Security, Compliance and Privacy
Trust Center
Security is built into how we operate. We hold the certifications we help our clients achieve, and we run our own SOC, backups and continuity on the same infrastructure we manage for you.
Verified
Certifications and attestations
ISO 27001
Information security management (ISMS)
Renewed May 2026, valid to May 2029
ISO 27017
Security controls for cloud services
Renewed May 2026, valid to May 2029
ISO 27701
Privacy information management (PIMS)
Renewed May 2026, valid to May 2029
SOC 2 Type II
Service organization controls report
Report period March 2025 to February 2026
ExpertCyber
Recognized French cybersecurity provider
Renewed July 2026, valid to July 2028
Independent Validation
Penetration testing
Independent penetration tests on a regular cadence.
Continuous vulnerability scanning
Ongoing automated scanning across our assets, backed by Argos.
External surveillance audits
Annual ISO and SOC 2 audits by our accredited certification bodies.
Red Team exercises
Adversary-simulation exercises to test detection and response.
How we protect data
Security controls
Access control
SSO and MFA enforced across systems.
Threat monitoring
Managed SOC, monitored 24/7.
Data protection
Encryption and immutable backups.
Resilience
DRaaS and business continuity.
Secure development
EXEO Forge managed DevSecOps.
Vulnerability management
Argos threat intelligence.
Data residency
Customer production workloads and our SOC run in France. Backups are stored in the EU or the UAE according to client preference. Our website is hosted in Paris.
Public policies
- Privacy and cookie policy
- Information security and privacy policy
- Conflict minerals policy
- Data processing agreement, available on request
Under NDA where applicable
Documents, access on request
- SOC 2 Type II report
- ISO 27001, 27017 and 27701 certificates
- Penetration test summary
- Security questionnaire (SIG / CAIQ)
- Incident response policy
Request the documentation
Transparency
Subprocessors
| Subprocessor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| EXEO group entities | Support, operations, infrastructure management | France, Greece, Lebanon, UAE | Intra-group agreement |
| Sentient | Enterprise management: ticketing, HR, recruitment | GCP Belgium (europe-west1) | Stays in EU |
| Kaseya Datto RMM | Remote monitoring and management | AWS Sydney, Australia (ap-southeast-2) | SCCs (Kaseya DPA) |
| Kaseya IT Glue | Documentation | USA | EU-US DPF |
| Acronis Backup Cloud | Backup and data protection | Strasbourg, Frankfurt or Abu Dhabi, per client | EU adequacy, or SCCs for Abu Dhabi |
| Google Workspace | Email and collaboration | European Union (Workspace data region) | EU-US DPF |
| Zapier | Integration and automation | USA | EU-US DPF |
| Twilio SendGrid | Transactional email notifications | USA, EU residency option | DPF or SCCs, EU residency if enabled |
Our SOC runs on a self-hosted Wazuh SIEM in our Paris datacenter, on our own infrastructure.
Website and business tools
| Tool | Purpose | Location |
|---|---|---|
| WordPress and Elementor hosting | exeo.net website | Paris, France |
| Copper CRM | Sales and CRM contact data | USA (Google Cloud) |
| Google Analytics, Microsoft Clarity, Leadfeeder, Outfunnel | Website visitor analytics | Various, see privacy policy |
Recognized and connected
Industry membership
RIPE NCC - fr.exeo
The Regional Internet Registry for Europe, the Middle East and parts of Central Asia. As a member, EXEO manages its own IP address space and autonomous system resources.
CCI France UAE
The French Business Council in the United Arab Emirates, connecting French and Emirati companies. Our membership supports our clients and presence across the Gulf.
CCI France Liban
The Franco-Lebanese Chamber of Commerce and Industry, linking French and Lebanese business. Membership reflects our long-standing operations in Lebanon.
European Champions Alliance
A cross-border network of European business and technology leaders. Membership connects EXEO to peers and partners across the continent.
PCA
The Professional Computer Association of Lebanon, the country’s ICT industry body. Membership ties us into Lebanon’s technology sector.
RDCL
The Lebanese Business Leaders Association (Rassemblement de Dirigeants et Chefs d’Entreprises Libanais), representing private-sector leadership in Lebanon.
Frequently Asked Questions
Where is our data hosted, and can you keep it in the EU?
Customer production workloads and our SOC run in France, on a self-hosted Wazuh SIEM in our Paris datacenter. Backups are stored in the EU (Strasbourg or Frankfurt) or in the UAE (Abu Dhabi) according to your preference. A limited set of SaaS subprocessors operate outside the EU under the EU-US Data Privacy Framework or standard contractual clauses. The full list, with location and safeguard, is in the subprocessor register on this page.
Is EXEO itself certified, and to what?
Yes. EXEO holds ISO 27001, ISO 27017 and ISO 27701, SOC 2 Type II, and the ExpertCyber label. We run the same framework internally that we implement for our clients.
Do you comply with GDPR and NIS 2?
Yes. We act as a data processor under GDPR and sign a data processing agreement with every client. Our controls align with NIS 2, and our ISO 27701 certification covers our privacy information management system.
How do I get your SOC 2 report and certificates?
Request them through the documents section on this page. We share the SOC 2 Type II report, the ISO 27001, 27017 and 27701 certificates, the penetration test summary and a completed security questionnaire (SIG or CAIQ), under NDA where applicable.
Who are your subprocessors, and how are we notified of changes?
Our subprocessors are listed in the register on this page, with their purpose, location and transfer safeguard. We keep the register current and notify clients of material changes in line with the data processing agreement, so you can review any new subprocessor.
Do you sign a data processing agreement?
Yes. We sign a data processing agreement with every client, covering roles, security measures, subprocessors, breach notification, and data return or deletion at the end of the contract.
How do you handle a data breach?
We follow a defined incident response process. In the event of a personal data breach, we notify affected clients without undue delay, in line with GDPR and the terms of the data processing agreement, and we support your own notification obligations.
How is our data protected?
Access is controlled with SSO and MFA, data is encrypted in transit and at rest, and backups are immutable. Our managed SOC monitors systems 24/7, and vulnerabilities are tracked through our Argos threat intelligence service.
How do I report a security vulnerability?
Contact our security team through the form on this page, or the address published in our security.txt at the domain root. We review every report and respond as quickly as possible.
Can I audit EXEO?
Yes. As first-line assurance we provide our certifications, the SOC 2 Type II report and completed security questionnaires under NDA. Where these do not fully satisfy your requirements, our data processing agreement provides for a client audit on reasonable notice, no more than once a year except after an incident or a supervisory authority request, subject to confidentiality and our security policies.
How do you handle ransomware?
Our managed SOC monitors for ransomware indicators around the clock and follows a defined incident response process to isolate and contain affected systems. Immutable backups and DRaaS let us restore clean data, and we support notification and recovery. The approach is built to prevent, detect and recover, not to pay.
Do you support customer-managed encryption keys?
Yes. For eligible services you can bring or manage your own encryption keys (BYOK/CMEK), keeping control of the key lifecycle and revocation while EXEO operates the environment. We confirm the exact model and the supported services during onboarding.
Report a vulnerability
Found a security issue? Contact our security team. We publish a security.txt at the domain root and a dedicated security contact address.

