
Security and GDPR | Aurelia Data Protection

Discover how Aurelia protects your data and your candidates'. 100% EU hosting, GDPR compliance, encryption, AI Act ready.

10 min read
100% EU: data hosting
AES-256: encryption at rest
24 months: recruitment data retention
72h: CNIL notification deadline in case of incident

Our commitment at a glance

"Trust is built on transparency. Here's exactly how we protect your data."

Recruitment involves sensitive data: CVs, evaluations, interview notes, candidate personal information. At Aurelia, security isn't optional; it's foundational. We apply the highest standards to protect both your data and that of the candidates you recruit.

Summary of our security guarantees

Aspect | Our guarantee
--- | ---
Hosting | 100% European Union (Germany and France)
Legal compliance | GDPR by design, AI Act ready
Encryption at rest | AES-256 for all stored data
Encryption in transit | TLS 1.3 for all communications
Authentication | 2FA available, timed sessions
Subprocessors | All GDPR compliant, DPA signed
AI training | Never used to train models

Data location and infrastructure

Technical infrastructure

Service | Location | Function | Certification
--- | --- | --- | ---
Supabase / PostgreSQL | AWS Frankfurt (eu-central-1) | Main database | GDPR, SOC 2
Hostinger | France | Next.js application servers | GDPR
Cloudflare | Edge EU | CDN, DDoS protection, WAF | GDPR, BCR
Stripe | European Union | Secure payments | GDPR, PCI-DSS

No data to the United States

All your data and candidate data are hosted exclusively in the European Union. API calls to Anthropic (Claude) and OpenAI (Whisper) are covered by Data Processing Agreements (DPA) that prohibit the use of data for model training. Data is minimised and anonymised before being sent.

GDPR compliance: the 6 respected principles

  1. Lawfulness, fairness, transparency

     Legal basis: execution of the subscription contract. Clear information in the privacy policy. Consent requested for each specific processing.

  2. Purpose limitation

     Data is collected only to provide the Aurelia service, improve user experience and ensure security. We never sell your data.

  3. Data minimisation

     We collect only necessary data: recruiter identity, recruitment data (CVs, evaluations), technical security logs.

  4. Accuracy

     You can modify your data at any time. Candidates can request corrections. We fix reported errors within 30 days.

  5. Storage limitation

     Recruitment data is retained for a maximum of 24 months. Billing data: 10 years (legal obligation). Deletion on request at any time.

  6. Integrity and confidentiality

     AES-256 encryption at rest, TLS 1.3 in transit, restricted data access, regular audits, least privilege principle.

Data retention periods

Data retention register

Data type | Retention period | Legal basis
--- | --- | ---
Recruiter account | Subscription duration + 1 year | Contract execution
Recruitment data | 24 months after recruitment | Legitimate interest
Candidate CVs | 24 months or consent withdrawal | Candidate consent
Interview transcriptions | Recruitment duration + 6 months | Candidate consent
Security logs | 12 months | Legal obligation / security
Billing data | 10 years | Legal accounting obligation

Your GDPR rights

Rights of recruiters and candidates

Right | How to exercise it | Response deadline
--- | --- | ---
Access your data | Export from your account or request to support | Within 30 days
Rectification | Direct modification in the interface or request to support | Immediate or within 30 days
Erasure | One-click account deletion or request to support | Within 30 days
Portability | JSON/CSV export available in settings | Immediate
Objection | Contact our DPO at contact@aurelia.jobs | Within 30 days

Where exactly is my data stored?

Your data is stored in the European Union only, on two infrastructures: the main database is on AWS Frankfurt (Germany), and the application servers are in France (Hostinger). Cloudflare operates on European points of presence. No data is transferred to third countries without appropriate contractual guarantees (Standard Contractual Clauses).

What happens if I cancel my subscription?

Upon cancellation, your data is retained for 30 additional days to give you time to export it. You can request a complete export (JSON or CSV format) of all your data before this deadline. After 30 days, the data is permanently and irreversibly deleted from our servers. Only billing data is retained for 10 years, under a legal accounting obligation.

How is candidate data protected?

Candidate data (CVs, interview notes, evaluations) enjoys the same security guarantees as your data. As a recruiter, you are the data controller for the candidate data you enter in Aurelia; Aurelia is your processor. You must inform candidates that their data is processed in Aurelia (a mention in your privacy policy or in the candidate application confirmation email).

Are you ISO 27001 or SOC 2 certified?

Aurelia isn't yet ISO 27001 certified; this is planned on the 2027 roadmap, once we reach a size that justifies it. However, our main subprocessors (Supabase/AWS) are SOC 2 Type II and ISO 27001 certified, which covers the infrastructure hosting your data. We apply the security principles recommended by ANSSI for cloud services.

Need our security documentation?

On request, we provide our complete privacy policy, Data Processing Agreement (DPA), processing register and data protection impact assessment (AIPD).
