Cervilo
Updated: February 2024

Privacy Policy & GDPR

Transparency and security at the heart of your salary data processing.

1. Preamble and Commitment

At Cervilo, protecting the personal data of our B2B clients and their employees is our absolute priority.

In accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and the French Data Protection Act, this Privacy Policy informs you technically and legally about how we process your data.

2. Data Collected

In the context of using the Cervilo platform (Pay Gap Audit, Index Calculation), we act primarily as a Data Processor. You (the client Company) remain the Data Controller.

Usage data (website): Last Name, First Name, Professional Email, Phone Number, Company, used for account creation and customer support.

HR data processed (SaaS): Data from your payroll files or DSN (age, gender, socio-professional category, classification, base salary, bonuses, hiring date, FTE).

Important note: The anonymization or pseudonymization of direct nominative data is strongly encouraged technically when importing onto our platform.

3. Purposes of Processing

Your data is never sold, rented, or used for cross-advertising purposes. The ingested HR data is strictly limited to the following purposes:

  • Calculation and official editing of the Professional Equality Index (France).
  • Compliance audit of pay gaps according to the criteria of the 2026 European Directive.
  • Predictive budget simulations (HR "Sandbox").
  • Technical support and maintenance of the SaaS platform.

4. Hosting and "Safety by Design"

The entire Server and Database infrastructure of Cervilo is physically hosted within the European Union (Paris, France or Frankfurt, Germany) via ISO 27001, HDS, and SOC 2 certified providers (e.g., AWS Europe, Scaleway, or OVHcloud).

All data in transit (TLS 1.2 minimum) and at rest (AES-256) is encrypted. A strict tenant isolation policy (multi-tenant architecture) formally prevents any cross-referencing of data between our clients.

5. Retention Period

Data relating to the legal and administrative follow-up of a B2B contract is kept for the duration of the commercial relationship, plus 5 years for evidentiary purposes.

Raw payroll data ("source files") imported into the tool to perform a calculation is automatically purged 30 days after the generation of the validated final audit. Only the aggregated results and the Index score are kept as history, upon explicit request from the client.

6. Your Rights (and those of your employees)

Under applicable legislation (Art. 15 to 22 of the GDPR), you have the right of access, rectification, erasure ("right to be forgotten"), as well as the right to data portability and restriction of processing.

To exercise these rights, the Data Controller can directly contact our Data Protection Officer (DPO): privacy@cervilo.com

7. Sub-processors

Cervilo commits to selecting technology providers with absolute rigor. The list of our sub-processors (hosting, transactional email tool) is available to our clients upon request. Any major change requires a 30-day prior notification to the Client with the possibility of opposition.
