How Gera Thinks About Security and Privacy

Published 21 April 2026 · 10 min read · Gera Services

Quick answer: Security and privacy at Gera are infrastructure-level concerns, not per-product afterthoughts. We apply OWASP Top 10 + API Top 10 to every service; npm audit and Semgrep on every build; monthly DAST against staging; TLS 1.2+ everywhere; MFA on admin accounts; encryption at rest on all data; and per-product regulatory baselines (PCI DSS for GeraCash, HIPAA-equivalent for GeraClinic, strict-CSP for PrivacyGuard).

The principle

Security is a cross-cutting concern that only works when shared. An approach where each product re-implements auth, session management, and encryption fails at scale and leaves quiet gaps. Shared core-auth, core-payment, core-compliance, and core-storage packages carry the load, and the products consume them correctly by default.

Foundations

Authentication: OIDC-compatible, refresh-token rotation, device-bound session keys, rate-limited auth endpoints.
Authorization: policy-based, per-tenant scope, per-resource checks enforced in services — never relied on at the edge only.
Transport: TLS 1.2+ on every endpoint; HSTS with preload on core domains.
Data at rest: Neon Postgres encryption; S3/MinIO server-side encryption; KMS-managed keys.
Secrets: Railway + Vercel secret stores; never in code; rotation scheduled.
Dependencies: npm audit + Snyk + Dependabot; zero-critical-CVE policy on every build.
Static analysis: Semgrep rules + TS strict + ESLint security plugins in CI.
Dynamic analysis: OWASP ZAP monthly against staging.

Per-product baselines

GeraCash: PCI DSS. No cardholder data stored on our servers; tokenisation via Stripe / Idram / provider.
GeraClinic: HIPAA-equivalent. Encryption, audit logs, BAA-comparable arrangements with providers, role-based access.
PrivacyGuard: strict CSP + minimal permissions on Chrome extension; public transparency log.
GeraCompliance: SOC 2 roadmap active; ISO 27001 alignment.
GeraLearn / GeraJobs: student / candidate data handled with DSAR, age-gated content, explicit consent.

Privacy by default

GDPR / CCPA / PIPEDA baseline globally.
Consent logs and DSAR tooling in core-compliance.
No sensitive data in unencrypted localStorage, ever.
Analytics are PostHog self-hosted or configurable to EU data residency.
Data-broker-style retention is not our business model.

Incident response

security/INCIDENT_RESPONSE.md documents the full playbook: triage within 30 minutes, regulator notification (GDPR Article 33) within 72 hours, customer notification per severity class, post-incident public postmortem. Auto-rollback is enabled when post-deploy error rate exceeds 5%.

What we do not do

We do not sell user data. Ever. It is not a revenue line and never will be.
We do not use session-replay tools on our sites.
We do not bake third-party advertising trackers into the apps.
We do not pressure users to weaken their privacy (no dark-pattern consent flows).

How to verify our claims

Public security.txt with vulnerability-disclosure policy.
SOC 2 report (on request) via GeraCompliance once issued.
Public status page at status.gera.services.
Open-source extensions and packages auditable at geraservicesuk.