Legal information
Trust & Security
Effective date: 14 June 2026 — v1.1
This document is legally binding in French only, as required by French law. This English translation is provided for information purposes. For questions, contact security@jefacturebien.fr.
Our commitment
The security and confidentiality of the data entrusted to us are at the heart of jefacturebien.fr's design. Our platform processes tax documents: compliant electronic quotes and invoices. This data requires a rigorous, documented and enforceable level of protection.
Our approach rests on four guiding principles:
- Security by design: security is built into every feature from the design stage, not added afterwards.
- Defense in depth: several independent layers of controls protect each resource. No single mechanism is a point of failure.
- Least privilege: each component and each user only has the access strictly necessary for its function.
- Zero trust: no request is implicitly trusted. Every access is authenticated, authorized and logged.
This document describes our concrete commitments regarding hosting, encryption, access control, integrity, continuity and compliance. It is intended to inform our clients (freelancers, small businesses) and their advisors (accountant, data protection officer).
Hosting and data sovereignty
The entire platform and all processed data are hosted within the European Union.
| Item | Detail |
|---|---|
| Infrastructure provider | Scaleway |
| Location | fr-par datacenter (Paris, France) |
| Legal zone | European Union |
| Transfers outside the EU | None |
jefacturebien.fr carries out no transfer of personal or tax data outside the European Union. Data is stored, processed and backed up exclusively on infrastructure located in France. This sovereignty guarantees the applicability of European law (GDPR) and the absence of exposure to extraterritorial data-access regimes.
Encryption
Data is permanently encrypted, both at rest and in transit.
Encryption at rest
- Columns containing sensitive data (bank details, confidential personal data) are encrypted with AES-256 via the application encryption mechanism.
- Database backups are encrypted.
- Archived documents are stored on encrypted object storage.
Encryption in transit
- All communications with the platform are protected by TLS 1.3.
- No data is exchanged in clear text over the network.
Secrets management
- Configuration secrets (encryption keys, third-party service access) are encrypted and are never exposed on the client side or logged.
Access control and authentication
Multi-tenant isolation
The platform isolates data per account at several levels: an isolation perimeter applied to each request on the application side, combined with Row Level Security (PostgreSQL) in FORCE mode on sensitive tables (invoicing, tax entries). This defense in depth prevents one client from accessing another's data, with application-level and database-level isolation reinforcing each other.
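The database half of that isolation, PostgreSQL Row Level Security in FORCE mode, written out as an added example rather than jefacturebien.fr's own schema; the table, column, setting and role names (invoices, app.current_account_id, app_user) are assumptions.

```sql
-- Added illustration, not the platform's own schema: the table, setting and role
-- names (invoices, app.current_account_id, app_user) are assumptions.
CREATE ROLE app_user LOGIN;
CREATE TABLE invoices (
    id          bigserial PRIMARY KEY,
    account_id  bigint NOT NULL,
    number      text   NOT NULL,
    total_cents bigint NOT NULL
);

-- ENABLE turns policies on for ordinary roles; FORCE also applies them to the table
-- owner, which matters when the application connects as the owning role. Superusers
-- and roles with BYPASSRLS still skip every policy, so the application role must be neither.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the tenant was never set, so the comparison
-- is NULL and a request that forgot to set it sees and writes nothing, not everything.
-- USING filters reads (and the rows UPDATE/DELETE may touch); WITH CHECK constrains writes.
CREATE POLICY tenant_isolation ON invoices
    USING      (account_id = current_setting('app.current_account_id', true)::bigint)
    WITH CHECK (account_id = current_setting('app.current_account_id', true)::bigint);
GRANT SELECT, INSERT, UPDATE ON invoices TO app_user;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_user;

-- Per request, the application pins the tenant for the duration of its transaction only.
BEGIN;
SET LOCAL app.current_account_id = '42';
SELECT id, number FROM invoices;                      -- returns only rows with account_id = 42
INSERT INTO invoices (account_id, number, total_cents)
       VALUES (42, 'F-2026-001', 12000);              -- accepted: matches the tenant
INSERT INTO invoices (account_id, number, total_cents)
       VALUES (7, 'F-2026-002', 500);                 -- rejected: new row violates row-level security policy
ROLLBACK;
```

Because the tenant is set with SET LOCAL, it dies with the transaction and cannot leak to the next request sharing the same pooled connection.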
Authentication
| Mechanism | Implementation |
|---|---|
| TOTP MFA | Mandatory for administrator accounts |
| Sessions | HttpOnly cookies, CSRF protection |
| Rate limiting | Per IP, per user and per endpoint |
Two-factor authentication (TOTP) is enforced for any account with administration privileges.
Integrity and immutability
jefacturebien.fr guarantees the integrity and immutability of tax documents through a chain of reinforced technical controls.
ISCA integrity chain
- Each tax entry is recorded in an immutable ledger chained by SHA-256 hash (Integrity, Security, Conservation, Archiving).
- Anti-mutation PostgreSQL triggers prevent, at the database engine level, any modification or deletion of an entry already recorded.
- The integrity of the chain is verifiable at any time; any break is detected.
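The three points above (a SHA-256-chained ledger, anti-mutation triggers and a verification that detects any break), shown together as an added PostgreSQL example that is not the platform's implementation; table, column and function names are assumptions and the pgcrypto extension supplies digest().

```sql
-- Added illustration, not the platform's own implementation: table, column and
-- function names are assumptions. Requires the pgcrypto extension for digest().
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE ledger (
    seq         bigserial   PRIMARY KEY,
    account_id  bigint      NOT NULL,
    payload     jsonb       NOT NULL,
    recorded_at timestamptz NOT NULL DEFAULT now(),
    prev_hash   text        NOT NULL,
    entry_hash  text        NOT NULL
);
-- One hashing rule shared by the insert trigger and the verification query. jsonb::text is
-- canonical and the epoch is timezone-independent, so every session recomputes the same hash.
CREATE FUNCTION ledger_hash(prev text, account bigint, ts timestamptz, body jsonb)
RETURNS text LANGUAGE sql STABLE AS $$
    SELECT encode(digest(prev || '|' || account::text || '|' || extract(epoch FROM ts)::text
                         || '|' || body::text, 'sha256'), 'hex')
$$;
-- Each entry commits to the previous entry's hash; the first entry chains to 64 zeros.
-- The advisory lock serialises concurrent inserts so no two rows share a predecessor.
CREATE FUNCTION ledger_chain() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('ledger'));
    SELECT entry_hash INTO NEW.prev_hash FROM ledger ORDER BY seq DESC LIMIT 1;
    NEW.prev_hash  := COALESCE(NEW.prev_hash, repeat('0', 64));
    NEW.entry_hash := ledger_hash(NEW.prev_hash, NEW.account_id, NEW.recorded_at, NEW.payload);
    RETURN NEW;
END $$;
CREATE TRIGGER ledger_chain_on_insert BEFORE INSERT ON ledger
    FOR EACH ROW EXECUTE FUNCTION ledger_chain();
-- Anti-mutation: the engine refuses UPDATE, DELETE and TRUNCATE whatever SQL the client sends.
CREATE FUNCTION ledger_block_mutation() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'ledger is append-only: % rejected', TG_OP;
END $$;
CREATE TRIGGER ledger_no_row_change BEFORE UPDATE OR DELETE ON ledger
    FOR EACH ROW EXECUTE FUNCTION ledger_block_mutation();
CREATE TRIGGER ledger_no_truncate BEFORE TRUNCATE ON ledger
    FOR EACH STATEMENT EXECUTE FUNCTION ledger_block_mutation();
-- Verification, runnable at any time: recompute every hash and re-check every link.
-- The query returns the first row at which the chain is broken, or nothing if it is intact.
SELECT seq FROM (
    SELECT seq, prev_hash, entry_hash,
           LAG(entry_hash, 1, repeat('0', 64)) OVER (ORDER BY seq) AS expected_prev,
           ledger_hash(prev_hash, account_id, recorded_at, payload)  AS recomputed
      FROM ledger) c
 WHERE prev_hash <> expected_prev OR entry_hash <> recomputed
 ORDER BY seq LIMIT 1;
```

Triggers bind only roles that cannot disable or drop them, so the application must connect as a role that neither owns the table nor holds superuser rights. Removing the most recent entry leaves no broken link for this query to find; covering that case is the job of an external anchor such as the timestamped closings described in the next section.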
jefacturebien.fr is self-certified on the basis of an internal tax compliance attestation. The platform is not NF525-certified.
Timestamping and anchoring
- Closings are anchored via OpenTimestamps on the Bitcoin blockchain (best-effort, a free and public additional layer). An anchoring failure never affects the integrity guaranteed by the internal chain.
Reliable Audit Trail (PAF, Piste d'Audit Fiable)
- The platform materializes a Reliable Audit Trail in accordance with Article 289 of the French General Tax Code, ensuring documented traceability of the flow between the transaction and the invoice.
Probative-value archiving
| Feature | Value |
|---|---|
| Technology | Object storage in Object Lock COMPLIANCE mode |
| Retention period | 11 years |
| Mode | Read-only, immutable |
Invoices are kept 11 years in immutable read-only mode: once written, they cannot be modified or deleted, including by an administrator, throughout the legal retention period.
Backups and continuity
| Item | Detail |
|---|---|
| Database | Daily and hourly encrypted backups |
| Retention | 30 days |
| Monitoring | Automatic backup freshness alert |
Backups are encrypted and kept for 30 days, with an hourly frequency to minimize potential data loss (RPO). An automatic freshness alert mechanism immediately notifies our teams in the event of a backup failure, ensuring rapid detection of any anomaly.
The platform relies on Scaleway's managed infrastructure, supplemented by continuous monitoring and alerting via Sentry, hosted in the European Union.
Application and supply-chain security
The security of our software chain is continuously monitored, on every code change.
| Control | Tool / Mechanism |
|---|---|
| Dependency audit | Dependabot, composer audit, npm audit |
| Static analysis (SAST) | CodeQL |
| Vulnerabilities & secrets | Trivy (dependency CVEs, secret detection) |
| Software inventory | SBOM in CycloneDX format |
| License compliance | Automated license check |
| Integration pipeline | Blocking CI on any HIGH or CRITICAL vulnerability |
No production release is possible if a HIGH or CRITICAL severity vulnerability is detected: our continuous integration automatically blocks deployment. Software inventories (SBOM) are continuously generated to ensure the traceability of every third-party component.
Compliance and certifications
Current compliance
| Framework | Status |
|---|---|
| GDPR (EU Regulation 2016/679) | Compliant — DPA (Article 28) available on request |
| Factur-X / EN 16931 | Compliant electronic invoice format |
| EU hosting | 100% European Union, no transfer outside the EU |
A Data Processing Agreement (DPA) compliant with Article 28 of the GDPR, governing our role as processor and the list of our sub-processors, is available to our clients.
Planned certifications
For the sake of transparency, we clearly distinguish our achieved compliance from our ongoing efforts. The items below are planned and have not yet been obtained:
| Initiative | Target date |
|---|---|
| External penetration test (pentest) | Q3 2026 |
| ISO 27001 gap assessment | Q3 2026 |
| ISO 27001 certification | In preparation |
| SOC 2 Type II | 2027 |
We claim no ISO 27001 or SOC 2 certification to date. These initiatives are underway and their progress will be communicated.
Incident management and reporting
Incident response plan
Our security incident management process follows a structured cycle:
Detection → Containment → Eradication → Recovery → Post-mortem
Each incident is subject to a post-mortem analysis intended to durably strengthen our controls.
Data breach notification
| Commitment | Deadline |
|---|---|
| Notification to the Client | Within 24 hours of qualification |
| Notification to the CNIL (by the Client as data controller) | Within 72 hours (GDPR, Article 33) |
In the event of a personal data breach, we undertake to notify the affected Client within 24 hours, so as to enable them to fulfill, where applicable, their obligation to notify the CNIL within 72 hours provided for in Article 33 of the GDPR.
Vulnerability reporting (responsible disclosure)
We welcome security reports made responsibly. If you identify a potential flaw, contact us at security@jefacturebien.fr. We undertake to acknowledge receipt, investigate and fix confirmed vulnerabilities as quickly as possible. Please do not publicly disclose a vulnerability before it has been fixed.
Your rights and contacts
| Subject | Contact |
|---|---|
| Security, vulnerability reporting | security@jefacturebien.fr |
| Data Processing Agreement (DPA) | dpa@jefacturebien.fr |
| Personal data protection (DPO) | dpo@jefacturebien.fr |
For any question relating to our security commitments, the platform's compliance, or to obtain our documentation (DPA, SBOM, security sheet), our teams are at your disposal at the addresses above.
Trust & Security — QR Communication SAS — jefacturebien.fr
QR Communication SAS — 23 rue de Richelieu, 75001 Paris, France. Security contact: security@jefacturebien.fr — Website: https://jefacturebien.fr