Web Agency — Axel REGNOULT
Data Processing Agreement (DPA)
Contents
- Preamble
- Article 1 — Parties and qualification
- Article 2 — Purpose, nature and duration of the processing
- Article 3 — Categories of data and data subjects
- Article 4 — Documented instructions of the Controller
- Article 5 — Confidentiality of personnel
- Article 6 — Technical and organisational measures
- Article 7 — Sub-processors
- Article 8 — Rights of data subjects
- Article 9 — Incident notification
- Article 10 — Audit
- Article 11 — Fate of data at the end of the contract
- Article 12 — Record of activities (GDPR art. 30)
- Article 13 — Transfers outside the EU
- Article 14 — Governing law and jurisdiction
Preamble
This Data Processing Agreement ("DPA") constitutes the contractual annex required by article 28 of Regulation (EU) 2016/679 of 27 April 2016 ("GDPR"). It governs the processing of personal data carried out by Axelo on behalf of a professional Customer (B2B) within the framework of the contracted Services.
The DPA supplements the GTCS, the SaaS GST and the Privacy Policy. In the event of any inconsistency regarding data protection matters, the DPA prevails.
Article 1 — Parties and qualification
Data Controller — the Customer, the legal entity or professional natural person having subscribed to the Axelo Services, which determines the purposes and means of processing the personal data of its own users, customers, employees or contacts.
Processor — Axel REGNOULT, operating under the trade name Axelo (SIRET 895 214 989 00017 — 128 rue de la Boétie, 75008 Paris, France — legal@web-agency.app), who processes personal data on behalf of the Data Controller and exclusively according to the latter's instructions.
Article 2 — Purpose, nature and duration of the processing
- Purpose: provision of the Axelo Services (creation, hosting, maintenance of websites, SaaS, development services, technical support) involving the processing of personal data for which the Customer is the Controller.
- Nature: operations of collection, recording, organisation, structuring, storage, consultation, modification, retrieval, deletion, backup and destruction of data, as well as any technical operation necessary for the provision of the Services.
- Finality: performance of the main contract and provision of the Services to the Data Controller.
- Duration: for the entire duration of the main contract and until the data is processed in accordance with article 11 of this DPA.
Article 3 — Categories of data and data subjects
The categories of data processed and of data subjects depend on the Controller's configuration of the Services. By way of guidance, they include:
- Data subjects: users, customers, prospects, employees, professional contacts of the Data Controller.
- Categories of data: identity (surname, first name), contact details (email, telephone, postal address), connection data (logs, IP address), transactional data, browsing data, content entered in forms, technical metadata.
- Special categories: no sensitive data within the meaning of article 9 of the GDPR is processed unless on the express prior written instruction of the Controller, accompanied by a data protection impact assessment (DPIA).
Article 4 — Documented instructions of the Controller
The Processor processes personal data only on the documented instructions of the Controller (art. 28.3.a GDPR), including with regard to transfers to a third country or an international organisation.
The Controller's initial instructions are reflected in the main contract, the GTCS, the SaaS GST and the chosen configuration of the Services. Any additional instruction is sent in writing to legal@web-agency.app.
The Processor immediately informs the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
Article 5 — Confidentiality of personnel
The Processor ensures that persons authorised to process personal data are under an obligation of confidentiality, contractual or statutory (art. 28.3.b GDPR), and that they have received the necessary training in data protection.
Article 6 — Technical and organisational measures
In accordance with article 32 of the GDPR, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular:
- Encryption: TLS 1.2+ in transit (HTTPS), AES-256 or equivalent at rest for data stored on Google Cloud Platform (Firestore, Cloud Storage);
- Isolation: logical separation of data between Customers, role-based access controls (RBAC), strong authentication (2FA) for administrator accounts;
- Logging: access and operation logs kept for a minimum of six (6) months to enable incident detection and audit;
- Backups: daily encrypted backups with thirty (30) day retention, restoration tested periodically;
- Updates: regular application of security patches to all software components;
- Resilience: Google Cloud infrastructure europe-west4 with multi-zone redundancy (cf. BCP).
Article 7 — Sub-processors
The Controller hereby authorises the Processor to engage sub-processors for the performance of the Services. This constitutes a general written authorisation within the meaning of art. 28.2 of the GDPR.
As of the date hereof, the main sub-processors are:
- Google Ireland Limited / Google Cloud EMEA Limited (Dublin, Ireland) — hosting, computing, database, storage (europe-west4 region, Netherlands);
- Cloudflare, Inc. (San Francisco, USA — EU entity: Cloudflare Germany GmbH) — CDN, DDoS protection, managed DNS;
- Stripe Payments Europe, Ltd. (Dublin, Ireland) — bank card payment processing;
- Resend, Inc. or equivalent provider — sending of transactional emails (EU region).
The Processor informs the Controller of any plan to add or replace a sub-processor by written notice at least thirty (30) days before the effective date. The Controller has this period to file a reasoned objection. Failing objection within this period, the addition is deemed accepted. In the event of a persistent objection, the Controller may terminate the main contract without penalty under the conditions provided for in the GTCS.
The Processor imposes on each sub-processor, by contract, data protection obligations equivalent to those of this DPA. It remains fully liable for the performance by the sub-processor of its obligations.
Article 8 — Rights of data subjects
The Processor assists the Controller, by appropriate technical and organisational measures, insofar as possible, to enable the Controller to respond to requests for the exercise of data subjects' rights (access, rectification, erasure, restriction, portability, objection, withdrawal of consent).
Where a request is addressed directly to the Processor, the Processor forwards it to the Controller without delay and does not respond to it without written instruction from the latter.
Article 9 — Incident notification
In accordance with article 33.2 of the GDPR, the Processor notifies the Controller of any personal data breach without undue delay, and at the latest within seventy-two (72) hours after becoming aware of it.
The notification is sent by email to the contact address provided by the Controller and specifies, insofar as possible:
- the nature of the breach and the categories and approximate number of data subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address it, including to mitigate any possible adverse effects;
- the contact details of the point of contact for obtaining further information.
Article 10 — Audit
The Processor makes available to the Controller all the information necessary to demonstrate compliance with the obligations of article 28 of the GDPR and to allow the carrying out of audits, including inspections, by the Controller or by an independent third-party auditor mandated by it.
Audits are organised upon written request from the Controller, with reasonable notice of at least thirty (30) days, on-site or by documentary means, and limited to one (1) audit per year, save in the event of a proven incident. Audit costs are borne by the Controller, except where the audit reveals a substantial breach by the Processor of its obligations.
The third-party auditor signs a confidentiality undertaking beforehand. The audit may not infringe the confidentiality of the data of the Processor's other customers.
Article 11 — Fate of data at the end of the contract
At the end of the service, and at the Controller's choice expressed in writing within thirty (30) days of the end of the contract, the Processor:
- returns to the Controller all personal data in an open and reusable format; or
- irreversibly deletes all personal data and existing copies.
Failing written instruction from the Controller within the period allotted, the Processor proceeds with irreversible deletion. Backups are overwritten by rotation according to the cycle defined in the BCP.
The Processor may retain certain data strictly necessary to comply with a legal obligation (accounting, anti-money laundering, etc.), for the period provided for by law.
Article 12 — Record of activities (GDPR art. 30)
The Processor maintains a record of processing activities carried out on behalf of the Controller, in accordance with article 30.2 of the GDPR. This record is made available to the Controller and to the supervisory authority (CNIL) at their written request.
Article 13 — Transfers outside the EU
The main processing operations are carried out within the European Economic Area (Google Cloud region europe-west4, Netherlands).
Any transfers to the United States (Cloudflare, Google technical support, etc.) are governed by the Data Privacy Framework (DPF) EU — United States adopted in July 2023, supplemented by the European Commission's Standard Contractual Clauses (SCC) of 4 June 2021 where the sub-processor is not DPF-certified.
Article 14 — Governing law and jurisdiction
This DPA is governed by French law and by the GDPR. Any dispute relating to its interpretation or performance falls within the exclusive jurisdiction of the Paris Commercial Court, notwithstanding multiple defendants or warranty claims.
Data subjects have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL).
Last updated: 06/06/2026