Frequently asked questions

The GDPR prohibits the collection and use of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as the processing of genetic data, biometric data allowing for the unique identification of a person, health information, or data related to an individual's sexual life or sexual orientation.

However, there are exceptions to this prohibition, including:

• If the data subject has given explicit consent, which must be free, specific, informed, and preferably in writing.
• If the information has been manifestly made public by the data subject.
• If this data is necessary for the protection of human life.
• If its use is justified by a public interest and authorized by the CNIL.
• If it concerns members or affiliates of an association or political, religious, philosophical, or trade union organization.

• Inform the data subjects clearly and accessibly about the use of their data (purpose, retention period, rights, etc.).
• Justify a legal basis for each processing (consent, contract, legitimate interest, etc.).
• Respect the rights of data subjects (access, rectification, erasure, objection, etc.).
• Ensure the security of personal data: appropriate technical and organizational measures must be implemented to protect data against risks of loss, unauthorized access, or disclosure.
• Document all processing activities in a record, especially starting from 250 employees or in the case of sensitive or non-occasional processing.
• Notify data breaches to the CNIL (or other competent authority) within 72 hours, and sometimes, to the affected data subjects.
• Frame relationships with subcontractors through formalized contracts, to ensure their compliance with GDPR requirements and clarify each party's responsibilities.

The three main principles of the general data protection regulation are:

1. Transparency, fairness, and legality: Personal data must be collected and processed in a transparent, lawful, and fair manner. This involves informing the data subjects about how their data will be used and ensuring that they provide informed consent.
2. Data minimization: Only the data necessary for the specific purpose should be collected. This principle encourages companies to limit the amount of personal data they process, thereby reducing risks to individuals' privacy.
3. Security and confidentiality: Personal data must be protected against unauthorized access, processing, or disclosure. Companies must implement technical and organizational measures to ensure the security of the personal data they process.

The consent management platform is marketed as a dedicated module. Depending on the number of visitors to your website, the subscription fee will vary. See our pricing page or contact us for more information.

A cookie banner is essential as soon as you store or access information on a user's device, regardless of the technology used. As soon as non-essential trackers are used — such as those for targeted advertising, audience measurement with identifiable data, or personalization — you must inform the user and obtain their prior consent.

Cookies can be classified into several categories:

1. strictly necessary cookies
2. performance cookies
3. functionality cookies

The ePrivacy Directive 2002/58/EC, amended in 2009, often referred to as the "Privacy and Electronic Communications Directive", is an initiative of the European Commission aimed at ensuring the confidentiality of communications and protecting users against certain intrusive practices in the digital realm. It is transposed differently in each Member State (in France, through the Data Protection Act, particularly regarding cookies and direct marketing).

The AI Act is marketed in a dedicated or complementary module of the Privacy offerings. Depending on the number of employees in your company, the subscription amount will vary. Please consult our pricing page or contact us to learn more.

The approach to AI systems is based on a risk assessment. The regulatory framework defines four categories of risk for artificial intelligence systems (AIS), with varying levels of regulation depending on the different levels of the pyramid.

• Unacceptable risks
• High risks
• Limited/Moderate risks
• Minimal or no risks

The AI Act aims to create a harmonized legal framework in the EU to ensure that artificial intelligence systems are safe, transparent, ethical, and respect fundamental rights. More specifically, it has the following objectives:

• Protect citizens against the use of AI deemed dangerous or intrusive (e.g., mass surveillance, behavioral manipulation)
• Regulate high-risk systems with strict obligations for transparency, human oversight, data quality, and documentation
• Promote trustworthy innovation by providing a clear framework for AI developers and companies
• Enhance public and professional user trust in AI

The AI Act, or Regulation on Artificial Intelligence, is a regulation developed to regulate and encourage the development as well as the marketing of artificial intelligence systems within the European Union. Proposed by the European Commission in April 2021, the AI Act came into effect on July 12, 2024, after three years of negotiations.

In order to cancel your subscription, please contact us adding any information that can help us identify your subscription (company name, etc).

The Dastra work environment is deployed immediately after the creation of the entity.

Yes, we offer subscriptions dedicated to large structures (large and medium-sized companies) composed of several legal entities.

Dastra is particularly well suited for corporate groups, either centralized with a single location for entity management and shared repositories, or decentralized.

Please contact us if you would like to know more information on how Dastra can help your specific organization.

The trial offer is for a period of one (1) month. After that, you can contact us directly to extend it if you need it.

Yes!

With DASTRA, you can connect yourself your own data hosting solution to host the documents stored in the application. This includes all documents stored in the document management system and documents stored in the rights management system.

You have control over the security of this hosting. The files remain under your control.

Today, we can connect Amazon S3 and Azure Blob Storage. Other services can be developed on demand, please contact us if you have a question regarding this topic.

Yes, in part !

We have completed a compliance audit of the General Accessibility Guidelines for the Administration (RGAA).

Our cookie choice management widget is fully compliant with the RGAA.

We have made the necessary changes to the source code to comply with accessibility standards.

Thus, the use of the widget and its appropriate configuration will maintain compliance with the standard for the site that hosts the widget.

More information about this standard: https://www.numerique.gouv.fr/publications/rgaa-accessibilite/

When your subscription expires and without renewing your contract, you will no longer be able to access or modify the information contained in your space. The information is deleted within a reasonable time (maximum 2 months).

We apply strict security measures to our environment, both at the application and development levels.

We maintain a technical watch and have our solution regularly audited in order to provide the maximum guarantees on the security of the data you entrust to us.

You can find out more on our page dedicated to security.

You have access to all of Dastra's features in the trial package, except for audit and data processing activities exports.

If you want to have a view of the exports, contact us !