GDPR — how aiKip protects your data
aiKip is built in compliance with the General Data Protection Regulation (GDPR, EU 2016/679). This page summarizes the technical and organizational measures in place.
Sovereign hosting
All data (PostgreSQL database, CVs, PDF invoices) is hosted at Scaleway in
the fr-par region (Paris, France). Scaleway is a French company not subject to the US CLOUD
Act.
Technical measures
- TLS 1.3 encrypted connections on all pages
- Passwords hashed with bcrypt (12 rounds, unique salt per user)
HttpOnly,SameSite=Lax,Securesession cookies in production- Global session invalidation available (
users.lastLogoutAtfield) - Rate limiting on sign-up, login, password reset and the application form
- Short-TTL pre-signed URLs (5 min) for CV downloads
- Strict multi-tenancy: every query filters by
companyId
Automatic anonymization
Applications inactive for more than 24 months are anonymized automatically every night:
- Deletion of name, email, phone, location, summary and CV (S3)
- Deletion of extracted skills, experience and education
- Only the anonymous statistical history (stage, dates) is kept
This anonymization runs via the gdpr-cleanup cron, with no manual action.
Your rights
In line with the GDPR, you have a right of access, rectification, erasure, portability, objection and withdrawal of consent. To exercise them:
- Candidate: use your tracking link received by email, or write to contact@aikip.fr
- Recruiter: from your space or by email to contact@aikip.fr
A reply is provided within 30 days maximum.
You can also, at any time, lodge a complaint with the CNIL (www.cnil.fr).
Accountability
As a processor acting on behalf of client companies, aiKip keeps the register of processing activities carried out on their behalf (art. 30.2 GDPR) and assists each client — the controller — with data protection impact assessments and security (arts. 32 to 36 GDPR). A data-processing agreement (art. 28 GDPR) is available on request at contact@aikip.fr.
Recruiter account deletion
Account deletion is done from the settings space and applies a 30-day grace period during which the operation can be canceled. On expiry, the company and all associated data (jobs, applications, CVs) are permanently erased.
Breach notification
In the event of a data breach likely to create a risk to individuals, aiKip undertakes to notify the CNIL within 72 hours and to inform the affected individuals without undue delay.
GDPR contact
For any question about the processing of your data: contact@aikip.fr or via the contact form.