Security and confidentiality policy
Effective: March 25, 2025
At Koncile, the protection of your personal data and the security of our infrastructure are at the heart of our commitments. We implement high technical and organizational standards to ensure the confidentiality, integrity, and availability of the information processed on our platform.
Our security policy outlined below details all the measures in place to prevent unauthorized access, data loss, or alteration, relying on proven technologies, strict protocols, and a security culture shared by the entire team.
At the same time, our privacy policy and GDPR compliance ensure the responsible use of personal data, in accordance with the General Data Protection Regulation (GDPR) and applicable French legislation. In particular, we ensure that only the strictly necessary data is collected, limit its use to legitimate purposes, and provide each User, Client, or Visitor with effective control over their rights.
This policy aims to inform you transparently about our practices, obligations, and your rights, whether you are a Client, User of our Services, or a Visitor to our public website.
Terms starting with a capital letter and not defined in this security and privacy policy have the meaning given to them in the applicable contractual documents, namely the Subscription Agreement and the General Terms of Use.
Security policy
This list may be amended by Koncile at any time, provided that such modifications do not substantially reduce the level of security set forth in this document. Any modification will be communicated to the clients and testers of the service.
I. Technical Security Measures
Authentication
- Unique user IDs and passwords per user (including: strong authentication, limit of 5 login attempts before blocking, periodic password renewal, secure password storage)
- Optional two-factor authentication (2FA)
- Logging of access, anomalies, and security-related events
Access Logging and Incident Management
- Protection of logging equipment from unauthorized access
- Log retention for 12 months
- Regular review of event logs
- Detailed incident response plan, including procedures for various scenarios
- Regular staff training on incident response procedures
- Access to data is restricted to authorized personnel only, strictly as necessary for development or maintenance purposes, and is performed internally using two-factor authentication (2FA).
- Access is granted based on appropriate justification.
Resilience, Backup, and Data Availability
- Data replicated across two nodes for databases and two nodes for AWS storage
- Hosting on a specific datacenter
- Automatic server failover capability
- Weekly backups
- Weekly verification of recovery procedures
- HTTPS encryption of backups during transfer
- Backup replication protected by AWS access rights management
Hosting & Network
- Hosting provided by Amazon Web Services on servers located in the EU, ISO 27001 and SOC 2 certified
- End-to-end HTTPS-encrypted transmission between servers and third parties
- Functional division of Koncile's network into sub-networks for security purposes: separation of test and production environments
- Koncile back-office isolated from the internet except for a single proxy entry point
- Server synchronization via an AWS server
- Web and Wi-Fi network segmentation (HTTPS, TLS)
- Restricted access to admin tools and interfaces
- Immediate deployment of critical updates
Data and Flow Security
- Malware attachment detection tool
- Data encryption (hashing, secret key protection, etc.)
- Intrusion Detection System (IDS) to monitor network traffic and detect abnormal or suspicious activity in real time
- Encryption of hosted data
- Data transfer using TLS/SSL with HSTS and perfect forward secrecy
Physical Security of Premises and Storage Sites
- Intrusion alarm
- 24/7 video surveillance
- Access control (badges, locked doors and cabinets, retention of physical access logs for 45 days)
- Visitor supervision
Collaborative Security Program
Koncile authorizes responsible and controlled vulnerability research, provided it does not compromise the availability of services, or the integrity and confidentiality of data. All testing must exclude social engineering, the use of real data, denial-of-service attacks, or any tests involving third-party systems. Vulnerabilities can be reported to contact@koncile.ai, with a clear description and reproducible steps. Koncile commits to acknowledging receipt within 72 hours and to handling the report seriously, in collaboration with the researcher, in a constructive and cooperative spirit.
In-scope targets: Koncile’s public website (https://www.koncile.ai/), public API (https://api.koncile.ai/), application (https://app.koncile.ai/), and documentation (https://docs.koncile.ai/). Test credentials or an API key can be provided through the application upon request.
II. Organizational Security
Personnel
- Background checks for candidates in compliance with regulations
- Confidentiality obligations and IT charter
- Mandatory security training for employees
- Access rights management
- Definition of access profiles
- Deactivation of unnecessary access rights
- Staff awareness and confidentiality regarding data
- Staff awareness of privacy and data protection risks
- Employee confidentiality commitments
- Anonymous whistleblower channel available to report inappropriate behavior or suspected violations
Continuity of Services
- Procedure for Security Events
- Transmission of security events to a dedicated person (CTO), and to a second person ("techlead") in the event of the CTO's absence.
- Analysis of the event by a member of the emergency response team.
- In-depth review by the maintenance team, relevant services, and notably the legal and communication departments.
- Automation of security updates to ensure the rapid application of patches.
- Restoration testing from backups to ensure their effectiveness in the event of a disaster.
Digital Resources
- Centralized device security policy (inventory, auto-lock, password complexity, firewall, installation restrictions, automatic updates)
- Centralized tool policy for data processing by type and classification
- Controlled access to source code
- Peer review of code changes
- Centralized access rights across all SaaS tools
- In case of subcontracting: verification of security and compliance
Audits
- AWS CloudTrail audits to assess security of the Koncile application and its infrastructure
- Compliance committee to continuously monitor regulatory obligations
Privacy and GDPR Policy
When you interact with Koncile as part of accessing our Services, or as a visitor, i.e., a person browsing Koncile's public websites, namely https://www.koncile.ai and its subdomains (hereinafter, the "Visitors"), certain personal data may be processed by Koncile.
This privacy policy aims to inform, when Koncile acts as the data controller, about the data processing it carries out, both for Clients and potential Clients in the context of using the Services, and for Visitors while browsing our public websites.
Collection, Processing and Storage of Personal Data
Koncile is committed to protecting the confidentiality of its Clients, Users, and Visitors, and to using their personal data in accordance with Regulation (EU) 2016/679 (the "GDPR") and French law no. 78-17 of January 6, 1978, as amended, relating to data processing, files, and freedoms (together, the "Applicable Regulations").
Koncile never sells personal data and only shares it with third parties acting on its behalf, solely for the purpose of providing its Services, in accordance with the Applicable Regulations.
Categories of Personal Data Collected
Koncile may process the following categories of Personal Data:
- Website Visitor Data: IP addresses, the region or general location from which your computer or device accesses the Internet, browser type, operating system, as well as other data related to site usage, including the history of pages viewed.
- Identification Data: First name, last name, professional email address, phone number, username, and user password.
- Connection Data: IP address, login logs, timestamps, API used.
- Billing Data: Payment information stored by Koncile or a payment provider (Stripe).
Appointment of a Data Protection Officer and Subprocessing
To ensure the company’s compliance with the General Data Protection Regulation (GDPR) and to effectively safeguard personal data, a Data Protection Officer (DPO) has been appointed. Acting independently, the DPO advises management and teams on regulatory obligations, monitors GDPR compliance within the organization, and serves as the primary point of contact with supervisory authorities. The DPO is also responsible for handling data subjects’ requests concerning their rights.
Koncile may share Personal Data with technical subprocessors, strictly to the extent necessary for the delivery of its Services. Koncile is committed to working only with subprocessors who provide sufficient guarantees in terms of security and GDPR compliance. These subprocessors must demonstrate their ability to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data. Furthermore, all data must be stored exclusively within the European Union.
In accordance with Article 28 of the GDPR, a data processing agreement is systematically concluded with each subprocessor. This agreement specifies the subject and duration of the processing, the nature and purpose of the processing, the categories of personal data involved, as well as the subprocessor’s obligations regarding confidentiality, security, data breach notification, assistance in fulfilling data subjects’ rights, and the return or deletion of data at the end of the engagement.
Before acquiring or deploying any new IT equipment or system components, a verification procedure is carried out to assess their compliance with applicable regulations (particularly regarding personal data protection) and their security level. Where applicable, this assessment includes a Data Protection Impact Assessment (DPIA), along with a technical and organizational security audit. No equipment may be integrated into the information system without prior approval.
Each contract signed with a third party—whether a service provider, subprocessor, or partner—includes a specific clause on data security. This clause outlines obligations in terms of confidentiality, the measures to be implemented to ensure data security, and the procedures to follow in the event of a security incident or data breach. The contractual framework also includes a duty of prompt notification, cooperation in the event of investigations or audits, and, where applicable, the allocation of responsibilities.
Purpose and Legal Bases of Processing
Koncile processes the personal data collected via the public website or in connection with the provision of the Services, as the data controller, for the following purposes:
- Improving the design of the public website, diagnosing issues on our servers, analyzing trends, tracking Visitor movements, and understanding user preferences.
- Management of contact requests and Service demonstrations based on pre-contractual measures.
- Creation of User Accounts and management of secure access to the Services as part of the execution of a Subscription Agreement.
- Billing and subscription management, in accordance with the execution of the Subscription Agreement.
- Technical maintenance and management of service interruptions, based on Koncile’s legitimate interest in ensuring the continuity of its Services.
- Sending of marketing and prospecting communications (including newsletters), based on our legitimate interest in promoting our Services.
If the personal data necessary for the execution of the agreement is not provided, Koncile will not be able to fulfill its contractual obligations.
Data Retention Periods
Koncile retains personal data for the following periods:
- Identification data is retained for the duration of the contractual relationship and for up to three (3) years after its termination for commercial prospecting purposes.
- Connection data is retained for a maximum period of 12 months for security and maintenance purposes.
- Billing data is retained for the duration of the subscription and the applicable statutory limitation periods.
Rights of Data Subjects
In accordance with Applicable Regulations, Users have the following rights:
- Right of access, rectification, and erasure of their personal data;
- Right to restrict processing or object to processing;
- Right to data portability;
- Right to define directives regarding the retention, erasure, and communication of their personal data after their death.
Users may also withdraw their consent at any time by sending a request to dpo@koncile.ai. In the event of the deletion of a User Account, Koncile may retain certain personal data to comply with its legal obligations.
If you believe that your rights are not being respected, you have the option to file a complaint with the competent supervisory authority (in France, the CNIL).
Changes to the Privacy Policy
Koncile reserves the right to modify this privacy policy to comply with legal or technical developments. We may notify you of any significant changes to this privacy policy, prior to the effective date of the changes, by sending you an email or through any other reasonably visible and accessible means.
Therefore, we recommend that you regularly review this privacy policy.