GDPR Compliance

Privacy Policy

Data protection & GDPR compliance

Moriah is committed to safeguarding your privacy and, more broadly, to protecting your personal data. Any data collected and processed in the context of our services is handled in accordance with the terms outlined in our contractual agreements.

In this respect, Moriah complies with both EU and French data protection laws, primarily the EU Regulation 2016/679 (“GDPR”) and French Law No. 78-17 (“Informatique et Libertés”).

From inception, we have implemented protective measures in accordance with the Privacy by Design principle outlined in Article 25 of the GDPR. In particular, Moriah has:

  • Documented its data processing activities through internal registers (Article 30, GDPR),
  • Ensured data minimization—only processing what is strictly necessary (Article 5, GDPR),
  • Informed data subjects transparently, as required under Articles 12 and following of the GDPR,
  • Implemented processes to handle data subject requests (Articles 15 and following of the GDPR),
  • Adopted appropriate technical and organizational measures for data protection (Article 32, GDPR).

Data privacy compliance is a top priority for all members of Moriah, especially for Alexis and Raphaël.


Concrete Measures Implemented

1) Internal Procedures

1.1. Record of Processing Activities

As required under Article 30 of the GDPR, Moriah has maintained a register of processing activities since January 2023 (starting with the issuance of the company's first payslip).

1.2. Data Security

In line with Article 32 of the GDPR and CNIL recommendations, we have implemented the following safeguards:

  • User authentication (Sheet 2)
  • Access rights and permissions management (Sheet 3)
  • Access logging and incident handling (Sheet 4)
  • Data backup and business continuity planning (Sheet 10)
  • Secure archiving (Sheet 11)
  • Maintenance and data disposal protocols (Sheet 12)
  • Secure development practices (Sheet 16)
  • Data encryption, integrity, and digital signatures (Sheet 17)

Each of these actions has been implemented both technically and through team training.


2) Vendor Compliance (Article 28, GDPR)

As per Article 28 of the GDPR, we ensure that all our vendors comply with data protection regulations. We have distinct and formal contracts with each one:

  • OVH (Cloud Services) — contract signed December 2022
  • 8Base (Backend Services) — contract signed December 2022
  • WhatsApp (Messaging Services) — contract signed December 2022

3) Data Processing Agreements with Clients

When required or requested, we sign Data Processing Agreements (DPAs) with our clients, based on either their standard template or ours.


4) Transparency with Data Subjects

We transparently inform individuals whose data is processed, in compliance with Articles 12 and following of the GDPR.

4.1. Data Collected

We collect data from the following sources:

  • CRM systems
  • Product usage data (e.g., via Amplitude, Mixpanel)
  • Marketing platforms
  • Customer support tickets
  • Billing information
  • NPS (Net Promoter Score)

For a complete breakdown, refer to the document titled Data List, which reflects the joint audit we've conducted.

4.2. Purpose of Processing

Data is retained for the duration of the commercial relationship and for three years thereafter.

Individuals have the right to exercise their GDPR rights (Articles 15 and beyond), including access, rectification, erasure, objection, restriction, data portability, and the right to define post-mortem data handling instructions.