🇫🇷 Compliance
GDPR compliance and digital sovereignty: file sharing hosted in France
Pli Scellé meets the GDPR by design and hosts your files exclusively in France, beyond the reach of the US Cloud Act. This page documents how, article by article.
GDPR by design, not as an option
The General Data Protection Regulation sets principles that apply to any processing (Article 5): data minimisation, purpose limitation, storage limitation, integrity and confidentiality. Pli Scellé applies these principles in the way the service actually works, not as a layer bolted on afterwards.
Minimisation (Article 5.1.c): to share a file or a secret, the service asks only for what is strictly necessary. No marketing tracking is embedded: no Google Analytics, no advertising pixel, no third-party profiling cookie. The only data processed serves to deliver the share and secure it.
Security (Article 32): Article 32 requires technical measures proportionate to the risk. Pli Scellé encrypts content, offers a zero-knowledge end-to-end mode (AES-256-GCM) where the server never decrypts the file, and scans unencrypted attachments with ClamAV. Encryption and pseudonymisation are named in Article 32 as appropriate measures.
Data subject rights (Articles 15 to 22): access, rectification, erasure, restriction, portability, objection. The ephemeral architecture makes erasure straightforward, since the data disappears on its own at expiry. For rights requests, the publisher remains the contact point as data controller.
Sovereignty and the Cloud Act: why both the host and the publisher matter
Hosting in France is not enough if the service publisher falls under US law. The Clarifying Lawful Overseas Use of Data Act (Cloud Act), enacted in the United States on 23 March 2018, allows US authorities to compel a company subject to US law to hand over data, regardless of where that data is physically stored. A US subsidiary, or a publisher whose parent company is American, falls within scope. The concrete consequence: files hosted on a server located in France, but operated by an actor under US law, remain legally reachable by a US order, with no mutual legal assistance and no notice to the person concerned.
This is precisely the conflict the Court of Justice of the European Union sanctioned in the Schrems II ruling of 16 July 2020. The Court invalidated the Privacy Shield, holding that US surveillance (Section 702 FISA, Executive Order 12333) was a disproportionate intrusion into the privacy of Europeans. Standard contractual clauses remain valid, but only with supplementary measures and a case-by-case risk assessment. Since 10 July 2023, an adequacy decision (EU-US Data Privacy Framework) restores a framework for transfers to certified US entities; for the others, standard contractual clauses and an impact assessment remain necessary.
Pli Scellé removes the root of the problem. The publisher is SHPV FRANCE SAS, a company under French law. Files and share data are hosted in datacenters located in metropolitan France, with no transfer outside the European Union. With no US publisher in the file hosting chain, the Cloud Act has no hold over those files.
What the server sees, and what it does not
The end-to-end encryption mode rests on a verifiable promise: the decryption key never leaves the browser. It is passed to the recipient through the URL fragment, the part after the # that the browser never sends to the server, by design of the HTTP protocol. In zero-knowledge mode, the server stores encrypted content it is unable to read. Even an order served on the host, or a breach of the storage, yields only ciphertext that is useless without the key held solely by the recipient.
This model changes the nature of the risk. Security no longer rests only on trust in the operator, but on the server being technically unable to read the content. For a DPO, this shrinks the surface of genuinely exposed data: content that even the controller cannot decrypt in E2E mode is not accessible to a third party who gains access to the server.
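The fragment-based key exchange described above can be illustrated with the following sketch, which is an added example and not Pli Scellé's own code. The host `share.example`, the `/s/<id>#<key>` URL layout and all function names are assumptions; it runs under Node.js using the same WebCrypto API a browser exposes.

```javascript
// Added illustration, runs under Node.js. Host, path layout and function
// names are assumptions, not Pli Scellé's actual API.
async function webCrypto() {
  // Global in browsers and recent Node; imported on older Node versions.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Sender side: encrypt locally, keep the key out of anything uploaded.
async function sealForShare(plaintext, shareId) {
  const wc = await webCrypto();
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per file
  const ciphertext = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  return {
    upload: { iv, ciphertext }, // everything the server would store
    shareUrl: `https://share.example/s/${shareId}#${Buffer.from(rawKey).toString('base64url')}`,
  };
}

// What a user agent puts on the HTTP request line: path and query only.
function requestTargetSentToServer(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

// Recipient side: read the key from the fragment and decrypt locally.
// AES-GCM is authenticated, so a wrong key or altered ciphertext rejects.
async function openFromShare(shareUrl, upload) {
  const wc = await webCrypto();
  const rawKey = Buffer.from(new URL(shareUrl).hash.slice(1), 'base64url');
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const plain = await wc.subtle.decrypt({ name: 'AES-GCM', iv: upload.iv }, key, upload.ciphertext);
  return new TextDecoder().decode(plain);
}
```

The fragment stays readable by any script running on the share page, so the property also depends on the integrity of the JavaScript the service delivers to the browser.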
Retention periods and automatic erasure
Storage limitation (Article 5.1.e) forbids keeping data longer than necessary. The French data protection authority (CNIL) makes this one of its recurring enforcement points. Pli Scellé answers this obligation through ephemerality: depending on the plan, a share expires between one hour and thirty days, then undergoes automatic purging. Erasure is not an action to request, it is the default behaviour of the service. This gives concrete effect to the right to erasure (Article 17) with no manual intervention.
Audit logs serve a different need: traceability and evidence. They are retained for 30 days on the Essential plan and 90 days on the Pro plan, and exportable from the Pro plan. A controller can document who shared what, and when, which serves both security (Article 32) and accountability (Article 5.2).
A point of transparency on payment: billing is handled by Stripe Payments Europe, an entity established in Dublin, Ireland. No shared file passes through Stripe; only billing data is concerned. Stripe Payments Europe relies technically on Stripe Inc in the United States; those transfers are covered by standard contractual clauses and by the EU-US adequacy decision (Data Privacy Framework, to which Stripe is certified). The boundary is clear: files and share data stay in France, while payment relies on a processor operating under that legal framework.
Frequently asked questions
- Where are my files physically stored?
- In datacenters located in metropolitan France. Files and share data are never transferred outside the European Union. The service publisher is SHPV FRANCE SAS, a company under French law.
- Am I GDPR-compliant when using Pli Scellé?
- Pli Scellé is designed to support your compliance: data minimisation (Article 5), encryption and antivirus scanning (Article 32), short retention periods and automatic erasure (Articles 5.1.e and 17). Overall compliance of a processing activity also depends on your own use and records, but the tool applies the technical requirements of the regulation by design.
- Does the US Cloud Act apply to my files?
- No, for files and share data. The Cloud Act targets companies subject to US law. The publisher of Pli Scellé is a French company and file hosting is exclusively French, with no US publisher in the chain. A US order therefore has no hold over this data. Only billing data passes through Stripe Payments Europe (Dublin, Ireland), under the arrangement described above.
- What are the retention periods?
- Shares expire between one hour and thirty days depending on the chosen plan, then are purged automatically. Audit logs are kept for 30 days on the Essential plan and 90 days on the Pro plan; export is available from the Pro plan.
- Can I export the audit logs?
- Yes. Audit logs are kept for 30 days on the Essential plan and 90 days on the Pro plan, with export from the Pro plan. They document share actions for your traceability, security and accountability needs within the meaning of Article 5.2 of the GDPR.