
GDPR charter

Our concrete commitments on data protection — beyond the regulatory minimum.

Last updated 19 May 2026

This charter complements our privacy policy. It describes the concrete commitments Hexceos makes regarding personal data we process — both that of our prospects and clients, and that of end users whose data our clients entrust to us as part of our services.

1. Data sovereignty

No personal data from our clients or their users leaves the European Union without their explicit agreement. Our primary infrastructure consists of our sovereign datacenters in France (Île-de-France and Occitanie). Our Quebec presence hosts Canadian data in compliance with Law 25 and PIPEDA.

None of our critical technical processors is subject to extraterritorial legislation (US CLOUD Act, Chinese surveillance laws). When we use third-party services for peripheral functions (CRM tool, helpdesk), we give preference to European providers and systematically apply end-to-end encryption and BYOK (bring your own key) architectures, so that the provider never holds the keys needed to read the data.

2. Minimisation and purpose

We strictly apply the minimisation principle: we collect only the data necessary for the stated purpose. We avoid asking for "just in case" fields, even when they would be commercially useful.

No data is used for any purpose other than the one for which it was collected, without prior notice to the concerned persons and, where appropriate, collection of their consent.

3. Security by default

Personal data is protected by standardised technical and organisational measures across our entire perimeter:

  • Systematic encryption at rest (AES-256) and in transit (TLS 1.3).
  • Phishing-resistant multi-factor authentication on all administrator accounts.
  • Least-privilege access control, quarterly access reviews.
  • 24/7 monitoring by our in-house SOC, with our Hexceos Sentinel EDR/XDR deployed across the entire fleet.
  • Immutable backups following the 3-2-1 rule, with restore tests every quarter.
  • Annual independent security audits; ISO 27001 and HDS certifications on the relevant scope, with risk management aligned with ISO 27005.

4. Subcontracting

The full list of our subcontractors with access to personal data is maintained and shared with any client who requests it at [email protected]. Each subcontractor is subject to:

  • A subcontracting agreement compliant with article 28 of the GDPR.
  • An initial assessment of their cybersecurity and legal maturity.
  • An annual compliance review.
  • Prior notification to our clients of any intended change of subcontractor.

5. Rapid incident notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of the persons concerned:

  • Notification to the CNIL within 72 hours of becoming aware of the breach (often within 24 hours in practice, as our incident reviews show).
  • Direct and understandable information to the persons concerned when the breach is likely to result in a high risk to them.
  • Our forensic report made available to competent authorities and concerned clients.

For client engagements, the time within which Hexceos notifies the client is set contractually and is under 24 hours for critical incidents.

6. Data subject rights — beyond the minimum

Beyond the rights provided by the GDPR (see privacy policy), we commit to:

  • Respond to data subject requests within 30 days at most (often within 10 days in practice).
  • Never use the one-month regulatory deadline as a systematic policy.
  • Provide a free full copy of the data held, including for repeated requests if they are reasonable.
  • Facilitate portability via structured, machine-readable formats (JSON, CSV) rather than unstructured PDF.

7. Data Protection Officer

Hexceos has designated a Data Protection Officer (DPO) who ensures the compliance of all our processing activities and acts as the primary point of contact for any question concerning personal data.

Data Protection Officer
Gaëtan Maiuri
Email — [email protected]

8. Transparency commitment

We publish this charter not because it is legally required, but because we consider transparency an essential part of the trust relationship with our clients and with the end users whose data we are entrusted with. We update it whenever our practices change significantly.

For any question, suggestion or complaint regarding this charter, you may write to us at [email protected].