultant, fcaio)
- Row Level Security (RLS) on all PostgreSQL database tables: each user accesses only their own data
- Administrative access limited to specific email addresses (ADMIN_EMAILS) with server-side verification
- Rate limiting on all API endpoints via Upstash Redis (per-message and daily limits)
- Anti-bot protection via Google reCAPTCHA Enterprise on registration and contact forms
3. Pseudonymization and minimization
- Lead scoring based only on aggregated behavioral signals; no GDPR Art. 9 data used
- Chat analysis anonymized after 90 days (retention period enforced automatically)
- AI audit logs with anonymized inputs (no cleartext PII in logs)
- Consent logs with snapshot of text shown to user at time of consent (Art. 7.1 accountability)
- Data minimization: only data strictly necessary for each purpose is collected and transmitted to sub-processors
4. Resilience and business continuity
- Database hosted on Supabase with automatic daily backups and point-in-time recovery
- Application deployed on AWS Amplify with multi-AZ redundancy and auto-scaling
- Circuit breaker on all AI providers and email services: automatic fallback on primary provider failure
- Real-time error monitoring via Sentry with automatic alerting
- Documented disaster recovery procedure (docs/DISASTER_RECOVERY.md)
5. Regular testing and assessment
- Automated test suite: 171 unit tests (Vitest) + 5 E2E specs (Playwright) run on every deployment
- Input validation on all endpoints with Zod schema validation
- Quarterly bias test on lead scoring algorithm (next: July 2026)
- Semi-annual review of sub-processor registry and DPAs (next: August 2026)
- Mandatory code review for every production code change
6. Organizational measures
- Staff trained on GDPR, AI Act, and cybersecurity (Art. 4 AI Act — AI Literacy)
- AI model training opt-out activated on all services: Anthropic (Claude), OpenAI (ChatGPT Business + API), Perplexity Enterprise Pro
- Need-to-know policy: access to client personal data limited to staff directly involved in service delivery
- DPIA completed for lead scoring system (docs/DPIA_LEAD_SCORING.md); DPIAs planned for AI chatbot, Aegis, and AI consulting
- Incident response and data breach notification procedure compliant with Art. 33-34 GDPR (notification to the Garante within 72 hours; to data subjects without undue delay where the breach is likely to result in a high risk)
7. Data subject rights exercise
- Self-service panel for data export (Art. 20 — portability) and account deletion (Art. 17 — erasure) accessible at /i-tuoi-dati
- Consent management panel with complete history and per-purpose revocation accessible at /i-tuoi-consensi
- Identity verification via email + temporary code before sensitive GDPR operations
- Cascading deletion across 20+ database tables with audit trail and sub-processor notification
- Fiscal data (billing) retained for 10 years as required by D.P.R. 633/72; orphaned after account deletion (userId → NULL)
Certifications and reference standards
The measures adopted are aligned with the principles of ISO/IEC 27001:2022 (Information Security Management Systems). Gitogi Srl periodically evaluates the opportunity to achieve formal certification and documents internal gap analyses. Selected sub-processors (Supabase, AWS, Anthropic) maintain SOC 2 Type II and/or ISO 27001 certifications.
Review schedule
These security measures are subject to semi-annual review. The next review is scheduled for August 2026. Any significant updates will be communicated to clients with an active DPA and reflected on this page with an updated modification date.
Contact
For questions regarding security measures or to request additional documentation, contact: privacy@gitogi.com.
See also: Data Processing Agreement (DPA) | Sub-Processor List | Privacy Policy