Security

Effective date: 7 May 2026

Overview

Pamoja.ai by Galago is designed to support GDPR requirements and the trust expectations of foundations, schools and trusts handling student, donor and academic data. This page summarises the practical measures in place today. It is not a certification claim.

Access and authentication

  • Role-based access control — admin, staff (volunteer), donor (sponsor), school and student / alumni roles, each with the minimum permissions required for their job.
  • Per-organisation data separation — every record is scoped to a tenant (foundation_id) and access is enforced server-side, including by Postgres row-level security (RLS) policies, so a query from one foundation cannot return another foundation's rows even if the application layer is bypassed.
  • Authentication — passwordless magic-link login by default; multi-factor authentication available for admins.
  • Principle of least privilege — service accounts and API keys are scoped to the narrowest permission set that lets them function.
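The tenant-scoping pattern described above, as an added example rather than the project's own schema: the students and memberships tables, the is_member helper and the sample UUID are assumptions made for illustration; auth.uid() is Supabase's helper that returns the JWT subject of the current request.

```sql
-- Added example, not the project's own schema. Assumed: a students table that
-- carries the tenant column foundation_id, a memberships table mapping an
-- authenticated user to a foundation and a role, and Supabase's auth.uid().

create table memberships (
  user_id       uuid not null,
  foundation_id uuid not null,
  role          text not null
    check (role in ('admin', 'staff', 'donor', 'school', 'student')),
  primary key (user_id, foundation_id)
);

create table students (
  id             uuid primary key default gen_random_uuid(),
  foundation_id  uuid not null,
  full_name      text not null,
  personal_email text
);

-- One predicate reused by every policy: is the caller a member of the row's
-- foundation with one of the allowed roles? security definer lets it read
-- memberships regardless of RLS on that table; search_path is pinned so a
-- caller cannot shadow the table name with one of their own.
create function is_member(target uuid, allowed text[])
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from memberships m
    where m.user_id = auth.uid()
      and m.foundation_id = target
      and m.role = any (allowed)
  );
$$;

alter table memberships enable row level security;
alter table students    enable row level security;
alter table students    force  row level security;  -- table owner is not exempt

-- Users may read their own membership rows only.
create policy memberships_self on memberships
  for select using (user_id = auth.uid());

-- Staff-type roles may read a foundation's students. Donors are left out here
-- because RLS is row-level: hiding personal_email from them is a column-level
-- concern, served by a view over this table rather than by a policy.
create policy students_read on students
  for select
  using (is_member(foundation_id, array['admin', 'staff', 'school']));

-- Only admin and staff may write. The with check clause blocks inserting a row
-- into, or moving one to, a foundation the caller does not administer.
create policy students_insert on students
  for insert
  with check (is_member(foundation_id, array['admin', 'staff']));

create policy students_update on students
  for update
  using      (is_member(foundation_id, array['admin', 'staff']))
  with check (is_member(foundation_id, array['admin', 'staff']));

create policy students_delete on students
  for delete
  using (is_member(foundation_id, array['admin', 'staff']));

-- Smoke test from psql as a non-superuser role (Supabase's "authenticated"),
-- simulating a request for one user (constructed UUID); expect only that
-- user's foundations in the result.
-- begin;
-- set local role authenticated;
-- select set_config('request.jwt.claims',
--   '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
-- select foundation_id, count(*) from students group by 1;
-- rollback;

-- Check: a tenant table with RLS disabled is fully readable by any role that
-- has table grants. Anything this query lists still needs policies.
-- select tablename from pg_tables where schemaname = 'public' and not rowsecurity;
```

Two caveats a reviewer would raise against this pattern. First, RLS is bypassed by superusers and by Supabase's service-role key, so any server-side code that connects with that key must apply the foundation_id filter itself; the policies protect only connections made as anon or authenticated. Second, a table with RLS enabled but no policy denies everything to non-owners, while a table without RLS enabled allows everything, so the pg_tables check above belongs in a migration test rather than in a one-off review.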

Hosting and infrastructure

  • EU-based primary storage — Supabase (Frankfurt, eu-central-2) for the database, authentication and file storage.
  • Edge delivery — Vercel’s edge platform with HTTPS-only access and HSTS.
  • Encryption — TLS in transit; at-rest encryption provided by the underlying managed services.

Audit, logging and monitoring

  • Audit log — admin-visible audit trail covering authentication events, role changes, sensitive admin actions and data exports.
  • Error tracking — Sentry, with PII scrubbing in stack traces where reasonably possible.
  • Email deliverability events — Resend webhooks (delivered / bounced / complained / unsubscribed) feed into an audit-friendly communications log.

Backups

Database backups rely on Supabase’s managed point-in-time recovery for the duration provided by the underlying plan. Specific recovery objectives can be agreed in a customer-specific annex.

Data export and deletion

  • Customers can export their data at any time during the subscription via the in-app exports surface or by written request.
  • On termination, an export window (typically 30 days) is offered before deletion in line with the DPA.
  • Customers can request deletion of specific records during the subscription term.

Safeguarding for donor / student communication

  • Mediated messaging — donor / student communication is mediated by the platform. Personal contact details (phone, personal email) are not exposed by default.
  • Moderation — optional moderation flow for messages before delivery.
  • Audit trail — every message stored with sender, recipient, status and timestamp, viewable by foundation admins.
  • Take-down — foundation admins can remove a user, mute a thread or take down a record at any time.

Operational practices

  • Secrets stored as environment variables in the deployment platform (not committed to source).
  • Production database access restricted to the operator and the managed-platform vendor.
  • Dependency updates and security advisories monitored continuously.

Planned improvements

We track the following enhancements on the roadmap and will update this page as they ship: formal SOC 2 / ISO 27001 alignment, a publicly-published vulnerability-disclosure policy, and configurable per-tenant data-retention rules.

Incident response

Suspected vulnerabilities or security incidents should be reported to marcbonischarancle@gmail.com with the subject prefix [security]. We will acknowledge receipt within two business days and coordinate a remediation timeline.
