Trust & data protection

Built so your DPO can say yes — fast.

C’noté handles a school's parent communication, so we built it the way a data-protection officer would want: in Europe, grounded in what the school actually wrote, and documented before your pilot begins.

Request the trust pack Book a demo

The four promises

What we guarantee, in writing.

EU

In Europe, end to end.

Hosting in France, AI inference in Paris. Your school's data and our processing stay in the EU. Honest caveat, stated plainly: some of our inference provider's operational metadata — billing, monitoring — may transit non-EU vendors under EU Standard Contractual Clauses. The inference itself stays in Paris. We say "inference runs in Europe," never "exclusively in Europe."

Never trained on your data.

No school, parent, or student data is ever used to train an AI model — contractually guaranteed. The only AI-side retention is a short abuse-monitoring window at our inference provider.

It can't make things up.

C’noté only restates what the school actually wrote, links each point to its source, and refuses to guess. Every parent-facing message is logged and auditable.

You're the controller; we're the processor.

You keep ownership, audit rights, and the right to request deletion of any data. Parents self-serve opt-out and language — zero tickets for your office; deletion is a request we honour within 30 days.

Compliance at a glance

Everything your DPO will check for.

GDPR (EU 2016/679) + Swiss nDSG (FADP 2023) · EU hosting (France) · EU inference (Paris) · DPA signed before your pilot · sub-processor list published · breach notification within 72h · data deleted or returned within 30 days of offboarding · full audit log.

Sub-processor Role Region
OVH SAS (OVH Groupe SA) Hosting & infrastructure — VPS, database, inbound mail, attachments Gravelines (GRA), France · EU
Mistral AI SAS (La Plateforme) AI inference — all processing tiers Paris, France · EU
WhatsApp Ireland Ltd (Meta) — Business Platform / Cloud API Message delivery to parents Ireland · EEA
GoatCounter (Martin Tournoij — open source) Cookieless analytics, consent-gated Ireland · EU
Infomaniak Network SA Outbound / transactional email & DNS Geneva, Switzerland

† WhatsApp Ireland Limited is the EEA controller; some message-delivery processing takes place at Meta Platforms, Inc. and WhatsApp LLC in the United States under the EU–US Data Privacy Framework and Standard Contractual Clauses, with EU data localisation enabled where available.

How data moves

Plainly, end to end.

Your school forwards parent emails to a private @cestnote.ch address — no account, no sign-in, no access to your inbox. We read and summarise them in the EU, and deliver each parent's note over WhatsApp, sharing only what concerns their own child. Source emails never leave our European servers.

What you can ask for

Before the demo ends.

The full security pack, the data-flow diagram, the current sub-processor list, and the data-processing agreement — all available before the demo ends.

Begin

Bring it to your DPO.

We'll send the security pack, the data-flow diagram, and the data-processing agreement — and answer your data-protection officer's questions in writing.

Request the trust pack