Security & Compliance

Enterprise-grade security leveraging Cloudflare and Neon, with full GDPR compliance

Last updated: February 2026

Security Measures

Authentication Methods

GuideMode implements multiple authentication strategies:

  • OAuth 2.0: GitHub, Google, GitLab authentication
  • Magic Links: Passwordless email authentication with HMAC-SHA256 signed tokens, 15-minute expiry, and one-time use
  • API Keys: Bearer token authentication for programmatic access with centrally managed revocation

No passwords are stored - all authentication is delegated to trusted OAuth providers or to the signed, single-use magic links above.

Access Controls

  • Role-Based Access Control (RBAC): Owner, Admin, Member roles with granular permissions
  • Multi-tenant Isolation: Per-tenant data isolation with foreign key constraints on all tables
  • API Key Scoping: Keys inherit user permissions
  • Session Security: HttpOnly session cookies cannot be read by page scripts, so an XSS flaw cannot exfiltrate the session token

Application Security

  • OAuth Token Encryption: AES-256-GCM with random IV for all stored OAuth tokens
  • API Key Hashing: SHA-256 hash storage - plaintext API keys are never stored
  • Security Headers: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy
  • Content Security Policy: Strict CSP with script-src restrictions and frame-ancestors 'none'
  • Rate Limiting: IP-based authentication rate limiting and tenant-based API rate limiting
  • Webhook Verification: HMAC-SHA256 signature verification with constant-time comparison for all provider webhooks
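The two storage rules above, AES-256-GCM with a random IV for OAuth tokens and SHA-256 hashing for API keys, as an added TypeScript example that is not GuideMode's code. The 32-byte key, the iv.ciphertext.tag layout, the `gm_` key prefix and the in-memory key store are assumptions made for the example.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

// Constructed example, not GuideMode's code. A real key comes from a KMS or
// secret store; this is a placeholder 32-byte AES-256 key.
const KEY = Buffer.alloc(32, 7);

// AES-256-GCM with a fresh random 12-byte IV per token; the auth tag detects
// any change to the ciphertext. Output layout (base64url): iv.ciphertext.tag
export function encryptToken(plaintext: string, aad = ""): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", KEY, iv);
  cipher.setAAD(Buffer.from(aad)); // e.g. bind the blob to its owner row
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [iv, ct, cipher.getAuthTag()].map((b) => b.toString("base64url")).join(".");
}

// Returns null when the tag check fails (tampered ciphertext or wrong AAD).
export function decryptToken(blob: string, aad = ""): string | null {
  const parts = blob.split(".");
  if (parts.length !== 3) return null;
  const [iv, ct, tag] = parts.map((p) => Buffer.from(p, "base64url"));
  try {
    const d = createDecipheriv("aes-256-gcm", KEY, iv);
    d.setAAD(Buffer.from(aad));
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// API keys: only SHA-256(key) is stored and looked up, so a database leak
// yields no usable key; revocation flips a flag on the stored record.
export function hashApiKey(key: string): string {
  return createHash("sha256").update(key).digest("hex");
}
const apiKeyStore = new Map<string, { userId: string; revoked: boolean }>();
export function createApiKey(userId: string): string {
  const key = `gm_${randomBytes(24).toString("base64url")}`; // hypothetical prefix
  apiKeyStore.set(hashApiKey(key), { userId, revoked: false });
  return key; // shown to the user once, never persisted in plaintext
}
export function revokeApiKey(key: string): void {
  const rec = apiKeyStore.get(hashApiKey(key));
  if (rec) rec.revoked = true;
}
export function authenticateApiKey(key: string): string | null {
  const rec = apiKeyStore.get(hashApiKey(key));
  return rec && !rec.revoked ? rec.userId : null;
}
```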

Incident Response Plan

  • Breach Notification: Within 72 hours to affected users and authorities
  • GDPR Compliance: Article 33/34 requirements
  • Encrypted Data: Data encrypted at rest by Neon and in transit by Cloudflare may be exempt from notification if unintelligible

Data Handling

Data Encryption

At Rest

  • Cloudflare R2: AES-256-GCM (automatic, zero-config)
  • Neon PostgreSQL: AES-256 with AWS KMS/Azure Key Vault
  • Application-Level: OAuth tokens encrypted with AES-256-GCM before database storage

In Transit

  • TLS 1.2/1.3: Enforced across all services
  • HTTPS Only: HTTP automatically upgraded via HSTS

User Data Controls

You control what data leaves your machine. The GuideMode desktop app offers three sync modes:

  • No Sync: Sessions stay on your local machine only - nothing is uploaded
  • Metrics Only: Usage statistics and analytics are uploaded, but no transcript content
  • Full Transcript: Complete session data uploaded for full analytics and search

Privacy Protections

GDPR Compliant - Your rights under GDPR Articles 15-21:

  • Right to access personal data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability

For other rights, contact privacy@guidemode.dev

Data Collection

What We Collect:

  • Account info (name, email via OAuth)
  • Session recordings (code interactions)
  • Usage analytics (with consent)

What We Don't Collect:

  • Passwords (OAuth only)
  • Payment card info (handled by Paddle)
  • Location or device fingerprinting

Cross-Border Transfers

EU Data Residency Available:

  • Neon EU-hosted PostgreSQL instances
  • Standard Contractual Clauses (SCCs)
  • EU-U.S. Data Privacy Framework (Cloudflare)

Compliance Certifications

GuideMode inherits enterprise-grade compliance certifications from our infrastructure providers:

Cloudflare

  • SOC 2 Type II (annual)
  • ISO 27001:2022
  • ISO 27018, ISO 27701
  • PCI DSS Level 1

Neon

  • SOC 2 Type II
  • ISO 27001, ISO 27701
  • GDPR & CCPA

Deployment Options

Interested in discussing deployment options for your organization? Contact sales@guidemode.dev to discuss your requirements.

Additional Security Measures

Infrastructure

  • DDoS Protection
  • Web Application Firewall
  • Bot Protection
  • Rate Limiting

Application

  • Input Validation (Zod)
  • SQL Injection Protection
  • XSS Protection
  • CSRF Mitigation (SameSite cookies)

Operations

  • Login Event Tracking
  • Automated Backups
  • Webhook Signature Verification

Code Quality

  • TypeScript Strict Mode
  • Biome Linting
  • Automated Testing
  • Open Source Clients (GitHub)

Vulnerability Reporting

We take security vulnerabilities seriously. If you discover a potential security issue, we encourage responsible disclosure.

What to Report

  • Authentication or authorization bypasses
  • Cross-tenant data access
  • Injection vulnerabilities (SQL, XSS, etc.)
  • Sensitive data exposure

How to Report

Email security@guidemode.dev with a description of the vulnerability, steps to reproduce, and any relevant details. We will acknowledge receipt within 48 hours and work with you to understand and address the issue.

EU AI Act Compliance

Not Classified as High-Risk AI System

GuideMode has not declared our application as high-risk under the EU Artificial Intelligence Act.

We confirm our application does not:

  • Make automated decisions affecting legal rights or safety
  • Process biometric data for identification
  • Perform credit scoring or risk assessments
  • Deploy in critical infrastructure

GuideMode is an analytics and monitoring tool for AI coding sessions. We track and analyze interactions with AI coding assistants to provide insights and improve developer workflows. We do not make automated decisions or deploy AI systems that would fall under high-risk classifications.

Questions About Security?

We're committed to transparency and security. Contact us for more information.