Trust, Security & Privacy

This page is maintained by the Association Un Pour Tous Et Tous Pour Un (Paris) to answer common security and privacy questions about the VoisinSOS platform. It describes controls that are currently enabled in the app. It is editable project content — it is not an independent certification or audit, and it is not issued by the hosting provider.

Shared responsibility

  • Platform (hosting provider). Provides the managed database, authentication service, file storage and serverless runtime that the app is built on.
  • Association (us). Owns the application code, access policies, member data and operational practices described below.
  • Members (you). Choose a strong password, keep your device secure, and notify us of anything suspicious.

Authentication & account access

  • Email + password sign-in, with optional Google sign-in.
  • Sessions are issued as short-lived tokens and refreshed automatically; signing out revokes the session on this device.
  • Passwords are never stored in plain text by the app — the managed authentication service handles hashing.
  • Administrator areas require an explicit admin role granted by the founder; the role is checked on the server, not in the browser.

Data protection

  • All traffic between your browser and the platform is served over HTTPS (TLS).
  • Row-Level Security is enabled on member-facing tables so that one member cannot read or modify another member's records by guessing IDs.
  • Server-side functions validate input (length, format, allowed values) before writing to the database.
  • Secrets (API keys, payment provider keys, mail credentials) are stored as server-side environment variables and are never shipped to the browser.

Payments

  • Card / PayPal payments are handled by the payment provider's own checkout — we do not see or store your card number, CVV or bank credentials.
  • The app stores only the minimum needed to reconcile a payment (order ID, amount, status, timestamp) and to issue your receipt.
  • SEPA / bank-transfer details shown on the site are the Association's own published account; the matching of incoming transfers is reviewed by an administrator.

Storage & media

  • Private buckets (member documents, SOS evidence, admin assets) are access-controlled: downloads require a signed, short-lived URL.
  • Public assets (avatars, news images, association logos) are served from public buckets and are intended to be world-readable.

Logging & monitoring

  • Server functions log errors and abuse signals (rate-limit hits, failed admin checks) to a restricted log table; access is limited to administrators.
  • Sensitive actions (role changes, mass deletions, SOS escalations) trigger an administrator notification.

Your data rights (GDPR)

  • You may request a copy of your data, correction of inaccurate data, or deletion of your account at any time.
  • Account deletion removes your profile and personal records; some accounting and legal records are retained for the period required by French law.
  • See the full Privacy Policy for the lawful bases, retention periods and processors used.

Reporting a security issue

If you believe you have found a security vulnerability, please email contact@unpourtousettouspourun-asso.fr with a description and steps to reproduce. Please do not publicly disclose the issue until we have had a reasonable opportunity to fix it. We do not currently operate a paid bug-bounty program.

Compliance

We follow the GDPR for personal data of EU residents. We do not currently claim SOC 2, ISO 27001, HIPAA or PCI-DSS certification for the Association itself; card data is handled by the certified payment provider.

Last reviewed: 2026-06-17. This page is published by the Association and may be updated without notice as the platform evolves.