Docult relies on an in-house AI engine, infrastructure hosted in France, and contractual commitments aligned with GDPR and lawyersâ professional secrecy.
Docultâs guarantees are not abstract promises: they are built into how documents are detected, redacted, stored and audited.
The Docult AI engine, combining business rules, regex patterns and specialised detection, limits data exposure; sensitive workflows stay on French infrastructure.
Customer data is hosted at OVHcloud on infrastructure located in France.
DPA, documented subprocessors, TOMs and a pre-filled DPIA template support law firms.
Docult redaction and pseudonymization rely on a proprietary AI engine: business rules, term lists, regex patterns and specialised detection applied reproducibly to documents.
Sensitive-entity detection runs on Docult infrastructure hosted in France. Source documents are not sent to a third-party cloud provider for this step.
âStrict regexâ mode covers the most sensitive workflows: pseudonymization with no external calls, suited to the strictest environments (professional secrecy, HDS hosting).
Docult application servers are hosted at OVHcloud on infrastructure located in France. OVHcloud is a French company subject to French and EU law, ISO 27001 and ISO 27701 certified, with an ecosystem that includes ANSSI SecNumCloud-qualified offerings.
Customer data (source documents, reversibility tables, processing metadata) does not leave this perimeter for core operations. Encryption is applied in transit (TLS 1.2 minimum, TLS 1.3 by default) and at rest (AES-256).
Docult pseudonymization is reversible: the mapping table between original entities and pseudonymized equivalents is encrypted, isolated from the pseudonymized document and accessible only to authorized firm users.
By default, Docult processes documents on its servers in France: extraction, detection by the Docult AI engine, rules and regex patterns, reversible redaction and encrypted storage. No cleartext data is sent to a third-party cloud model for these core operations.
Detection, redaction and reporting features rely on the Docult engine developed for this offer. Customer documents are not used to train a third-party model.
âLocalâ mode removes all outbound calls: detection, pseudonymization and reports rely solely on the Docult engine and built-in templates.
The client firm is controller within the meaning of Article 4(7) GDPR. Docult acts as processor within the meaning of Article 4(8). This allocation is formalized in our terms and the associated DPA.
Docult never processes data for its own purposes. Processing relies on the firmâs legal basis, including legitimate interest in protecting document subcontracting and performance of the lawyerâs mandate, together with professional secrecy.
Retention periods are configurable per firm. By default, source documents are deleted when processing ends, and only pseudonymized artefacts and the reversibility table are kept per firm settings.
Lawyersâ professional secrecy, protected under French law, is stricter than GDPR alone. Docultâs architecture was designed with this framework in mind.
Primary redaction runs inside the Docult perimeter through our specialised engine. Processing settings are configurable per firm, with a local mode and no outbound call.
This design allows lawyers to meet confidentiality obligations while using document assistance designed for legal pseudonymization.
Docult offers a âlocalâ platform mode: no data leaves the Docult server, detection combines regex and the integrated engine, pseudonymization stays in strict mode, GDPR reports are generated by the Docult engine and its templates.
This mode suits firms with strong constraints (professional secrecy, HDS hosting, âzero external cloud processingâ policies) while keeping reversible redaction and auditability.
On request, Docult provides client firms with the documents needed for security, compliance and DPO reviews.
For any question about Docult security, compliance or audits, contact us at the dedicated address listed in our legal notice.