Privacy and Security

Platform

Hosting

The Wikit solution is distributed in SaaS mode and is hosted in France by OVHcloud, within ISO 27001 certified datacenters.

The architecture is based on a shared responsibility model:

  • OVHcloud ensures the physical and infrastructural security of the datacenters.
  • Wikit ensures the application, logical, and organizational security of the platform.

The components of the solution are entirely developed in France by Wikit teams.

Governance and Security Management

Wikit maintains:

  • A documented Security Assurance Plan (SAP),
  • An annual risk analysis,
  • A risk treatment plan tracked in the GRC tool CISO Assistant,
  • A continuous improvement program.

A penetration test (pentest) is performed at least annually by a specialized external provider, as well as after any significant architecture change.

The SAP and associated operational documents (risk analysis, BCP/DRP, internal procedures) are classified as restricted distribution. They can be presented as part of an audit process, tender, or after signing a non-disclosure agreement.

Architecture and Data Processing

Development, pre-production, and production environments are strictly separated.

Customer data is stored in the OVHcloud infrastructure in France for the platform developed by Wikit.

Flows are encrypted and access is controlled according to the principle of least privilege.

LLM Model Providers

The Wikit solution is designed to allow the configurable use of Large Language Model (LLM) providers, according to client needs.

Provider | Data reuse for training | Data location in EU | Policy / Documentation
Scaleway Generative API | No | Yes (France) | https://www.scaleway.com/en/legal/privacy-policy/
OVHcloud AI Endpoints | No | Yes (France) | https://help.ovhcloud.com/csm/en-public-cloud-ai-endpoints-capabilities?id=kb_article_view&sysparm_article=KB0065421
Mistral AI | No | Yes | https://mistral.ai/privacy-policy
Microsoft Azure OpenAI | No | Yes | https://learn.microsoft.com/legal/cognitive-services
OpenAI | No | No | https://openai.com/policies/privacy-policy

Applied principles:

  • No model changes in production without client validation.
  • Data transmitted to LLMs is not used for model training, in accordance with the contractual commitments of the selected providers.
  • Whenever possible, processing is carried out in the European Union.
  • Providers are selected based on their security and compliance commitments.

Vectorization Models

Wikit offers several options for vectorization models (e.g., Azure OpenAI Text Embedding, Mistral Embed, other compatible models depending on configuration).

The choice of model is adaptable according to the client's functional, regulatory, or sovereignty requirements.

Email Sending

Email dispatch is outsourced to Brevo (formerly Sendinblue) for certain administrative features.

This service is hosted in the European Union.

Availability

Wikit commits to a contractual availability rate of 99.5%, excluding planned maintenance periods.

A status page allows for monitoring service availability.

Technical Measures

Encryption

  • Communication encryption via HTTPS (TLS 1.2 or higher)
  • User passwords protected by secure hashing (such as BCrypt)
  • Encryption of sensitive data at rest via native hosting solution mechanisms

Access Management

  • RBAC (Role-Based Access Control) model
  • Principle of least privilege
  • MFA enabled for administrator accounts and technical access
  • Logging of access to critical systems

Non-IT employees do not have administrator rights on their workstations unless a validated justification is provided.

Application Security

  • Systematic code review
  • Automated dependency analysis
  • Vulnerability monitoring (CERT/ANSSI)
  • Non-regression testing before production release

Backups and Continuity

Backups are automated, stored off-site, and periodically tested.

Wikit has a formalized Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), maintained separately.

Restoration tests are performed regularly.

Organizational Measures

Joiners and Leavers Management

A formalized onboarding and offboarding procedure governs:

  • Account creation,
  • Rights attribution,
  • Immediate revocation of access upon departure,
  • Equipment return.

The process is reviewed annually.

Awareness and Training

All employees regularly receive awareness training on cybersecurity issues and GDPR requirements.

Incident Management

A formalized procedure governs the detection, qualification, and remediation of security incidents.

In the event of an incident impacting a client, notification is made as soon as possible, accompanied by a detailed report available upon request.

Personal Data Protection

Wikit acts as a processor within the meaning of the GDPR.

The processing operations carried out are documented and sub-processors are selected based on security and compliance criteria.

Data retention is aligned with the contractual duration and applicable regulatory requirements.

Commitment

Wikit adopts a security approach proportionate to its size, aligned with the state of the art for SaaS software vendors integrating artificial intelligence technologies.

Data security and confidentiality are a strategic focus of the platform's development.