Your identity provider, under European jurisdiction.
Obexal is designed in the European Union and hosted in France, with no dependency outside the EU in the request path. One legal regime, one place your data lives, and controls built to support your compliance work.
The problem with a US-anchored identity layer
Your directory holds every employee, every access, every audit trail. Where it lives, and which law governs it, is not a detail.
CLOUD Act reach
US law can compel a US provider to hand over data in its possession, custody or control, wherever that data physically sits. An EU data center owned by a US parent does not remove that exposure.
Extraterritoriality
When your identity provider answers to a foreign jurisdiction, access decisions about your workforce can be shaped by rules you never agreed to.
Schrems II
Transfers of personal data to the US carry legal uncertainty. Keeping the data and the operator inside the EU removes the transfer from the equation.
Split accountability
Multiple providers across regions and legal regimes make a coherent answer to your DPO harder to give. One EU operator is one clear line of accountability.
What sovereign means here, concretely
Hosted in France, no dependency outside the EU
Sovereignty is not a slogan on this page. It is a set of choices you can inspect: where the software runs, what it calls out to, and which law governs it.
- Hosted in France, in a datacenter in the Paris region
- Data residency in the EU, no dependency outside the EU in the request path
- Self-hosted fonts, no external CDN, no third-party tracker on the sign-in experience
- GDPR treated as a design constraint, not an afterthought
- Multi-tenant isolation with per-tenant branding and domains
Controls that support your compliance
Obexal does not self-certify against every framework. It gives you the technical controls a compliance program needs, and the evidence to back them. Each card links to the page with the detail.
Audit trail
Every sensitive action is recorded and exportable, with a real-time stream endpoint you can wire into your SIEM.
Policy as code
Conditional access is versioned, simulated against 30 days of real sign-ins before it applies, and restorable to any version.
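The simulate-before-apply idea in this card, as an added illustration: it is not Obexal's policy engine, and the policy schema, the sign-in fields, the 30-day window and the sample sign-ins are all assumptions constructed for the example. Two versions of one tenant policy are replayed against the same recent sign-ins, the outcomes are diffed, and a rollout guard refuses the change if it would have locked out too large a share of real traffic.

```python
"""Dry-run a conditional-access policy change against recent sign-ins.

Added illustration of "simulate before apply"; not Obexal's policy engine.
The policy schema, the sign-in fields, the 30-day window and the sample
sign-ins below are assumptions constructed for this example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str
    device_managed: bool
    mfa: str          # "none", "email", "totp" or "passkey"
    when: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[SignIn], bool]
    effect: str       # "allow", "step_up" or "deny"


@dataclass(frozen=True)
class Policy:
    version: int
    rules: tuple[Rule, ...]   # evaluated in order; the first matching rule wins


MFA_STRENGTH = {"none": 0, "email": 1, "totp": 2, "passkey": 3}
ALLOWED_COUNTRIES = {"FR", "DE", "BE"}   # assumed allow-list introduced in version 2

# Two versions of the same tenant policy; keeping every version is what makes rollback possible.
POLICY_V1 = Policy(1, (
    Rule("unmanaged device", lambda s: not s.device_managed, "step_up"),
))
POLICY_V2 = Policy(2, (
    Rule("outside allowed countries", lambda s: s.country not in ALLOWED_COUNTRIES, "deny"),
    Rule("unmanaged device", lambda s: not s.device_managed, "step_up"),
    Rule("weaker than TOTP", lambda s: MFA_STRENGTH[s.mfa] < MFA_STRENGTH["totp"], "step_up"),
))
VERSIONS = {1: POLICY_V1, 2: POLICY_V2}


def evaluate(policy: Policy, s: SignIn) -> str:
    """Return the decision the policy would take for one sign-in."""
    for rule in policy.rules:
        if rule.matches(s):
            return rule.effect
    return "allow"


def simulate(old: Policy, new: Policy, history: list[SignIn],
             now: datetime, window_days: int = 30) -> dict:
    """Replay sign-ins from the last `window_days` under both versions and diff the outcomes."""
    cutoff = now - timedelta(days=window_days)
    recent = [s for s in history if s.when >= cutoff]
    transitions: Counter[str] = Counter()
    newly_denied: set[str] = set()
    for s in recent:
        before, after = evaluate(old, s), evaluate(new, s)
        if before != after:
            transitions[f"{before}->{after}"] += 1
            if after == "deny":
                newly_denied.add(s.user)
    return {
        "from_version": old.version,
        "to_version": new.version,
        "considered": len(recent),
        "changed": sum(transitions.values()),
        "transitions": dict(transitions),
        "newly_denied_users": sorted(newly_denied),
    }


def safe_to_apply(report: dict, max_newly_denied_fraction: float = 0.05) -> bool:
    """Block the rollout when the new version would have locked out too many recent sign-ins."""
    if report["considered"] == 0:
        return False   # no evidence at all: refuse rather than assume the change is harmless
    denied = sum(n for k, n in report["transitions"].items() if k.endswith("->deny"))
    return denied / report["considered"] <= max_newly_denied_fraction


# Constructed sample history (not real data); the 40-day-old event falls outside the window.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
HISTORY = [
    SignIn("alice", "FR", True, "passkey", NOW - timedelta(days=1)),
    SignIn("bob", "US", True, "totp", NOW - timedelta(days=2)),
    SignIn("carol", "DE", False, "totp", NOW - timedelta(days=5)),
    SignIn("dave", "FR", True, "email", NOW - timedelta(days=10)),
    SignIn("bob", "US", True, "totp", NOW - timedelta(days=29)),
    SignIn("erin", "GB", True, "passkey", NOW - timedelta(days=40)),
]

if __name__ == "__main__":
    report = simulate(VERSIONS[1], VERSIONS[2], HISTORY, NOW)
    print(report)
    print("safe to apply:", safe_to_apply(report))
```

The guard is the part worth copying: a simulation that only reports counts is easy to ignore, while one that refuses to apply a version whose newly denied share exceeds a threshold turns the 30-day replay into an actual control. Here version 2 would have denied two of five recent sign-ins, so the rollout is blocked until the country allow-list is revisited.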
Human oversight of agents
Scoped AI agent identities with a scope ceiling, a TTL cap, an attested review and an immediate kill switch.
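The four controls named in this card (scope ceiling, TTL cap, attested review, kill switch), as an added illustration of how they fit together; this is not Obexal's token format or API. The HMAC-signed token layout, the ceiling, the cap, the signing key and the sample clock are assumptions constructed for the example.

```python
"""Scoped, time-bounded agent credentials with a kill switch.

Added illustration, not Obexal's implementation. The token layout, the
scope ceiling, the TTL cap and the signing key are assumptions.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timedelta, timezone

SCOPE_CEILING = frozenset({"tickets:read", "tickets:comment", "calendar:read"})  # assumed ceiling
TTL_CAP = timedelta(hours=4)                                                   # assumed cap
SIGNING_KEY = b"example-only-key-not-for-production"                          # constructed
REVOKED: set[str] = set()   # grant ids hit by the kill switch; a shared store in practice


class GrantError(ValueError):
    """Raised when a request breaks the ceiling, the cap or the review requirement."""


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_grant(agent: str, scopes: set[str], ttl: timedelta,
                reviewed_by: str | None, now: datetime) -> str:
    """Mint a grant; every limit is enforced at issue time, never left to the caller."""
    if not reviewed_by:
        raise GrantError("a named human reviewer must attest the grant")
    excess = set(scopes) - SCOPE_CEILING
    if excess:
        raise GrantError(f"scopes exceed the ceiling: {sorted(excess)}")
    if ttl > TTL_CAP:
        raise GrantError(f"ttl {ttl} exceeds the cap {TTL_CAP}")
    payload = {
        "gid": uuid.uuid4().hex,
        "sub": agent,
        "scp": sorted(scopes),
        "rev": reviewed_by,
        "iat": int(now.timestamp()),
        "exp": int((now + ttl).timestamp()),
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()).decode()
    return f"{body}.{_sign(body)}"


def decode(token: str) -> dict | None:
    """Return the payload if the signature verifies, else None."""
    body, _, sig = token.rpartition(".")
    if not body or not hmac.compare_digest(_sign(body), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def kill(token: str) -> None:
    """Kill switch: revoke the grant now, regardless of its remaining TTL."""
    payload = decode(token)
    if payload is not None:
        REVOKED.add(payload["gid"])


def authorize(token: str, scope: str, now: datetime) -> tuple[bool, str]:
    """Decide one action. Order matters: integrity, revocation, expiry, then scope."""
    payload = decode(token)
    if payload is None:
        return False, "bad signature"
    if payload["gid"] in REVOKED:
        return False, "revoked by kill switch"
    if now.timestamp() >= payload["exp"]:
        return False, "expired"
    if scope not in payload["scp"]:
        return False, "scope not granted"
    return True, "ok"


NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)   # constructed clock


def demo() -> list[str]:
    """Walk one grant through its life and return the decision reasons."""
    token = issue_grant("triage-bot", {"tickets:read"}, timedelta(hours=1), "alice", NOW)
    out = [authorize(token, "tickets:read", NOW)[1],
           authorize(token, "tickets:comment", NOW)[1],                   # never granted
           authorize(token, "tickets:read", NOW + timedelta(hours=2))[1]]  # past exp
    kill(token)
    out.append(authorize(token, "tickets:read", NOW)[1])                 # revoked
    try:
        issue_grant("triage-bot", {"tickets:delete"}, timedelta(hours=1), "alice", NOW)
    except GrantError as e:
        out.append(str(e))
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two design points carry over to any real deployment: the revocation check runs before the expiry check, so a killed grant is dead even while its TTL is still valid, and the ceiling is applied when the grant is issued rather than when it is used, so an agent can never hold a scope an attested reviewer did not see.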
Lifecycle governance
SCIM 2.0 in and out, automatic deprovisioning on suspension, failures audited: the directory stays honest.
Strong authentication
Passkeys, TOTP and email codes, with policy-driven step-up. No SMS, by design.
Retention and residency
Data stays in the EU under one legal regime, which simplifies the residency and retention parts of your records of processing.
GDPR, AI Act, NIS2 and DORA
GDPR. Obexal is built so that processing through it can be lawful under the GDPR: data hosted in the EU, no transfer outside the EU in the request path, minimised profile attributes, and audit records that document access decisions. The data processing agreement is published at /legal/dpa/ and the privacy policy at /legal/privacy/; the named list of sub-processors is available via the contact page.
AI Act. Obexal does not claim to be AI Act compliant, and no vendor can grant you that on its own. What Obexal provides is support for the obligations that fall on you when you deploy AI agents: traceability through the audit trail, a kill switch to stop an agent, scoped and time-bounded credentials, and human oversight through attested review and anomaly detection. Compliance remains your responsibility; these controls are there to make it reachable.
NIS2 and DORA. Obexal provides the access control and logging controls those regimes call for; whether NIS2 or DORA applies depends on your status, not ours. We describe what the product does, and leave the legal qualification to your counsel.
Proof, not adjectives
The facts below are what a CISO or a DPO will ask for first. We state them as they are, and keep them current.
- Hosting
- France, datacenter in the Paris region
- Data residency
- European Union
- Transfers outside the EU
- None in the request path, no external CDN, self-hosted fonts
- Legal entity
- A French company being incorporated, [TO BE FILLED IN: SIREN]; the founder answers directly
- Sub-processors
- An EU hosting provider (France) and an EU transactional email provider; named list via the contact page
- Certifications
- Not certified ISO 27001, SOC 2 or HDS to date; ISO 27001:2022 mapping documented; SecNumCloud roadmap under way
- Encryption
- TLS 1.2 minimum (1.3 preferred), application secrets encrypted at rest with AES-256-GCM, passwords hashed with Argon2id
Frequently asked questions
Is Obexal subject to the US CLOUD Act?
Obexal is a European operator: hosted in France in a datacenter in the Paris region, with no dependency outside the EU in the request path, and published by a French company being incorporated. The intent of this design is to keep your data and its operator under European jurisdiction, away from foreign extraterritorial reach.
Do you transfer personal data outside the European Union?
No. Data stays within the EU, which is what removes the Schrems II transfer question from your assessment. Self-hosted fonts and the absence of an external CDN mean the sign-in experience does not call out to external endpoints either.
Are you ISO 27001 or SOC 2 certified?
Not to date, and we say so rather than imply otherwise. An ISO 27001:2022 mapping is documented, and the SecNumCloud roadmap is under way. Request the current security file via the contact page.
Can Obexal say it is AI Act compliant?
No, and we will not. Compliance is a property of your deployment and your organisation, not of a single vendor. Obexal supports your obligations with traceability, scoped agent identities, human oversight, and a kill switch, so the compliance work you owe is reachable.
Where can I get the DPA and the list of sub-processors?
The data processing agreement is published at /legal/dpa/ and the privacy policy at /legal/privacy/. The named list of sub-processors (an EU hosting provider and an EU transactional email provider) is available via the contact page.
What is the legal structure behind Obexal?
Obexal is published by a French company currently being incorporated; the registration number will be published as soon as incorporation completes. Until then, the founder answers directly: the contact page or +33 9 84 25 52 61. We prefer that honest answer to an empty facts table.
Can we keep our own branding and domain?
Yes. Obexal is multi-tenant and white-label: each tenant gets its own branding, its own domains, and a self-service employee portal, all within the same EU-hosted platform. See access management.
Move your identity layer under European jurisdiction.
The security file covers hosting, encryption, sub-processors and certification status, stated as they are.