Security and confidentiality policy

Effective: March 25, 2025

At Koncile, the protection of your personal data and the security of our infrastructure are at the core of our commitments. We implement high technical and organizational standards to ensure the confidentiality, integrity, and availability of the information processed on our platform. Our security policy below outlines the measures in place to prevent unauthorized access, data loss, or alteration, based on proven technologies, strict protocols, and a company-wide culture of security.

At the same time, our privacy and GDPR policy ensures the responsible use of Personal Data, in compliance with the General Data Protection Regulation (GDPR) and applicable French law. In particular, we strive to collect only the data strictly necessary, to limit its use to legitimate purposes, and to give each User, Client, or Visitor effective control over their rights.

This policy aims to transparently inform you about our practices, obligations, and your rights, whether you are a Client, a User of our Services, or a Visitor to our public website.

Terms beginning with a capital letter and not defined in this Security and Privacy Policy shall have the meaning given to them in the applicable contractual documents, including the General Terms of Use of the Account.

Security policy

This list may be amended by Koncile at any time, provided that such changes do not substantially reduce the level of security described herein. Any updates will be communicated to customers and testers of the service.

I. Technical Security Measures

Authentication

  • Unique user IDs and passwords per user (including strong authentication, a limit of 5 login attempts before blocking, periodic password renewal, and secure password storage)
  • Optional two-factor authentication (2FA)
  • Logging of access, anomalies, and security-related events

Access Logging and Incident Management

  • Protection of logging equipment from unauthorized access
  • Log retention for 9 months
  • Regular review of event logs
  • Detailed incident response plan, including procedures for various scenarios
  • Regular staff training on incident response procedures
  • Access to personal data by authorized personnel only, strictly as necessary for development or maintenance, using 2FA internally
  • Access to personal data limited to the CTO and Tech Lead with appropriate justification

Data Replication and Backup

  • Data replicated across two nodes for databases and two nodes for AWS storage
  • Hosting on a specific datacenter
  • Automatic server failover capability
  • Weekly backups
  • Weekly verification of recovery procedures
  • HTTPS encryption of backups during transfer
  • Backup replication protected by AWS access rights management

Hosting & Network

  • Hosting provided by Amazon Web Services on servers located in the EU, ISO 27001 and SOC 2 certified
  • End-to-end HTTPS encrypted transmission between servers and third parties
  • Functional division of Koncile's network into sub-networks for security purposes: separation of test and production environments
  • Koncile back-office isolated from the internet except for a single proxy entry point
  • Server synchronization via an AWS server
  • Web and Wi-Fi network segmentation (HTTPS, TLS)
  • Restricted access to admin tools and interfaces
  • Immediate deployment of critical updates

Data and Flow Security

  • Malware attachment detection tool
  • Data encryption (hashing, secret key protection, etc.)
  • Encryption of hosted data
  • Data transfer using TLS/SSL with HSTS and perfect forward secrecy

Physical Security of Premises and Storage Sites

  • Intrusion alarm
  • 24/7 video surveillance
  • Access control (badges, locked doors and cabinets, retention of physical access logs for 45 days)
  • Visitor supervision

II. Organizational Security

Personnel

  • Background checks for candidates in compliance with regulations
  • Confidentiality obligations and IT charter
  • Mandatory security training for employees
  • Access rights management
  • Definition of access profiles
  • Deactivation of unnecessary access rights
  • Staff awareness and confidentiality regarding data
  • Staff awareness of privacy and data protection risks
  • Employee confidentiality commitments

Processing Map and Compliance Monitoring

  • Appointment of a Data Protection Officer (DPO)
  • Subcontracting only to processors offering sufficient guarantees under regulations
  • Data protection agreements with processors (Article 28 of GDPR)
  • Compliance and security checks of new IT suppliers
  • Contracts must include data security risk provisions and intervention protocols in case of breach

Service Continuity

  • Security incident response procedures
  • Reporting of security incidents to a designated person (the CTO), and to a backup person (the Tech Lead) if the CTO is unavailable
  • Event analysis by emergency response team
  • In-depth review by maintenance team, legal, and communication departments
  • Automated security updates to ensure rapid application of patches
  • Backup restoration tests to ensure effectiveness in case of disaster

Digital Resources

  • Centralized device security policy (inventory, auto-lock, password complexity, firewall, installation restrictions, automatic updates)
  • Centralized tool policy for data processing by type and classification
  • Controlled access to source code
  • Peer review of code changes
  • Centralized access rights across all SaaS tools
  • In case of subcontracting: verification of security and compliance

Audits

  • AWS CloudTrail audits to assess security of the Koncile application and its infrastructure
  • Compliance committee to continuously monitor regulatory obligations

Privacy and GDPR Policy

When you interact with Koncile, either as a Client or User (as defined in the General Terms of Use of the Account) using our automated document processing services, or as a Visitor — i.e., someone browsing Koncile's public websites at https://www.koncile.ai/ and its subdomains (hereinafter, "Visitors") — Koncile may process certain Personal Data.

This privacy policy aims to inform you, when Koncile acts as Data Controller, about the data processing activities we carry out for Clients and Users of the Services, as well as for Visitors of our public websites.

Collection, Processing and Storage of Personal Data

Koncile is committed to protecting the confidentiality of its Clients, Users, and Visitors, and to using their Personal Data in compliance with Regulation (EU) 2016/679 (the "GDPR") and French Law No. 78-17 of January 6, 1978, as amended, on information technology, data files and civil liberties (together, the "Applicable Regulations").

Koncile does not sell Personal Data under any circumstances and only shares it with third parties acting on its behalf, solely to provide the Services, in accordance with the Applicable Regulations.

Categories of Personal Data Collected

Koncile may process the following categories of Personal Data:

  • Public website visit data: IP addresses, region or general location of access, browser type, operating system, and other usage data, including page view history
  • Identification data: name, surname, professional email address, phone number, user ID and password
  • Connection data: IP address, login logs, timestamps, APIs used
  • Billing data: payment information stored by our payment provider
  • Personal data contained in documents uploaded by the user to use the Services

Koncile may share Personal Data with technical subcontractors, strictly as necessary to provide the Services:

  • Hosting provider: Amazon Web Services, with servers located in France
  • Online payment provider (only for data needed for client billing): Stripe, with servers located in the European Union
  • Support tool provider (for public website only): Intercom, with servers located in the European Union

We require our subcontractors not to use Personal Data for any purposes other than those contractually agreed. However, Koncile may be required to disclose Personal Data to comply with legal obligations or court orders.

Purpose and Legal Bases of Processing

Koncile processes Personal Data for the following purposes:

Regarding public website visit data: Improving website design, diagnosing server issues, analyzing trends, tracking visitor behavior, and understanding user preferences

Regarding other types of data collected:

  • Managing contact requests and service demos on the basis of pre-contractual measures
  • Creating user accounts, managing secure access, and providing data capture and analysis services as part of the Subscription Agreement
  • Billing and subscription management under contract performance
  • Technical maintenance and service continuity based on Koncile's legitimate interest
  • Sending marketing and promotional communications (including newsletters), based on our legitimate interest in promoting our Services

If the Personal Data required for contract performance is not provided, Koncile may be unable to fulfill its contractual obligations.

Data Retention Periods

Koncile retains Personal Data as follows:

  • Identification data: retained for the duration of the contractual relationship and up to three (3) years after its end for marketing purposes
  • Connection data: retained for up to 12 months for security and maintenance purposes
  • Billing data: retained during the subscription period and applicable legal retention periods
  • Unless otherwise agreed in Specific Terms, data contained in documents uploaded by users are retained for the duration of the contractual relationship

Rights of Data Subjects

In accordance with Applicable Regulations, Users have the following rights:

  • Right to access, rectify, and erase their Personal Data
  • Right to restrict or object to processing
  • Right to data portability
  • Right to define post-mortem data management instructions

Users may withdraw their consent at any time by sending a request to dpo@koncile.ai. In case of account deletion, Koncile may retain certain Personal Data to fulfill legal obligations.

If you believe your rights are not being respected, you may lodge a complaint with the competent supervisory authority (in France, the CNIL).

Changes to the Privacy Policy

Koncile reserves the right to update this Privacy Policy to reflect legal or technical changes. We may notify you of any material changes before they take effect, by email or through a visibly accessible notice. We encourage you to review this Privacy Policy regularly.