Security, Compliance and Privacy

Trust Center

Security is built into how we operate. We hold the certifications we help our clients achieve, and we run our own SOC, backups and continuity on the same infrastructure we manage for you.

ISO 27001 ISO 27017 ISO 27701 SOC 2 Type II ExpertCyber
Verified

Certifications and attestations

ISO27001 - Information Security Management

ISO 27001

Information security management (ISMS)

Renewed May 2026, valid to May 2029

ISO27017

ISO 27017

Security controls for cloud services

Renewed May 2026, valid to May 2029

ISO27701 - Privacy Information Management

ISO 27701

Privacy information management (PIMS)

Renewed May 2026, valid to May 2029

SOC 2 Type 2

SOC 2 Type II

Service organization controls report

Report period March 2025 to February 2026

ExpertCyber

ExpertCyber

Recognized French cybersecurity provider

Renewed July 2026, valid to July 2028

Independent Validation

Penetration testing

Independent penetration tests on a regular cadence.

Continuous vulnerability scanning

Ongoing automated scanning across our assets, backed by Argos.

External surveillance audits

Annual ISO and SOC 2 audits by our accredited certification bodies.

Red Team exercises

Adversary-simulation exercises to test detection and response.

How we protect data

Security controls

Access control

SSO and MFA enforced across systems.

Threat monitoring

Managed SOC, monitored 24/7.

Data protection

Encryption and immutable backups.

Resilience

DRaaS and business continuity.

Secure development

EXEO Forge managed DevSecOps.

Vulnerability management

Argos threat intelligence.

Data residency

Customer production workloads and our SOC run in France. Backups are stored in the EU or the UAE according to client preference. Our website is hosted in Paris.

Production · France SOC · France Backups · Strasbourg / Frankfurt / Abu Dhabi Website · Paris
Under NDA where applicable

Documents, access on request

Request the documentation

Transparency

Subprocessors

Subprocessor Purpose Location Transfer safeguard
EXEO group entitiesSupport, operations, infrastructure managementFrance, Greece, Lebanon, UAEIntra-group agreement
SentientEnterprise management: ticketing, HR, recruitmentGCP Belgium (europe-west1)Stays in EU
Kaseya Datto RMMRemote monitoring and managementAWS Sydney, Australia (ap-southeast-2)SCCs (Kaseya DPA)
Kaseya IT GlueDocumentationUSAEU-US DPF
Acronis Backup CloudBackup and data protectionStrasbourg, Frankfurt or Abu Dhabi, per clientEU adequacy, or SCCs for Abu Dhabi
Google WorkspaceEmail and collaborationEuropean Union (Workspace data region)EU-US DPF
ZapierIntegration and automationUSAEU-US DPF
Twilio SendGridTransactional email notificationsUSA, EU residency optionDPF or SCCs, EU residency if enabled

Our SOC runs on a self-hosted Wazuh SIEM in our Paris datacenter, on our own infrastructure.

Website and business tools

Tool Purpose Location
WordPress and Elementor hostingexeo.net websiteParis, France
Copper CRMSales and CRM contact dataUSA (Google Cloud)
Google Analytics, Microsoft Clarity, Leadfeeder, OutfunnelWebsite visitor analyticsVarious, see privacy policy
Recognized and connected

Industry membership

RIPE NCC

RIPE NCC - fr.exeo

The Regional Internet Registry for Europe, the Middle East and parts of Central Asia. As a member, EXEO manages its own IP address space and autonomous system resources.

CCI FranceUAE

CCI France UAE

The French Business Council in the United Arab Emirates, connecting French and Emirati companies. Our membership supports our clients and presence across the Gulf.

CCI France Liban

CCI France Liban

The Franco-Lebanese Chamber of Commerce and Industry, linking French and Lebanese business. Membership reflects our long-standing operations in Lebanon.

ECA Member Logo

European Champions Alliance

A cross-border network of European business and technology leaders. Membership connects EXEO to peers and partners across the continent.

PCA Lebanon Logo

PCA

The Professional Computer Association of Lebanon, the country’s ICT industry body. Membership ties us into Lebanon’s technology sector.

RDCL logo

RDCL

The Lebanese Business Leaders Association (Rassemblement de Dirigeants et Chefs d’Entreprises Libanais), representing private-sector leadership in Lebanon.

Frequently Asked Questions

Customer production workloads and our SOC run in France, on a self-hosted Wazuh SIEM in our Paris datacenter. Backups are stored in the EU (Strasbourg or Frankfurt) or in the UAE (Abu Dhabi) according to your preference. A limited set of SaaS subprocessors operate outside the EU under the EU-US Data Privacy Framework or standard contractual clauses. The full list, with location and safeguard, is in the subprocessor register on this page.

Yes. EXEO holds ISO 27001, ISO 27017 and ISO 27701, SOC 2 Type II, and the ExpertCyber label. We run the same framework internally that we implement for our clients.

Yes. We act as a data processor under GDPR and sign a data processing agreement with every client. Our controls align with NIS 2, and our ISO 27701 certification covers our privacy information management system.

Request them through the documents section on this page. We share the SOC 2 Type II report, the ISO 27001, 27017 and 27701 certificates, the penetration test summary and a completed security questionnaire (SIG or CAIQ), under NDA where applicable.

Our subprocessors are listed in the register on this page, with their purpose, location and transfer safeguard. We keep the register current and notify clients of material changes in line with the data processing agreement, so you can review any new subprocessor.

Yes. We sign a data processing agreement with every client, covering roles, security measures, subprocessors, breach notification, and data return or deletion at the end of the contract.

We follow a defined incident response process. In the event of a personal data breach, we notify affected clients without undue delay, in line with GDPR and the terms of the data processing agreement, and we support your own notification obligations.

Access is controlled with SSO and MFA, data is encrypted in transit and at rest, and backups are immutable. Our managed SOC monitors systems 24/7, and vulnerabilities are tracked through our Argos threat intelligence service.

Contact our security team through the form on this page, or the address published in our security.txt at the domain root. We review every report and respond as quickly as possible.

Yes. As first-line assurance we provide our certifications, the SOC 2 Type II report and completed security questionnaires under NDA. Where these do not fully satisfy your requirements, our data processing agreement provides for a client audit on reasonable notice, no more than once a year except after an incident or a supervisory authority request, subject to confidentiality and our security policies.

Our managed SOC monitors for ransomware indicators around the clock and follows a defined incident response process to isolate and contain affected systems. Immutable backups and DRaaS let us restore clean data, and we support notification and recovery. The approach is built to prevent, detect and recover, not to pay.

Yes. For eligible services you can bring or manage your own encryption keys (BYOK/CMEK), keeping control of the key lifecycle and revocation while EXEO operates the environment. We confirm the exact model and the supported services during onboarding.

Report a vulnerability

Found a security issue? Contact our security team. We publish a security.txt at the domain root and a dedicated security contact address.

Get in touch

We respond within 1 hour on weekdays
Exeo Logo White Transparent

Paris. Beirut. Dubai.