GDPR & Security

Last updated: 4/11/2026

Security Commitment

At Ederest, the security of your data is our absolute priority. We implement state-of-the-art technical and organizational measures to protect your personal information against unauthorized access, disclosure, modification, or destruction. Our security approach complies with international best practices and the requirements of the GDPR and Moroccan Law 09-08.

Technical Security Measures

Data Encryption

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for all data at rest
  • Password hashing with bcrypt
  • Application-level encryption for sensitive data

Secure Infrastructure

  • Hosted on Microsoft Azure (ISO 27001, SOC 2, PCI DSS certified)
  • Web Application Firewall (WAF) and DDoS filtering
  • Strict multi-tenant isolation
  • Daily backups with 30-day retention
  • Multi-region replication for high availability

Access Controls

  • Multi-factor authentication (MFA) available
  • Least privilege principle enforced
  • Automatic session expiration
  • Full logging of all access events
  • 24/7 monitoring and alerting

Organizational Measures

Security Policy

  • Documented and approved information security policy
  • Security incident management procedures
  • Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
  • Quarterly security policy reviews

Human Resources Management

  • Background checks for sensitive positions
  • Mandatory security and data protection training
  • Non-disclosure agreement (NDA) clauses in all contracts
  • Immediate access revocation upon employee departure

Vendor Management

  • Prior security assessment for all third-party vendors
  • Data Processing Agreements (DPA) signed with every subcontractor
  • Regular subcontractor compliance audits
  • Liability clauses in case of data breach

Security Testing and Audits

  • Semi-annual penetration tests conducted by independent providers
  • Weekly automated vulnerability scans
  • Static and dynamic source code analysis
  • Bug bounty program for responsible disclosure
  • Annual GDPR and ISO 27001 compliance audits

GDPR Compliance

Fundamental Principles

  • Lawfulness, fairness, and transparency of processing
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

Your GDPR Rights

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw your consent at any time
  • Right to lodge a complaint with the CNDP

Exercising Your Rights

You can exercise your rights through the dedicated form in your account, by email at privacy@ederest.com, or by postal mail to our address. We commit to responding to any request within 30 days.

Data Breach Management

Notification Procedure

  • Detection through our real-time monitoring systems
  • Impact assessment within 24 hours of detection
  • Notification to the CNDP within 72 hours in accordance with the GDPR
  • Notification to affected users in case of high risk to their rights and freedoms
  • Immediate implementation of corrective measures

Breach Register

A data breach register is maintained in accordance with GDPR requirements, documenting each incident, its impact, and the measures taken.

Data Protection Impact Assessment (DPIA)

A data protection impact assessment is systematically conducted for the following cases:

  • Any new processing presenting a high risk to rights and freedoms
  • Any significant modification to an existing processing operation
  • Introduction of new processing technologies
  • Large-scale processing of sensitive data

International Data Transfers

  • Guarantee of an adequate level of protection in the destination country
  • Use of European Union Standard Contractual Clauses (SCCs)
  • Implementation of appropriate safeguards in accordance with the GDPR
  • Transparent disclosure to users regarding any international transfer

Data Protection Officer (DPO)

  • Oversight of GDPR compliance
  • Advisory and support for teams
  • Liaison with supervisory authorities (CNDP)
  • Management of rights exercise requests
  • Staff training and awareness

To contact our DPO: dpo@ederest.com. Postal address: Ederest, Casablanca, Morocco.

Certifications and Compliance

  • ISO 27001 – Information security management system
  • GDPR – General Data Protection Regulation
  • Moroccan Law 09-08 – Protection of individuals with regard to personal data processing
  • Azure Security – SOC 2 and PCI DSS certifications from our hosting provider

Vulnerability Reporting

We maintain a bug bounty program to encourage responsible disclosure of security vulnerabilities. If you discover a vulnerability, contact us at security@ederest.com. We commit to responding within 48 hours and will not pursue legal action against good-faith security researchers.

Contact

For any questions regarding security or data protection, you can reach us at the following addresses: security@ederest.com (security), privacy@ederest.com (privacy), dpo@ederest.com (data protection officer).

Back to home