Trust & data protection
Built so your DPO can say yes — fast.
C’noté handles a school's parent communication, so we built it the way a data-protection officer would want: in Europe, grounded in what the school actually wrote, and documented before your pilot begins.
The four promises
What we guarantee, in writing.
In Europe, end to end.
Hosting in France, AI inference in Paris. Your school's data and our processing stay in the EU. Honest caveat, stated plainly: some of our inference provider's operational metadata — billing, monitoring — may transit non-EU vendors under EU Standard Contractual Clauses. The inference itself stays in Paris. We say "inference runs in Europe," never "exclusively in Europe."
Never trained on your data.
No school, parent, or student data is ever used to train an AI model — contractually guaranteed. The only AI-side retention is a short abuse-monitoring window at our inference provider.
It can't make things up.
C’noté only restates what the school actually wrote, links each point to its source, and refuses to guess. Every parent-facing message is logged and auditable.
You're the controller; we're the processor.
You keep ownership, audit rights, and the right to request deletion of any data. Parents self-serve opt-out and language — zero tickets for your office; deletion is a request we honour within 30 days.
Compliance at a glance
Everything your DPO will check for.
GDPR (EU 2016/679) + Swiss nDSG (FADP 2023) · EU hosting (France) · EU inference (Paris) · DPA signed before your pilot · sub-processor list published · breach notification within 72h · data deleted or returned within 30 days of offboarding · full audit log.
| Sub-processor | Role | Region |
|---|---|---|
| OVH SAS (OVH Groupe SA) | Hosting & infrastructure — VPS, database, inbound mail, attachments | Gravelines (GRA), France · EU |
| Mistral AI SAS (La Plateforme) | AI inference — all processing tiers | Paris, France · EU |
| WhatsApp Ireland Ltd (Meta) — Business Platform / Cloud API | Message delivery to parents | Ireland · EEA † |
| GoatCounter (Martin Tournoij — open source) | Cookieless analytics, consent-gated | Ireland · EU |
| Infomaniak Network SA | Outbound / transactional email & DNS | Geneva, Switzerland |
† WhatsApp Ireland Limited is the EEA controller; some message-delivery processing takes place at Meta Platforms, Inc. and WhatsApp LLC in the United States under the EU–US Data Privacy Framework and Standard Contractual Clauses, with EU data localisation enabled where available.
How data moves
Plainly, end to end.
Your school forwards parent emails to a private @cestnote.ch address — no account, no sign-in, no access to your inbox. We read and summarise them in the EU, and deliver each parent's note over WhatsApp, sharing only what concerns their own child. Source emails never leave our European servers.
What you can ask for
Before the demo ends.
The full security pack, the data-flow diagram, the current sub-processor list, and the data-processing agreement — all available before the demo ends.