Sovereignty and compliance

Your identity provider, under European jurisdiction.

Obexal is designed in the European Union and hosted in France, with no dependency outside the EU in the request path. One legal regime, one place your data lives, and controls built to support your compliance work.

The problem with a US-anchored identity layer

Your directory holds every employee, every access, every audit trail. Where it lives, and which law governs it, is not a detail.

Cloud Act reach

US law can compel a US provider to hand over data it controls, wherever that data physically sits. An EU data center owned by a US parent does not remove that exposure.

Extraterritoriality

When your identity provider answers to a foreign jurisdiction, access decisions about your workforce can be shaped by rules you never agreed to.

Schrems II

Transfers of personal data to the US carry legal uncertainty. Keeping the data and the operator inside the EU removes the transfer from the equation.

Split accountability

Multiple providers across regions and legal regimes make a coherent answer to your DPO harder to give. One EU operator is one clear line of accountability.

What sovereign means here, concretely

Hosted in France, no dependency outside the EU

Sovereignty is not a slogan on this page. It is a set of choices you can inspect: where the software runs, what it calls out to, and which law governs it.

  • Hosted in France, in a datacenter in the Paris region
  • Data residency in the EU, no dependency outside the EU in the request path
  • Self-hosted fonts, no external CDN, no third-party tracker on the sign-in experience
  • GDPR treated as a design constraint, not an afterthought
  • Multi-tenant isolation with per-tenant branding and domains

Request path (diagram): your user, then accounts.obexal.com (hosted in France, Paris region), then the response (no call outside the EU in the request path).

Self-hosted fonts, no external CDN, no third-party tracker on the sign-in screen.

GDPR, AI Act, NIS2 and DORA

GDPR. Obexal is built so that personal data can be processed lawfully under the GDPR: data hosted in the EU, no transfer outside the EU in the request path, minimised profile attributes, and audit records that document access decisions. The data processing agreement is published at /legal/dpa/ and the privacy policy at /legal/privacy/; the named list of sub-processors is available via the contact page.

AI Act. Obexal does not claim to be AI Act compliant, and no vendor can grant you that on its own. What Obexal provides is support for the obligations that fall on you when you deploy AI agents: traceability through the audit trail, a kill switch to stop an agent, scoped and time-bounded credentials, and human oversight through attested review and anomaly detection. Compliance remains your responsibility; these controls are there to make it reachable.

NIS2 and DORA. Obexal supports your access control and logging requirements; whether NIS2 or DORA applies depends on your status, not ours. We describe what the product does, and leave the legal qualification to your counsel.

Proof, not adjectives

The facts below are what a CISO or a DPO will ask for first. We state them as they are, and keep them current.

  • Hosting: France, datacenter in the Paris region
  • Data residency: European Union
  • Transfers outside the EU: None in the request path, no external CDN, self-hosted fonts
  • Legal entity: A French company being incorporated, [TO BE FILLED IN: SIREN]; the founder answers directly
  • Sub-processors: An EU hosting provider (France) and an EU transactional email provider; named list via the contact page
  • Certifications: Not certified ISO 27001, SOC 2 or HDS to date; ISO 27001:2022 mapping documented; SecNumCloud roadmap under way
  • Encryption: TLS 1.2 minimum (1.3 preferred), application secrets encrypted at rest with AES-256-GCM, passwords hashed with Argon2id

Frequently asked questions

Is Obexal subject to the US Cloud Act?

Obexal is a European operator: hosted in France in a datacenter in the Paris region, with no dependency outside the EU in the request path, and published by a French company being incorporated. The intent of this design is to keep your data and its operator under European jurisdiction, away from foreign extraterritorial reach.

Do you transfer personal data outside the European Union?

No. Data stays within the EU, which is what removes the Schrems II transfer question from your assessment. Self-hosted fonts and the absence of an external CDN mean the sign-in experience does not call out to external endpoints either.

Are you ISO 27001 or SOC 2 certified?

Not to date, and we say so rather than imply otherwise. An ISO 27001:2022 mapping is documented, and the SecNumCloud roadmap is under way. Request the current security file via the contact page.

Can Obexal say it is AI Act compliant?

No, and we will not. Compliance is a property of your deployment and your organisation, not of a single vendor. Obexal supports your obligations with traceability, scoped agent identities, human oversight, and a kill switch, so the compliance work you owe is reachable.

Where can I get the DPA and the list of sub-processors?

The data processing agreement is published at /legal/dpa/ and the privacy policy at /legal/privacy/. The named list of sub-processors (an EU hosting provider and an EU transactional email provider) is available via the contact page.

What is the legal structure behind Obexal?

Obexal is published by a French company currently being incorporated; the registration number will be published as soon as incorporation completes. Until then, the founder answers directly: the contact page or +33 9 84 25 52 61. We prefer that honest answer to an empty facts table.

Can we keep our own branding and domain?

Yes. Obexal is multi-tenant and white-label: each tenant gets its own branding, its own domains, and a self-service employee portal, all within the same EU-hosted platform. See access management.

Move your identity layer under European jurisdiction.

The security file covers hosting, encryption, sub-processors and certification status, stated as they are.