We spoke to Christian des Lauriers - CEO - and Alessandro Fiorentino - Product Owner - about the Adequacy adventure.

SDBR News: Is Adequacy* the name of the company or the name of the software?

Christian des Lauriers: Adequacy is first and foremost the entrepreneurial adventure of a team that started out in 2003, with a core group of consultants. This ‘software technical architecture and security consulting’ activity, carried out under the Infhotep brand, was aimed at the IT departments of major accounts and software publishers. In 2007, a complementary activity was launched in the field of ‘organisational consulting’. In 2015, Infhotep was asked by its customers to help them start complying with the General Data Protection Regulation (GDPR). It was at this point that Alessandro Fiorentino joined us and convinced us to also work on data protection and security issues. Accompanied by two consultants who were equally passionate about these issues, they worked together to develop toolkits to optimize their assignments. In 2017, this joint effort led to the development of a compliance software package called Adequacy.

SDBR News: How did you move from Infhotep to Adequacy?

Christian des Lauriers: As Infhotep had a very good image as a consultancy for major accounts and local authorities, we were able to place the Adequacy compliance assistance software with several of our major customers. Our initial successes convinced us to develop this recurring revenue-generating business and, in 2021, Infhotep raised €1.2 million, with the aim of building and financing the commercial and technological development of Adequacy. In 2024, Infhotep will have completed its transformation into a full-fledged software publisher, having sold its consulting business (excluding GDPR) to TNP Consultants (which is also an Adequacy partner). And the name of the compliance software has become that of the company: Adequacy.

SDBR News: Is Adequacy a software package with drawers?

Alessandro Fiorentino: I'd say it's more like a ‘Russian doll’, because Adequacy is a platform with 3 main offerings: Start, Essential and Expert. Then, with the Add-Ons, we can respond to issues that are more specific to certain organizations and that are not common to all our customers. Unlike some of our competitors, who have very integrated offerings, we have taken a different methodological approach to building Adequacy. We make a point of never shaping our customers' way of doing things, while offering them a structured approach: each DPO can therefore integrate his or her own culture into our software. We can deploy Adequacy in 72 hours, in standard plug and play format. For a large account, which will require governance and adaptations, we can of course integrate ourselves into a project management system that will involve a 3 or 4 month roll-out to meet the needs of ‘change’ and specific configuration. Our offering evolves in line with the challenges faced by our customers; we refuse to expand our functional coverage for the sake of expediency and remain focused on our core business, data management and protection. This is where we are needed. And that's already a pretty broad playing field.

SDBR News: Is Adequacy integrating AI?

Alessandro Fiorentino: We will soon be upgrading Adequacy's functional coverage to support compliance with the AI Act, for our customers who are integrating AI into their activities. As well as supporting our customers in this area, we are also preparing to integrate AI into the Adequacy platform. However, we are a sovereign solution and we want to remain so. We are therefore working on deploying an open source AI that we can guarantee will remain confidential, so that our customers' activities are never exposed. Adequacy is hosted by OVH, which is also one of our customers for its GDPR compliance. Adequacy's objective remains to support businesses, and in particular the development of the DPO profession.

SDBR News: How do you see the DPO profession evolving?

Alessandro Fiorentino: The job of DPO requires legal and technical expertise in data protection, as well as knowledge of the sector-specific regulations of the organization for which he or she is appointed. Considered a new profession since the RGPD came into force, it should nevertheless be remembered that the ‘Datenschutzbeauftragter’ was, as early as 1977 in Germany, a compulsory function for organizations with more than ten employees.

Directive 95/46/EC of 24 October 1995 subsequently allowed this function to be generalized within the European Union, opening up the possibility for public and private organizations to appoint a person responsible for the protection of personal data (DPO). In 2004, France transposed this directive into its Data Protection Act, creating the position of Data Protection Correspondent (CIL). Seven years on, DPOs now find themselves in a context of European regulatory inflation: DMA (Digital Markets Act), DSA (Digital Services Act), NIS2 (Network & Information Security), CRA (European Cyber Resilience Act), and so on. We have the feeling that tomorrow's DPO will be the data compliance officer. Under pressure from the arrival of AI, he or she will have to succeed in working with all the company's major departments, just as he or she has succeeded in working with the CISOs to comply with the GDPR since 2018.

SDBR News: What are the future developments for Adequacy software?

Alessandro Fiorentino: In view of future developments, we believe, for example, that the CISO will soon need the DPO for NIS2. The CISO has been a privileged partner of the DPO in identifying the organizational and technical measures for the GDPR; it is quite possible that he will in turn be able to support the CISO in ensuring the principle of ‘accountability’ in the service of cybersecurity. In terms of its roadmap, Adequacy aims to support the development of the DPO's role, with good coverage of everything to do with privacy**. Adequacy has been doing security for a long time, but the difference now is that we're saying so. We will shortly be releasing an Add-On that will enable us to handle multi-regulation. In particular, it will enable us to adapt a data processing form that complies with Article 30 of the GDPR to comply with its equivalent in the Personal Information Protection Law (PIPL) of the People's Republic of China or the Digital Personal Data Protection (DPDP) Act for India. There are 110 regulations around the world, and we have already finalised the comparative law on 52 regulations, which will make it easier for companies operating internationally.

SDBR News: Isn't Adequacy a tool for large companies that are able to set up a DPO?

Christian des Lauriers : More and more companies are outsourcing their DPO because they can't or don't want to bring the function in-house. In this context, Adequacy is perfectly usable in SaaS mode, for small entities in the private or public sector that appoint external DPOs (for example, small municipalities that appoint departmental management centres to support them in their compliance). We currently have more than 10,000 Adequacy users in over 80 countries, including Le Groupe Figaro, Generali, Total Energies, Naval Group, Dassault Aviation, Groupe Bouygues, Sopra Steria, schools, local authorities, hospitals, etc.

SDBR News: What's your strategy for the future?

Christian des Lauriers: To move up a gear, we've decided to strengthen the company's governance and management: we welcomed Bernard Fort (Founder of Tennaxia) and Bernard Kirsch (Business Angel, Head of Data Privacy in a major international account) to the Board at the end of 2024. By 2026, we should be preparing to raise significant funds to take Adequacy to a new stage of development.

Adequacy will be present at the InCyber Forum - to be held in Lille from 1 to 03 April 2025 - on stand G 41.

* https://www.adequacy.app  

** Privacy: refers to the right of individuals to keep certain personal information confidential and to control how this information is used and shared.