IgnitionAI

Confidentiality, security and GDPR compliance

  • NDA and DPA from the first call

    We sign a non-disclosure agreement (NDA) before any access to your data, unconditionally. If the engagement involves processing personal data within the meaning of Article 4 of Regulation (EU) 2016/679 (GDPR), we add a data processing agreement (DPA) compliant with Article 28 before kickoff. The DPA sets out each party's role: controller (you) and processor (us).

  • Sovereign hosting by default

    The systems we deploy run on your infrastructure or on a French sovereign cloud (OVHcloud, Scaleway, Outscale) or a private cloud. External APIs hosted outside the EU (OpenAI, Anthropic, Google) are only used if you have explicitly approved the transfer and signed the standard contractual clauses provided for in Article 46 of the GDPR. Otherwise, we rely on self-hosting (vLLM, TGI, Ollama) on your infrastructure.

  • Data isolation between tenants

    On multi-tenant architectures serving several internal entities or several clients, we isolate data at the vector-store, retrieval and agent-memory level. Isolation is verified by automated tests on every deployment. This practice is detailed in our article on access control in an enterprise RAG.

  • Anonymisation and data minimisation

    For development and test phases, we systematically work on anonymised or pseudonymised data, applying the minimisation principle of Article 5(1)(c) of the GDPR. Raw data is only handled at deployment time in a controlled environment.

  • Traceability and auditability

    Every response generated by an AI system in production is logged with its retrieval context, its model version, its prompt and its timestamp. This practice meets the record-keeping obligation of Article 12 of Regulation (EU) 2024/1689 (AI Act) for high-risk systems. Internal auditors, DPOs and regulators can reconstruct each decision after the fact.

  • Rights of data subjects

    On systems that ingest personal data, we design the architecture to enable the rights provided by the GDPR: right of access (Article 15), right to rectification (Article 16), right to erasure — the so-called right to be forgotten (Article 17), right to portability (Article 20). On vector stores and caches, these rights are exercised without full reindexing of the database.

  • Going further

    See our editorial policy on the sourcing obligations applicable to every regulatory claim published by IgnitionAI, and our page dedicated to AI governance which details how the GDPR and the AI Act fit together.

Confidentiality, security and GDPR compliance — IgnitionAI