Trust Center

Security, Privacy & Compliance

Everything you need to know about how we protect your data and maintain compliance

Legal Documentation

Privacy Policy

How we collect, use, and protect your personal data

Read Policy
Terms of Service

Master Subscription Agreement and service terms

Read Terms
Data Processing Agreement

GDPR-compliant data processing framework

Read DPA

Common Questions

Quick answers organized by topic

Data Storage & Location

Where is my data stored?

All customer data is stored in the European Union (AWS Paris, eu-west-3). Your data is encrypted at rest with AES-256 and in transit with TLS 1.2+.

Do you transfer data outside the EU?

Some subprocessors (OpenAI, Stripe) are in the USA. We use Standard Contractual Clauses to ensure GDPR-compliant transfers.

Can I choose where my data is stored?

EU (Paris) is the default for all users. Enterprise customers can request alternative regions subject to separate agreement.

How are backups handled?

Weekly encrypted backups stored in the EU region. 30-day retention period.

What about disaster recovery?

We maintain a comprehensive disaster recovery plan with regular testing. Backups are stored in multiple availability zones for redundancy.

Data Access & Privacy

Who can access my candidate data?

Only your authorized users and your client companies (for submitted candidates). Multi-tenant isolation ensures other agencies cannot see your data.

Can NextMatch staff access my data?

Only for technical support (with your permission) or legal compliance. All access is logged and audited.

Do you sell my data?

No. We never sell customer data or candidate information to third parties. Your data is yours.

What is multi-tenant isolation?

Each agency operates in a completely isolated environment. Agencies cannot access each other's candidate data or see other agencies' activities.

How do you protect candidate privacy?

Candidates can delete their profile anytime. Their CV is only visible to agencies they applied through. We comply with GDPR data subject rights.

What about sensitive personal data?

We don't extract sensitive data (health, race, religion) from CVs unless incidentally present. Customers must ensure compliance with employment laws.

AI & Data Processing

Is my data used to train AI models?

No. OpenAI does not store your CV data or use it to train models per our enterprise agreement. Processing happens in real-time with zero retention.

How does CV analysis work?

We send CV text to OpenAI's API to extract structured data (skills, experience, education). The data is processed immediately and not stored by OpenAI.

What AI features do you use?

CV parsing, semantic search, candidate-job matching, interview question generation, and CV optimization recommendations.

Can AI make biased decisions?

AI systems may contain bias. We don't warrant AI is bias-free. Customers must implement human oversight for hiring decisions and comply with anti-discrimination laws.

Are AI matching scores final decisions?

No. AI scores are recommendations only. Human recruiters make all final hiring decisions. You must validate AI outputs before acting.

What happens to interview transcripts?

Transcripts are created with consent and retained per your agency's policy. You can request deletion anytime.

Data Retention & Deletion

How long do you keep my data?

Indefinitely while your account is active. You control retention: delete documents anytime through account settings.

What happens to inactive accounts?

Accounts inactive for 6 months will be deleted. We notify you 30 days before deletion. Log in to prevent deletion.

Can I delete my data immediately?

Yes. Request deletion at bg@floreal.ai. Data is removed from active systems within 2 business days. Backups are deleted within 7 days.

What happens after I cancel my subscription?

90-day retrieval period to export your data. After 90 days, data is automatically deleted (or earlier on request).

How can I export my data?

Use built-in export functionality (JSON, CSV format) or request a database dump at bg@floreal.ai.

Do you keep any data after deletion?

Only if required by law (tax, accounting). Anonymized audit logs may be retained for compliance. All other data is permanently deleted.

Security Measures

What encryption do you use?

TLS 1.2+ for data in transit. AES-256 for data at rest. All database connections encrypted.

How do you prevent unauthorized access?

Role-based access control (RBAC), automatic session timeout, API authentication with secure tokens, and principle of least privilege.

What infrastructure security do you have?

AWS EU infrastructure, DDoS protection (AWS Shield).

Do you perform security testing?

Third-party penetration testing, automated vulnerability scanning, code reviews before deployment, and protection against the OWASP Top 10 (Q1 2026).

Are you SOC 2 certified?

Working toward SOC 2 Type II certification (target within 6 months). Also pursuing ISO 27001.

How do you train employees on security?

Regular security training, confidentiality agreements, background checks for staff with data access, incident response drills.

Data Breaches & Incidents

What if there's a data breach?

We notify you within 24 hours via email with details about what happened, what data was affected, and our response actions.

What information will you provide in a breach?

Nature of incident, types of data affected, number of people impacted, immediate actions taken, and contact for questions.

How do you respond to security incidents?

Immediate containment, thorough investigation, root cause remediation, rolling updates to customers, notification to authorities if required.

Do you have an incident response plan?

Yes. Comprehensive incident response procedures with 24-hour breach notification.

Will you notify supervisory authorities?

Yes, within 72 hours if required by GDPR. We'll also assist with your own notification obligations.

Legal Rights (GDPR & CCPA)

What are my GDPR rights?

Access, rectification, erasure ("right to be forgotten"), restriction, data portability, object to processing, withdraw consent.

What are my CCPA rights?

Right to know what data we collect, right to delete, right to opt-out of sale (we don't sell data), right to non-discrimination.

How do I exercise my rights?

Email bg@floreal.ai or use account settings. We respond within 30 days (GDPR) or 45 days (CCPA).

Can I get a copy of my data?

Yes (Right of Access). Request at bg@floreal.ai or export via account settings. Provided in JSON or CSV format within 30 days.

Can I transfer my data to another service?

Yes (Right to Data Portability). We provide data in machine-readable format (JSON, CSV) for transfer to another controller.

Can I object to processing?

Yes, you can object to processing based on legitimate interests. For direct marketing, we honor objections immediately.

How do I complain about data handling?

Contact us at bg@floreal.ai first. You can also file a complaint with your local data protection authority (CNIL in France, ICO in the UK).

Subprocessors & Third Parties

Who are your subprocessors?

AWS (hosting), OpenAI (AI), Pinecone (search), Stripe (payments), Customer.io (email), Twilio (phone), BAAS (transcription), Gladia (audio).

Why do you use subprocessors?

To provide specialized services (cloud hosting, AI processing, payments) more efficiently than building in-house.

Are subprocessors GDPR compliant?

Yes. All subprocessors sign Data Processing Agreements (DPAs) with Standard Contractual Clauses for international transfers.

Can I object to a subprocessor?

Yes. We notify you 30 days before adding new subprocessors. You have 15 days to object on reasonable data protection grounds.

Where can I see the complete subprocessor list?

Compliance & Certifications

Are you GDPR compliant?

Yes. We comply with GDPR, including data subject rights, security requirements, breach notification, and international transfer safeguards.

Are you CCPA compliant?

Yes. We comply with CCPA as a Service Provider. We don't sell personal data and honor all California consumer rights.

Do you have an EU representative?

Yes. Benjamin Gabay, 30 rue René Boulanger, 75010 Paris, France. Email: bg@floreal.ai

What certifications do you have?

Working toward SOC 2 Type II and ISO 27001 (target within 6 months). Currently conducting annual penetration testing.

Can you provide audit reports?

Yes. Contact bg@floreal.ai for security documentation, compliance summaries, or to schedule an audit (once per year with 30 days notice).

What is your Data Protection Officer contact?

Benjamin Gabay, EU Representative. Email: bg@floreal.ai. Response time: 3-5 business days.

Platform Usage

What cookies do you use?

Essential cookies (authentication, security), analytics cookies (Google Analytics, Customer.io), and preference cookies (language, UI settings).

Can I opt out of cookies?

Yes, for non-essential cookies. Use browser settings or our cookie consent banner. Essential cookies are required for service operation.

Do you track my activity?

We collect usage data (pages visited, features used, search queries) for analytics and platform improvement. IP addresses may be used by Google Analytics only on the non-logged-in part of the site.

What logs do you keep?

API access logs, error logs, security event logs, audit trails. CloudWatch logs retained 14 days. Audit trails retained for compliance (7 years).

How long do you cache search results?

Search results cached for 30 days, then automatically expired. No permanent storage of search queries.

Still Have Questions?

Contact our Data Protection Officer

Benjamin Gabay

EU Representative

bg@floreal.ai