← Journal
FR EN NL
Trust · Technical · May 02, 2026 · 7 min read

GDPR by design: our stack in 5 decisions

"We're GDPR compliant." That's what all our competitors say. Here are the 5 questions that make the difference.

"We're GDPR compliant."

That's the line you hear in 100% of AI vendor demos. The real subject isn't the phrase: it's the operational proof behind hosting, subprocessors, access and reversibility.

The problem is that "GDPR compliant" has no precise legal definition. It's a statement. Not a commitment. Not an audit. Not a contract.

Here are the five questions we ask every customer who evaluates us — and that we encourage you to ask any AI vendor. Alongside, our own answers.

Question 1 — Where is the data stored?

The wrong answer. "On AWS." (Implied: we're not really sure in which region, and that's a problem.)

Our answer. Hosting options are framed at contract signing, with a preference for European infrastructures like OVHcloud and Scaleway when the customer's scope allows. Subprocessors, processing locations and retention periods are documented in the DPA.

Why it matters: the vendor's country of jurisdiction, its subsidiaries, transfers and subprocessors can change the actual risk level. Geographically European hosting isn't enough: you need a contractual and technical map.

Question 2 — Which model processes my prompts?

The wrong answer. "We use GPT-4." (Implied: your data goes to OpenAI, is potentially logged for 30 days, and you have no control over it.)

Our answer. Hugo, Lea and Maya rely on a combination of self-hosted models (Mistral Large 2, Llama 3.3 70B) deployed on Scaleway infrastructure, and third-party models via sovereign APIs (Mistral La Plateforme, hosted in France) for tasks that warrant it.

By default, we favor models and processing aligned with the framework agreed with the customer. Any routing through a third-party model has to be documented in the DPA, and each customer can request a more restrictive mode if their risk level demands it.

Question 3 — How long do you keep my data?

The wrong answer. "For the duration of our contractual relationship." (Implied: indefinitely, in backups, or to train our models.)

Our answer. Three retention tiers, customer-configurable:

  • Operational data (CVs, call transcripts, audits): retained only as long as strictly necessary for the service, deleted on a configurable trigger (30, 90, 180, 365 days).
  • Technical logs (who did what, when): 13 months maximum, in line with CNIL recommendations for security traceability.
  • Training data: use of customer data for training is excluded by default and framed in the DPA. If a specific case were requested, it would be subject to a separate, documented and auditable agreement.

At end of contract: full purge within 30 days, destruction certificate provided.

Question 4 — Who has access to my data on your side?

The wrong answer. "Our support team." (Implied: everyone, when needed, with no traceability.)

Our answer. Three defined roles:

  • L1 support: sees only metadata (volumes, job status, anonymized errors). No access to business data.
  • L2 support: can access business data only after a privilege elevation signed by the customer, logged, and time-limited (4h max, tied to a ticket).
  • Engineering: no production access, except for major incidents, with the agreement of the customer's DPO and ours.

All accesses are logged on an immutable register (append-only, signed), viewable by the customer at any time via the dashboard.

Question 5 — Am I transparent about subprocessors?

The wrong answer. "We have compliant subprocessors." (Implied: we're not really sure which ones, and the list changes without notifying you.)

Our answer. Our public list of sub-subprocessors is permanently available at belogic.ai/dpa/subprocessors. Any change triggers a 30-day email notification to all customer DPOs before going live, with right of objection.

To date, we work with: OVHcloud (hosting), Scaleway (hosting + GPU), Mistral AI (models), Stripe (payments, segregated data), self-hosted Sentry (monitoring, on our infra). That's it.

Why we publish these answers

Because GDPR compliance shouldn't be a sales argument. It should be an industry standard. Until it is, transparency remains a differentiator.

And because our customers are, in large majority, industrial companies, consultancies and mid-market firms who would be wrong to sign with an AI vendor whose infrastructure is invisible.

If your current vendor can't answer the five questions above clearly, you know what to do.

And if you want to ask them to BeLogic — by email, on a video call, or in an RFP — our DPO replies within 48 hours. It's dpo@belogic.ai.