
Is your website compliant
with the CNDP?

Find out in 30 seconds. Three independent scores: CNDP compliance, technical security, European GDPR. Free audit grounded in Law 09-08 and decree 2-09-165.

✓ Non-intrusive audit · ✓ Multi-page crawl · ✓ No data retained
What the law says

CNDP compliance is no longer optional.

Law 09-08 was enacted in 2009 and its implementing decree has been in force since the same year. Sanctions are enforced. A CNDP receipt is required before any processing of personal data. If your site collects a name, an email address or a phone number, you are concerned.

Maximum sanction

300,000 MAD

per non-compliant processing (Law 09-08, art. 52)

CNDP receipt

Mandatory

before any processing (Law 09-08, art. 12)

Review timeline

1 to 6 months

depending on the form (F211, F112, F118)

Not sure whether you are concerned, or compliant?

Our offering · CNDP

Understand, audit, fix, file. One single agency.

We accompany you through the 4 key moments of your CNDP compliance journey. You call us for an audit, we stay as long as needed, and you walk away compliant — with your receipt.

Step 1 — Understand

We start by explaining whether you are concerned, and to what extent.

Before you pay anything, we need to know where you stand. SME, e-commerce, professional firm, SaaS, institution — each profile falls under a different CNDP framework. This first step is not billed.

  • 30-minute phone call

    No commitment, no billing, no sales script.

  • Mapping of your data processing activities

    Newsletter, CRM, forms, payment, cookies, transfers.

  • Applicable CNDP framework for your activity

    Which form, which timeline, which specific obligations.

  • Honest estimate of the work involved

    We tell you how long it takes, how much it costs, and whether you can do it yourself.

By the end of this call you know exactly what is ahead. If we are not the right partner for you, we will say so.

Read our CNDP guides
Step 2 — Audit

We take a snapshot of your current compliance. Precisely. With no blind spots.

The free audit at the top of the page gives you a first score. When you want to go further, we move to a thorough manual audit: we read each of your pages, we verify each processing activity, we check your processor contracts, we simulate a CNDP inspection. You will know exactly where you stand.

  • Free automated audit

    Three scores in 30 seconds: CNDP, security, GDPR.

  • Thorough manual audit

    Prioritised report delivered within 5 business days. Starting at 4,900 MAD.

  • Full documentation review

    Policy, notices, records, contracts, consent records.

  • Costed and sequenced action plan

    You know what to do, by whom, in which order, and how much it costs.

The report remains your property — you can use it with your current IT team, with no obligation to continue with us.

Try the free audit
Step 3 — Fix

Once the gaps are identified, we fix them. With you, or for you.

Two options depending on your team. Either your IT applies our remediation plan — we train them, we guide them remotely. Or we take it on: technical configuration, documentation drafting, or a full rebuild of a compliant-by-design site.

  • Localised privacy policy

    Genuine Law 09-08 wording, not a copy-paste of European GDPR.

  • Legal notice, records, processor contracts

    Complete, enforceable documents, up to date with the latest CNDP decisions.

  • Technical hardening of the site

    Security headers, TLS, DMARC, cookie banner with runtime blocking.

  • Full compliant-by-design site option

    For redesigns: we build a compliant site from the first commit.

On delivery, your site is compliant. And your team has what it needs to stay that way.

Step 4 — File

We file your CNDP case. You wait for the receipt. That's it.

Case file assembly, physical or digital filing depending on the case, follow-up of the review, response to CNDP's additional requests, renewals and amendments. Transparent flat fee per case. You no longer have anything to manage on the CNDP side — except signing.

  • F211 — standard declaration

    For the majority of common processing activities.

  • F112 — prior authorisation

    Sensitive data, health data, special purpose.

  • F118 — international transfer

    Hosting abroad, sub-processor outside Morocco, standard contractual clauses.

  • F214 — simplified declaration

    Cases pre-authorised by a CNDP framework decision.

When the receipt is issued, we help you display it correctly on your site — it is your best free trust signal.

Not sure where to start?

We always begin with a free 30-minute call to understand your situation. By the end of the call, you will know precisely what needs to be done — whether we handle it or not.

Our offering · Security

Legal compliance does not protect you from a breach.

You can be CNDP-compliant and get hacked the next month. The two topics are distinct. We treat technical security as a discipline of its own, with the same rigour.

Audit

We look at your site as an attacker would. Without touching.

The non-intrusive audit assesses the visible surface: HTTP headers, TLS, fingerprinting, cookie configuration, security.txt, DMARC. The in-depth audit goes further: logging, secrets management, outdated dependencies, exposed admin panels.

  • Non-intrusive audit included in every engagement
  • OWASP ASVS + Mozilla Observatory methodology
  • Report with CVSS risk level
Test

Targeted penetration test. With scope, written authorisation and insurance.

When the non-intrusive audit is not enough — regulated entity, post-incident, certification, critical deployment — we move to a pentest. Written Rules of Engagement, agreed window, reproducible exploitation proofs. Retest after remediation included.

  • Written RoE, precise scope, two-way NDA
  • Black-box, gray-box or white-box depending on context
  • Professional liability insurance; your written authorisation is what keeps the test outside the scope of art. 607-3 of the Moroccan Penal Code (fraudulent access to an automated data-processing system)
Fix

We patch the identified vulnerabilities. Your IT, or us.

Once the gaps are identified, two options: your IT team applies our plan, or we step in ourselves. Hardened headers, reinforced TLS, security.txt, DMARC at p=reject, fixes for priority CVEs.

  • Prioritised remediation plan delivered turn-key
  • Implementation by your IT (we guide them) or by us
  • Post-remediation verification included
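The checks that the non-intrusive audit above and this hardening step describe, as an added worked example: it is not DataSouv's tool or scoring methodology, but a stand-alone script that grades a set of response headers, Set-Cookie attributes, a DMARC TXT record and a security.txt body, with a weak configuration beside a hardened one. Every input is a constructed sample, and the thresholds (one year of HSTS, DMARC at p=reject, RFC 9116's mandatory Contact and Expires) are the example author's choices, not figures taken from the page.

```python
"""Offline check of what a non-intrusive audit can see: response headers, Set-Cookie
flags, the DMARC TXT record and security.txt. Every input below is a constructed sample."""
import re
from datetime import datetime, timezone

# Constructed samples: a weak configuration next to a hardened one.
WEAK_HEADERS = {"Server": "Apache/2.4.29 (Ubuntu)"}                # version disclosed
WEAK_COOKIES = ["PHPSESSID=abc123; Path=/"]                        # no Secure/HttpOnly/SameSite
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"     # monitor-only policy

HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test"

SECURITY_TXT = """# constructed sample in RFC 9116 layout
Contact: mailto:security@example.test
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: fr, en
"""
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def check_headers(headers):
    """Header names are case-insensitive, so normalise before looking anything up."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").upper()
    return {
        "hsts_one_year": bool(hsts) and int(hsts.group(1)) >= 31536000,
        "csp_present": bool(csp),
        "csp_no_unsafe_inline": bool(csp) and "'unsafe-inline'" not in csp,
        "clickjacking_protected": "frame-ancestors" in csp or xfo in {"DENY", "SAMEORIGIN"},
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_policy_safe": h.get("referrer-policy", "").lower() in SAFE_REFERRER,
        "server_version_hidden": not re.search(r"\d", h.get("server", "")),
    }

def check_cookies(set_cookie_values):
    """Per cookie: Secure, HttpOnly and an enforcing SameSite value."""
    out = {}
    for raw in set_cookie_values:
        name_value, *attributes = raw.split(";")
        attrs = {}
        for attribute in attributes:
            key, _, val = attribute.strip().partition("=")
            attrs[key.lower()] = val.lower()
        out[name_value.split("=", 1)[0].strip()] = {
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "samesite": attrs.get("samesite") in {"lax", "strict"},
        }
    return out

def check_dmarc(record):
    """Parse 'tag=value; ...' and require an enforcing policy with aggregate reporting."""
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in record.split(";") if p.strip())}
    policy = tags.get("p", "").lower()
    return {
        "dmarc_valid_version": tags.get("v") == "DMARC1",
        "dmarc_enforcing": policy in {"quarantine", "reject"},
        "dmarc_reject": policy == "reject",
        "dmarc_full_coverage": tags.get("pct", "100") == "100",  # pct defaults to 100
        "dmarc_aggregate_reports": tags.get("rua", "").startswith("mailto:"),
    }

def check_security_txt(body, now=None):
    """RFC 9116: Contact and exactly one Expires are mandatory; Expires must be in the future."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in body.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, val = line.partition(":")
            fields.setdefault(key.strip().lower(), []).append(val.strip())
    expires = fields.get("expires", [])
    try:
        not_expired = len(expires) == 1 and datetime.fromisoformat(expires[0].replace("Z", "+00:00")) > now
    except ValueError:
        not_expired = False
    return {
        "sectxt_has_contact": bool(fields.get("contact")),
        "sectxt_single_expires": len(expires) == 1,
        "sectxt_not_expired": not_expired,
    }

def audit(headers, cookies, dmarc, security_txt):
    """Return (score out of 100, sorted names of the failed checks)."""
    checks = {**check_headers(headers), **check_dmarc(dmarc), **check_security_txt(security_txt)}
    for name, flags in check_cookies(cookies).items():
        checks.update({f"cookie_{name}_{flag}": ok for flag, ok in flags.items()})
    return round(100 * sum(checks.values()) / len(checks)), sorted(k for k, ok in checks.items() if not ok)

if __name__ == "__main__":
    print("weak    ", audit(WEAK_HEADERS, WEAK_COOKIES, WEAK_DMARC, SECURITY_TXT))
    print("hardened", audit(HARDENED_HEADERS, HARDENED_COOKIES, HARDENED_DMARC, SECURITY_TXT))
```

Fetching the live response, the TXT record at `_dmarc.<domain>` and `/.well-known/security.txt` is left out so the script runs offline; the functions take the same inputs those three lookups return. Running the same checks again after the fixes have been applied is the post-remediation verification step: the failed-check list should come back empty.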
Train

We make your team self-sufficient. So that they no longer call us.

A one-shot engagement is not enough. We train your team to remain self-sufficient after we leave: security-oriented code review for developers, digital hygiene for non-technical staff, incident management.

  • Dev workshop 4h — OWASP Top 10, secrets, code review
  • Business workshop 2h — phishing, MFA, passwords
  • Internal documentation delivered, up to date with your stack

If you do nothing, here is what can happen

Not dramatic storytelling: these are the four scenarios we observe most often on the Moroccan sites we analyse.

  • Personal data leak

    Mandatory CNDP notification (art. 35) + reputational damage

  • Compromised unpatched plugin

    Pivot to other systems, silent exfiltration

  • Email sent on your behalf

    Phishing of your customers, loss of commercial trust

  • Trackers loaded without consent

    CNDP sanction + GDPR fine if European visitors

Pillar 3 — European GDPR

If you touch Europe, the GDPR concerns you. Even from Casablanca.

Many Moroccan players think the GDPR does not concern them because they are not established in the EU. That is wrong: article 3 of the regulation makes it applicable extraterritorially in several concrete cases.

You have customers or prospects in Europe

The GDPR applies extraterritorially: if you offer goods or services to people located in the EU, you fall under it (article 3.2.a).

You process data of European citizens

Newsletter, CRM, e-commerce, B2B SaaS — as soon as a person in the EU is in your databases, your processing must comply with the regulation.

You monitor the behaviour of people in the EU

Analytics, retargeting, advertising profiling aimed at the European market — article 3.2.b, GDPR applicable even without physical presence in the EU.

CNDP vs GDPR — what differs

  • Maximum sanction
    CNDP / Law 09-08: 300,000 MAD per processing activity
    EU GDPR: €20M or 4% of worldwide annual turnover, whichever is higher (art. 83.5)
  • Authority
    CNDP / Law 09-08: CNDP (Morocco)
    EU GDPR: national authority (CNIL, AEPD, etc.) + EDPB
  • Cookies
    CNDP / Law 09-08: Deliberation D-474/2013
    EU GDPR: ePrivacy directive art. 5(3) + GDPR: prior, informed consent before any non-essential cookie is set
  • DPO
    CNDP / Law 09-08: Recommended for regulated entities
    EU GDPR: Mandatory in 3 cases (art. 37)
  • International transfers
    CNDP / Law 09-08: Prior F118 authorisation
    EU GDPR: SCC, BCR or adequacy decision (chapter V)

Our services

Five service lines, with no overlap.

You engage us on a single service or on the full set. The coherence between administrative compliance, technical security and CNDP filings is what makes the difference in the long run.


Starting at

4,900 MAD

incl. tax, delivered within 5 business days

Audit

Full CNDP × Security × GDPR audit

Thorough report covering every category of the free tool, plus an in-depth manual analysis of your stack, internal documentation review, costed remediation recommendations and operational checklist.

  • Law 09-08 + decree 2-09-165 + GDPR compliance audit
  • Non-intrusive security audit (headers, TLS, surface, email)
  • Review of policy, notices, records, processor contracts
  • Remediation plan prioritised by risk × effort
  • Oral debrief (1h) + PDF report

On quote

Variable

Depending on site size and number of processing activities

Compliance roll-out

Operational compliance roll-out

We execute the remediation plan: drafting compliant documents, technical configuration of the site, cookie banner with runtime blocking, hosting hardening, training of internal teams.

  • Localised privacy policy (not a GDPR copy-paste)
  • Legal notice, records of processing, processor contracts
  • Compliant cookie banner + runtime tracker blocking
  • Hardening: headers, TLS, DMARC, security.txt
  • Dev + business team training (2h workshop)

On quote

Flat fee per case

Depending on complexity and transfers involved

Filings

CNDP filings — F211, F112, F118, F214, F113

Full assembly of the regulatory case file, filing with the CNDP, follow-up of the review, handling of additional requests, amendment updates. You have nothing to handle.

  • F211 — standard declaration (common processing)
  • F112 — prior authorisation (sensitive data)
  • F118 — international transfer with SCC
  • F214 — simplified declaration (CNDP framework decisions)
  • Follow-up of the review and response to CNDP requests

On quote

Annual flat fee

Minimum 1-year engagement

DPO

DPO appointment or outsourced mission

Official appointment of an internal DPO with support, or an outsourced DPO mission for organisations that lack the critical mass to host the role internally but need one (regulated entities, large processing).

  • Scoping of the perimeter and the missions
  • Official appointment and CNDP declaration
  • Quarterly regulatory watch
  • Interface between your organisation and the CNDP
  • Half-yearly activity reports

On quote

Flat fee per mission

Depending on scope and depth

Advanced security

Penetration test (pentest)

Beyond the non-intrusive audit included in every mission, we offer targeted penetration tests with a contractual scope and written Rules of Engagement. Recommended for regulated entities or post-incident.

  • Written RoE, precise scope, agreed test window
  • Black-box, gray-box or white-box tests depending on context
  • CVSS report with reproducible exploitation proofs
  • Retest after remediation included in the package
  • Professional liability insurance and two-way NDA

Why DataSouv

Three differences no other Moroccan agency combines.

Digital agencies treat compliance as a side concern. Lawyers do not touch technical security. DataSouv was built to handle both together, with a peer-to-peer posture.

Security × Compliance × GDPR

Three topics often handled separately, and therefore poorly covered. DataSouv cross-references them in a single report, with a unified remediation plan.

Open audit tool

Instant score across three axes, grounded in the full text of Law 09-08, decree 2-09-165, and recognised security standards. Public methodology.

Technical exemplarity

Our own site applies what we recommend: Mozilla Observatory A+, no third-party trackers, public records of processing, security.txt RFC 9116.

Methodology

Four steps, no magic, no black box

Our approach is documented, reproducible, and auditable. Every finding is tied to a legal article or a recognised security standard.

  1. Mapping

     Inventory of processing activities, sub-processors, data flows, and the legal basis for each one. We separate users / customers / third parties (directories).

  2. Cross audit

     Law 09-08 and decree 2-09-165 compliance + technical security (headers, TLS, attack surface). Findings prioritised by impact × effort.

  3. Remediation plan

     Costed, sequenced document with dependencies and estimates. You know exactly what must be done, by whom, in which order, and how much it costs.

  4. Roll-out & follow-up

     Technical implementation, documentation drafting, CNDP filing. Quarterly or annual recurring audits for regulated organisations.

Founder

Amine Rais

Web developer · Belgian-Moroccan dual national

About

A hybrid profile, at the intersection of:
web development, European GDPR, and Moroccan Law 09-08.

More than 5 years of web development, with a significant share in European contexts where GDPR compliance has been built into the default process since 2018. A Belgian-Moroccan returnee, now back on the Moroccan market after handling these topics from the EU side.

DataSouv starts by applying its own recommendations: F211 and F214 declarations filed with the CNDP in May 2026 (receipt under review), public records of processing, hardened HTTP headers, security.txt.

Patterns observed

Three recurring patterns on the Moroccan web.

These are not client cases — we never name a client case. They are patterns we frequently encounter when publicly observing Moroccan institutional and professional websites.

Recurring pattern

Firms and independents

  • GDPR policy copied from a European template, with no reference to Law 09-08
  • Incomplete legal notice (Trade Register, ICE, publishing director)
  • CNDP receipt rarely displayed even when the declaration was filed
Recurring pattern

E-commerce and B2C SaaS

  • Cookie banner without real choice, trackers loaded before consent
  • Foreign SaaS stack with default hardening only
  • International transfers not framed (no SCC mentioned)
Recurring pattern

Sectoral directories

  • Third-party personal data published without traceable explicit consent
  • No clearly exposed objection mechanism
  • Single policy covering both visitors and listed individuals (must be split)

Do you recognise your site in one of these patterns? The free audit at the top of the page tells you precisely which ones apply to you.

Frequently asked questions

What we are asked most often.

What is the CNDP receipt, and why do I need to display it?
The receipt is the document issued by the CNDP after reviewing a declaration (F211, F214) or an authorisation (F112, F113, F118). It attests that your processing is known and accepted by the authority. Law 09-08 and decree 2-09-165 require informing data subjects about the existence of the declaration: displaying the receipt number on the website is the simplest and clearest way to meet this obligation, and is a free trust signal for your visitors.
If I am based in Morocco but have customers in Europe, do I also need to be GDPR compliant?
Yes. The GDPR applies extraterritorially in several cases (article 3.2): if you offer goods or services to people in the EU, or if you monitor their behaviour. In practice: a Moroccan e-commerce selling in France, a Moroccan SaaS with European users, or a website that retargets the European market must comply with the GDPR in addition to Law 09-08. Our free audit produces a separate score for this axis.
What is the difference between a CNDP audit, a security audit and a GDPR audit?
A CNDP audit assesses legal compliance with the Moroccan framework (policy, notices, records, rights, receipt). A security audit assesses defensive robustness (HTTP headers, TLS, attack surface, email configuration). A GDPR audit assesses compliance with the European regulation. A website can score well on one axis and poorly on others: that is why DataSouv produces three independent scores.
My website runs on Squarespace, Wix or WordPress — are you compatible?
Yes. Most SaaS platforms hosted abroad ship with a fixed default security configuration, so we work on the layer you do control (DNS records, response headers added by a reverse proxy or CDN edge placed in front of the platform, a custom cookie banner, a localised policy) and we explicitly document the transfers outside the EU and Morocco with the applicable clauses.
How much does a full compliance project cost?
The in-depth audit starts at 4,900 MAD incl. tax. Operational compliance roll-out (drafting, configuration, training) is on quote, typically between 15,000 and 50,000 MAD for an SME site depending on size and initial state. CNDP filings (F211/F112/F118/F214/F113) are billed at a flat fee per case. Request a tailored quote via the form at the bottom of the page.
How long does it take to obtain a CNDP receipt in 2026?
Review times vary: 1 to 2 months for a simple F211 declaration, 3 to 6 months for an F118 authorisation (international transfer) or F112 (prior authorisation) depending on case complexity. Article 19 of decree 2-09-165 provides for a tacit acceptance mechanism after prolonged administrative silence, but we advise against relying on it alone without written confirmation from the CNDP.
Contact

Let's talk about your site and your compliance.

Audit, compliance roll-out, CNDP filings, DPO appointment or penetration test: we start with an initial call, no commitment. Strict confidentiality — no client case is ever named, in any communication.

Response time
48 business hours
Initial call
30 minutes, no commitment
Security
security@datasouv.ma — see security.txt

Let's audit your site together.

Free score in 30 seconds, in-depth report on demand, full roll-out if you wish. No sales pressure — we start by looking at the real state of the site.

Initial call, no commitment · Reply within 48 business hours · Strict confidentiality