Security & Compliance
Enterprise-grade security inherited from Cloudflare and Neon, with comprehensive GDPR compliance
Last updated: October 2025
Security Measures
Authentication Methods
GuideMode implements multiple authentication strategies with mandatory two-factor authentication (2FA):
- OAuth 2.0: GitHub, Google, GitLab authentication
- Magic Links: Passwordless email authentication
- API Keys: Bearer token authentication for programmatic access with centrally managed revocation
- 2FA Required: All administrator accounts use two-factor authentication
No passwords are stored - all authentication is delegated to trusted OAuth providers
Access Controls
- Role-Based Access Control (RBAC): Owner, Admin, Member roles
- Multi-tenant Isolation: Per-tenant role enforcement
- API Key Scoping: Keys inherit user permissions
- Session Security: HTTP-only cookies prevent XSS attacks
Incident Response Plan
- Breach Notification: Within 72 hours to affected users and authorities
- GDPR Compliance: Article 33/34 requirements
- Encrypted Data: May be exempt from notification if data is unintelligible
Data Handling
Data Encryption
At Rest
- Cloudflare R2: AES-256-GCM (automatic, zero-config)
- Neon PostgreSQL: AES-256 with AWS KMS/Azure Key Vault
In Transit
- TLS 1.2/1.3: Enforced across all services
- HTTPS Only: HTTP automatically upgraded
Privacy Protections
GDPR Compliant - Your rights under GDPR Articles 15-21:
- Right to access personal data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
Delete Your Account:
- Personal account: Profile Settings →
- Organization account: Organization Settings →
For other rights, contact privacy@guidemode.dev
Data Collection
What We Collect:
- Account info (name, email via OAuth)
- Session recordings (code interactions)
- Usage analytics (with consent)
What We Don't Collect:
- Passwords (OAuth only)
- Payment card info (handled by Paddle)
- Location or device fingerprinting
Cross-Border Transfers
EU Data Residency Available:
- Neon EU-hosted PostgreSQL instances
- Standard Contractual Clauses (SCCs)
- EU-U.S. Data Privacy Framework (Cloudflare)
Compliance Certifications
GuideMode inherits enterprise-grade compliance certifications from our infrastructure providers:
Cloudflare
- SOC 2 Type II (annual)
- ISO 27001:2022
- ISO 27018, ISO 27701
- PCI DSS Level 1
Fully Self-Hosted Option Available
Contact sales@guidemode.dev for commercial details about our fully self-hosted deployment option.
Additional Security Measures
Infrastructure
- DDoS Protection
- Web Application Firewall
- Bot Protection
- Rate Limiting
Application
- Input Validation (Zod)
- SQL Injection Protection
- XSS Protection
- CSRF Protection
Operations
- 2FA on All Admin Accounts
- Audit Logging
- Automated Backups
- Dependency Scanning
Code Quality
- TypeScript Strict Mode
- Biome Linting
- Automated Testing
- Open Source (GitHub)
EU AI Act Compliance
Not Classified as High-Risk AI System
GuideMode has not declared our application as high-risk under the EU Artificial Intelligence Act.
We confirm our application does not:
- Make automated decisions affecting legal rights or safety
- Process biometric data for identification
- Perform credit scoring or risk assessments
- Deploy in critical infrastructure
GuideMode is an analytics and monitoring tool for AI coding sessions. We track and analyze interactions with AI coding assistants to provide insights and improve developer workflows. We do not make automated decisions or deploy AI systems that would fall under high-risk classifications.
Questions About Security?
We're committed to transparency and security. Contact us for more information.