Trust & compliance
Security and data protection
The security of your legal documents and the protection of your personal data are at the core of Avocachet’s design. We apply strict technical and organisational measures to guarantee the confidentiality, integrity and availability of your information. Our approach is based on the principle of defence in depth: every layer of our infrastructure, from hosting to storage to authentication, is designed to withstand current threats and anticipate emerging risks. This multi-layered security strategy is continually reassessed in light of the evolving cyber-threat landscape. As a platform dedicated to legal professionals, we understand the sensitive nature of the documents you entrust to us. Every architectural decision is made with the confidentiality requirements of professional secrecy and the ethical obligations of lawyers in mind. We maintain continuous monitoring of regulatory changes and cybersecurity best practices to ensure a level of protection suited to the demands of your profession.
Hosting in France
All your data is hosted in the Azure France Central (Paris) region by Microsoft Azure. This choice ensures that your information remains physically located on French territory, in data centres operated by Microsoft under European jurisdiction. The France Central region facilities benefit from redundant power supplies, precision cooling and fire suppression systems that comply with the strictest industry standards. The data centres are certified ISO 27001 (information security management), ISO 27018 (protection of personal data in the cloud) and SOC 2 Type II (independently audited security, availability and confidentiality controls). These certifications attest that the infrastructure underpinning Avocachet undergoes regular audits by accredited third-party organisations, covering physical security, access management, business continuity and intrusion protection. They cover the cloud infrastructure layer; the protection of the Avocachet application itself rests on the measures described in the following sections.
No data is transferred outside the European Union. Documents, metadata and account information remain on French soil throughout their lifecycle, in line with the digital sovereignty requirements reinforced by the French government’s Cloud de confiance doctrine. This data localisation policy also applies to backups and high-availability replicas, which are stored exclusively in Azure regions located in France. We do not use any technical subcontractor whose servers are located outside the European Economic Area. This exclusively French hosting choice addresses the concerns expressed by the Conseil national des barreaux regarding the storage of data covered by professional secrecy. One point should be stated precisely: localisation places your data under French and EU law, but Microsoft remains a US-headquartered provider, and the US CLOUD Act claims authority over data held by US providers regardless of where it is stored. Hosting in France therefore materially reduces, but does not by itself eliminate, exposure to requests made under extraterritorial legislation.
Data encryption
All communications between your browser and our servers are encrypted with TLS 1.3, with TLS 1.2 retained for older clients. TLS encrypts and authenticates every HTTP request in transit, so data cannot be read or altered between your browser and our servers. Our TLS certificates are issued by a recognised certificate authority and renewed automatically before expiry, so protection is continuous and no service interruption occurs. Documents stored in Azure Blob Storage are encrypted at rest with AES-256, the standard symmetric cipher used by governments and financial institutions to protect classified information. Encryption keys are held in Azure Key Vault, backed by hardware security modules validated to FIPS 140-2 Level 2, so that key material is never exposed in plain text outside the HSM boundary.
User passwords are hashed with bcrypt, whose adaptive cost factor can be raised as hardware improves, keeping brute-force attacks impractical even with considerable computing resources. No password is ever stored in plain text or in any reversible form. Authentication tokens are JSON Web Tokens (JWT) signed with HMAC-SHA256 (HS256), and signing keys are rotated on a planned schedule. Each session is time-limited and automatically invalidated after a configurable period of inactivity. In the event of suspicious login attempts, the system applies a progressive lockout that lengthens the delay between consecutive tries. Together these measures protect account access against the most common attack vectors identified by OWASP, including credential stuffing and session hijacking.
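The three mechanisms in this paragraph (adaptive-cost password hashing, HS256-signed JWTs with key rotation and expiry, progressive lockout) are shown below in plain Python as an added illustration. This is not Avocachet's code, which is not published on this page. bcrypt is not in the Python standard library, so the password section uses hashlib.scrypt as a stand-in with the same adaptive-cost property; the key identifiers, cost parameters, delays and lifetimes are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# --- Password hashing ---------------------------------------------------------
# Stand-in for bcrypt (not in the standard library): scrypt is also an adaptive
# cost function. The stored record carries its cost parameter and salt, never
# the password, so the cost can be raised later without a migration.
SCRYPT_N = 2 ** 14  # assumed cost; raise as hardware gets faster


def hash_password(password: str, n: int = SCRYPT_N) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return f"scrypt${n}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, n, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


# --- HS256 JWT with key rotation ----------------------------------------------
# Constructed keys (a real service loads them from a secret store). Both the
# previous and the current key are kept for verification; only the current one
# signs, so tokens issued just before a rotation stay valid until they expire.
SIGNING_KEYS = {
    "2024-06": secrets.token_bytes(32),  # previous key, verify only
    "2024-09": secrets.token_bytes(32),  # current key, sign and verify
}
CURRENT_KID = "2024-09"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, ttl: int, now: Optional[float] = None,
                kid: str = CURRENT_KID) -> str:
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl}
    signing_input = (_b64(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token unexpired, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_unb64(h_b64))
        if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's choice
            return None
        key = SIGNING_KEYS.get(header.get("kid"))  # unknown or missing kid: reject
        if key is None:
            return None
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s_b64)):
            return None
        payload = json.loads(_unb64(p_b64))
        now = int(time.time() if now is None else now)
        if now >= payload["exp"]:
            return None
        return payload
    except (ValueError, KeyError):
        return None


# --- Progressive lockout ------------------------------------------------------
# Each failure doubles the wait before the next attempt is accepted, up to a cap,
# which throttles credential stuffing without permanently locking the account.
FAILED: dict = {}  # account -> (failure_count, not_before_timestamp)
BASE_DELAY, MAX_DELAY = 1, 300  # seconds (assumed)


def login_allowed(account: str, now: float) -> bool:
    _, not_before = FAILED.get(account, (0, 0))
    return now >= not_before


def record_failure(account: str, now: float) -> float:
    """Register a failed attempt and return the delay imposed before the next one."""
    count, _ = FAILED.get(account, (0, 0))
    count += 1
    delay = min(BASE_DELAY * 2 ** (count - 1), MAX_DELAY)
    FAILED[account] = (count, now + delay)
    return delay


def record_success(account: str) -> None:
    FAILED.pop(account, None)
```

The verifier pins the algorithm to HS256 and looks the key up by the header's kid, which is what makes rotation safe: an attacker cannot downgrade to "none" or point the server at a key it does not hold, and a token issued under the previous key still verifies until it expires.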
GDPR compliance
Avocachet is fully compliant with the General Data Protection Regulation (GDPR, EU Regulation 2016/679). In accordance with the data minimisation principle set out in Article 5(1)(c), we only collect data strictly necessary to operate the service: email address, name, uploaded documents and billing data. No superfluous data is collected, and we do not engage in any profiling or automated decision-making within the meaning of Article 22 of the GDPR. Personal data processing is based on clearly identified legal bases in accordance with Article 6 of the GDPR. The primary processing relies on the performance of the contract for the provision of the document management service. Explicit consent is obtained for analytics cookies via our consent banner compliant with the ePrivacy Directive. Billing data is retained on the basis of legal obligation imposed by French commercial law.
In accordance with Articles 15 to 21 of the GDPR, you have the right to access your personal data, the right to rectify inaccurate information, the right to erasure (right to be forgotten), the right to restrict processing, the right to object and the right to data portability in a structured, machine-readable format. These rights can be exercised at any time by contacting our Data Protection Officer by email, without any particular formality. We commit to responding to any request within one month, in accordance with Article 12(3) of the GDPR (which permits an extension of up to two further months for complex or numerous requests, in which case you will be informed of the delay and the reasons for it). If you believe that the processing of your data constitutes a violation of your rights, you may file a complaint with the CNIL, the competent French supervisory authority for personal data protection.
In the event of a personal data breach, Avocachet commits to notifying the competent supervisory authority (the CNIL) within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, you will be personally informed without undue delay in accordance with Article 34. We maintain a record of processing activities compliant with Article 30, documenting all operations performed on personal data, the categories of data concerned and the security measures implemented. Our internal incident management procedure includes a systematic impact analysis, identification of affected individuals and the implementation of immediate corrective measures to limit the consequences of any detected breach. Incident simulation exercises are conducted regularly to validate the effectiveness of these response procedures.
Data Processing Agreement (DPA)
A Data Processing Agreement compliant with Article 28 of the GDPR is available upon request. This contractual document details Avocachet’s commitments as a processor of your personal data, including processing instructions, technical and organisational security measures, conditions for engaging sub-processors and arrangements for assisting with the exercise of data subject rights. The DPA covers all processing operations carried out by Avocachet on behalf of its clients: document storage, user account management, email notification dispatch and billing data processing. It incorporates the European Commission’s standard contractual clauses for processors (Article 28(7) of the GDPR) and guarantees an audit right enabling the data controller to verify compliance with the commitments made. For law firms subject to specific professional secrecy obligations, additional enhanced confidentiality clauses can be incorporated into the DPA upon request.
Data deletion
You can delete your account and all associated data at any time from your account settings. Deletion is permanent and irreversible. Upon confirmation, an automated process triggers the erasure of all your personal data, uploaded documents and associated metadata. This process complies with the right to erasure provided for in Article 17 of the GDPR. The deletion procedure is logged and subject to internal verification ensuring complete erasure across all storage systems, including caches and search indexes.
After deletion, your documents and personal information are erased from our servers, including backups, within a maximum of 30 days. Billing data is retained in accordance with the statutory accounting obligations set out in Article L123-22 of the French Commercial Code, for a period of 10 years.
Access control
Access to production data is restricted to authorised developers only, via secure connections authenticated with multi-factor authentication (MFA). Every access is logged with a timestamp, operator identifier and the nature of the operation performed. These access logs are retained for 12 months and undergo quarterly internal audits to detect any abnormal or unauthorised activity. At the application level, Avocachet implements a role-based access control (RBAC) model. Each team member is assigned a role that precisely determines the actions permitted on documents and team settings. Shared document portals are protected by unique, non-guessable links, and access can be revoked at any time by the administrator. No data from one team is accessible to members of another team, ensuring strict information compartmentalisation.
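The application-level model described above (per-team roles, strict team compartmentalisation, non-guessable share links that an administrator can revoke) is illustrated below in Python as an added example; it is not Avocachet's code, and the documents, teams, roles and permission sets are constructed sample data. The one design point worth noticing is that the share token is never stored: only its hash is, and that hash doubles as the identifier the administrator revokes.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample data (hypothetical): every document belongs to exactly one
# team, and a user's role is always relative to a team, never global.
DOCUMENTS = {
    "doc-1": {"team": "team-A", "title": "Contract.pdf"},
    "doc-2": {"team": "team-B", "title": "Brief.pdf"},
}
MEMBERS = {  # (user, team) -> role
    ("alice", "team-A"): "admin",
    ("bob", "team-A"): "editor",
    ("carol", "team-B"): "viewer",
}
PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "share", "revoke", "settings"},
}


def can(user: str, action: str, doc_id: str) -> bool:
    """Authorise an action on a document. Membership of the document's own team
    is resolved first, so a role in team A grants nothing on team B's documents."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False
    role = MEMBERS.get((user, doc["team"]))
    return role is not None and action in PERMISSIONS[role]


# Share links: the URL carries a 256-bit random token. Only its SHA-256 digest is
# stored, and that digest is the link identifier shown to administrators, so
# neither the database nor the admin view ever contains a usable link.
SHARE_LINKS: dict = {}  # link_id (sha256 of token) -> record


def link_id_for(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_share_link(user: str, doc_id: str, ttl: int, now: float) -> Optional[str]:
    """Return the secret token for a new link, or None if the user may not share."""
    if not can(user, "share", doc_id):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
    SHARE_LINKS[link_id_for(token)] = {
        "doc": doc_id, "created_by": user, "expires": now + ttl, "revoked": False,
    }
    return token


def resolve_share_link(token: str, now: float) -> Optional[str]:
    """Map a presented token to a document id; None if unknown, revoked or expired."""
    rec = SHARE_LINKS.get(link_id_for(token))
    if rec is None or rec["revoked"] or now >= rec["expires"]:
        return None
    return rec["doc"]


def revoke_share_link(user: str, link_id: str) -> bool:
    """Revocation is immediate; the record is kept, flagged, for the access log."""
    rec = SHARE_LINKS.get(link_id)
    if rec is None or not can(user, "revoke", rec["doc"]):
        return False
    rec["revoked"] = True
    return True
```

Because `can` resolves the team from the document rather than from the caller, there is no code path in which a user's role in one team is consulted for another team's document, which is the property the compartmentalisation claim depends on.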
Contact
For any questions about security, data protection or the exercise of your data rights, you can contact our Data Protection Officer by email. We commit to acknowledging receipt of your request within 48 hours and providing a complete response within one month, in accordance with the GDPR. If you identify a security vulnerability or suspicious behaviour on the platform, we also invite you to report it to the same address; every report is triaged by our technical team within 24 hours of receipt. Transparency and responsiveness are pillars of our commitment to the legal professionals who use Avocachet to manage their sensitive documents, and we publish regular updates on our security policy to keep you informed of any significant changes. Contact details:
- Data Protection Officer: Antony Canut
- contact@mirehub.fr