
GDPR Compliance Statement

Last updated: 26 April 2026

Our Commitment

Cortex AI (CFO Digital Europe SARLS) is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). As a Luxembourg-registered entity, we are subject to both GDPR and the Luxembourg Data Protection Act of 1 August 2018. Data protection is not a checkbox for us — it is a core part of how we build and deliver AI solutions.

1. Data Protection by Design and Default

All AI systems we build for clients are designed with data minimisation, purpose limitation, and privacy by default as core principles. We conduct Data Protection Impact Assessments (DPIAs) for any AI project that involves high-risk processing of personal data, as required by GDPR Article 35.

2. EU Data Residency

We exclusively use EU-hosted infrastructure for all client data processing:

  • OVHcloud (France/Germany) — primary cloud infrastructure
  • Scaleway (France) — AI model hosting and inference
  • Mistral AI (France) — EU-native LLM provider

No client data is transferred to US-based cloud providers (AWS, Azure, GCP) without explicit written consent and appropriate safeguards.

3. Data Processing Agreements

We sign Data Processing Agreements (DPAs) with all clients where we process personal data on their behalf, as required by GDPR Article 28. Our standard DPA is available on request. We also maintain DPAs with all our sub-processors.

4. AI-Specific GDPR Considerations

  • Automated decision-making: Where AI systems make or significantly influence decisions about individuals, we ensure appropriate human oversight and provide mechanisms for individuals to contest decisions (GDPR Art. 22).
  • Training data: We advise clients to use only lawfully obtained, appropriately licensed data for AI model training. We do not use client data to train shared models.
  • Explainability: We build AI systems with explainability features so clients can respond to data subjects' requests for information about automated processing.
  • Retention: AI models and associated data are deleted or anonymised at the end of the contract period unless otherwise agreed.

5. Security Measures

We implement appropriate technical and organisational measures including:

  • Encryption at rest and in transit (TLS 1.3, AES-256)
  • Access controls and least-privilege principles
  • Regular security reviews and penetration testing
  • Incident response procedures with 72-hour breach notification capability
  • Staff training on data protection obligations

6. Supervisory Authority

Our lead supervisory authority is the Commission Nationale pour la Protection des Données (CNPD), Luxembourg.

Website: cnpd.public.lu

7. Contact

For GDPR-related inquiries, to request a DPA, or to exercise your data subject rights: [email protected]