closego is built with security by design at every layer of the system.
Each organisation lives on its own subdomain. All data is tied to a tenant_id in the database, guaranteeing complete architectural isolation between organisations.
closego's servers are located in the European Union. Your financial data never leaves European territory, complying with the GDPR's data residency requirements.
Automatic database backups with configurable retention. In the event of an incident, data recovery is guaranteed with a recent restore point.
Every authenticated request is protected by multiple security layers working in coordination.
Access tokens with a 15-minute lifespan and 7-day refresh tokens. Exposure time in the event of theft is drastically reduced.
Tokens live in HttpOnly cookies, inaccessible from JavaScript. This eliminates token theft via XSS by design.
CSRF token rotated on every login, sent in an HTTP header on all data-mutating requests. Prevents cross-site request forgery attacks.
Passwords are stored exclusively as bcrypt hashes with salt. Never in plain text, never reversible.
Attempt limits on login, password recovery, and code verification endpoints. Counters are stored in Redis to persist across restarts.
Your organisation's data is never accessible from another tenant. The isolation is architectural, not just at the interface level.
We comply with the EU General Data Protection Regulation. You may request a full export or deletion of your data at any time.
Files (evidence, attached documents) are stored in Cloudflare R2 with access via short-lived pre-signed URLs. No direct public access ever.
We do not sell data, use it for advertising, or share it with third parties. The only external services are those required to operate the platform.
Not every user in your organisation needs access to everything. closego lets you configure permissions at the level of individual actions, not just sections.
img tags and style attributes are prohibited. External links automatically get rel="noopener noreferrer". X-Content-Type-Options, X-Frame-Options, strict CORS policy with an origin allowlist. Write to us directly or check our full privacy policy.