DATA PROCESSING AGREEMENT (DPA)

Version 1.0 · Effective 01 September 2024
Between:
The Client
(hereinafter the “Controller”)
and
ENRICH CRM SAS
3 Boulevard de Sebastopol, 75001 Paris, France
RCS Paris: 932 510 217 · VAT: FR29932510217
Share capital: €100.00
Represented by Sylvain Charmet, CEO
(hereinafter the “Processor”)

This DPA is incorporated into and forms an integral part of the main agreement between the Client and ENRICH CRM (the “Main Agreement”). In the event of any conflict or inconsistency between the provisions of the Main Agreement and this DPA, the provisions of this DPA shall prevail. This DPA supersedes any previously applicable terms relating to its subject matter.

Processor and Client are each individually referred to as a “Party” and collectively referred to as the “Parties”.

1. DEFINITIONS

  • “GDPR” means the EU General Data Protection Regulation 2016/679.
  • “UK GDPR” means the GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018, read together with the Data Protection Act 2018, each as amended.
  • “Personal Data Regulations” means any applicable law on the protection of personal data, in particular, the GDPR, the UK GDPR, and the French Data Protection Act (Loi n°78-17), as amended.
  • “Standard Contractual Clauses” means the standard contractual clauses for international data transfers as adopted by the European Commission on June 4, 2021 (Commission Implementing Decision (EU) 2021/914).
  • “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under S.119A of the Data Protection Act 2018.

All definitions in Article 4 of the GDPR shall apply to this DPA.

2. PROCESSING SCOPE & ROLES

2.1. Roles of the Parties

The Parties agree that for the processing described in Schedule 1, the Client acts as a Controller and ENRICH CRM acts as a Processor.

2.2. Processor’s Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.3. Processing Details

The subject-matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects are set out in Schedule 1.

3. CONTROLLER’S OBLIGATIONS

The Controller warrants that it has a lawful basis for the processing of Personal Data and that it will maintain a record of its processing activities as required by Article 30 of the GDPR. The Controller is solely responsible for providing necessary notices to data subjects and for obtaining any required consents.

The Controller acknowledges that the Processor is not a system of record for the Controller’s Personal Data and that the Controller’s use of the services does not, by itself, impose on the Processor any statutory obligation to retain any Personal Data.

4. PROCESSOR’S OBLIGATIONS

4.1. Confidentiality

The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2. Security of Processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Schedule 2. The security measures are subject to technical progress and development. The Processor may implement alternative adequate measures, provided that the overall level of security is not thereby reduced.

4.3. Assistance to the Controller

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.

In the event a data subject contacts the Processor directly to exercise their rights, the Processor will forward the request to the Controller without undue delay.

4.4. Other Assistance Obligations

The Processor shall, upon the Controller’s request and at the Controller’s cost, provide reasonable assistance to the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation).

4.5. Deletion or Return of Data

Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

4.6. Demonstrability and Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Any audit shall be:

  • (i) Conducted upon at least 30 days’ prior written notice.
  • (ii) Limited to one per calendar year, unless a prior audit has revealed material non-compliance.
  • (iii) Carried out during regular business hours without interrupting the Processor’s normal operations.

The Controller shall bear all costs related to the audit and shall treat all information obtained during the audit as the Processor’s confidential information.

4.7. Incident Notification

The Processor shall notify the Controller without undue delay and in any case within 48 hours after becoming aware of a Personal Data Breach. Such notification shall include, at a minimum:

  • A description of the nature of the breach.
  • The categories and approximate number of data subjects and data records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to be taken to address the breach.

The Processor shall cooperate with the Controller and take such commercially reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of the breach.

5. SUB-PROCESSING

5.1. General Authorization

The Controller grants a general authorization to the Processor to engage other processors (Sub-processors) for the purposes of providing the services. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes.

5.2. Objection Procedure

The Processor shall notify the Controller of new Sub-processors via its client dashboard or by email. The Controller may object to the appointment of a new Sub-processor within 14 days of such notification on reasonable grounds relating to data protection. If the Parties cannot resolve the objection, the Controller may terminate the part of the service which requires the use of the contested Sub-processor.

5.3. Sub-processor Obligations

The Processor shall impose on its Sub-processors, by way of a binding written contract, the same data protection obligations as set out in this DPA, and shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations, as required by Article 28(4) of the GDPR.

6. INTERNATIONAL DATA TRANSFERS

6.1. Transfer Mechanisms

Where Personal Data is transferred from the EEA to a country outside the EEA that is not subject to an adequacy decision, the transfer shall be governed by the Standard Contractual Clauses, which are incorporated by reference and form an integral part of this DPA. Where Personal Data is transferred from the UK to a country not covered by UK adequacy regulations, the UK Addendum shall apply.

6.2. SCC Specifications

For the purposes of the Standard Contractual Clauses:

  • Module Two (transfer controller to processor) applies, consistent with the roles set out in Section 2.1.
  • The optional docking clause in Clause 7 shall not apply.
  • For Clause 9, Option 2 (general written authorisation) applies, with the notification and objection period set out in Section 5.2.
  • The optional clause in Clause 11(a) for independent dispute resolution is deemed omitted.
  • For Clause 17, Option 1 is selected, and the law of France shall govern.
  • For Clause 18, the courts of France shall have jurisdiction.
  • The competent supervisory authority for the purposes of Annex I.C is the CNIL (Commission Nationale de l’Informatique et des Libertés).
  • The details of the processing and the technical and organisational measures are set out in Schedules 1 and 2 of this DPA, which constitute Annex I and Annex II of the SCCs, respectively.
  • The list of Sub-processors in Schedule 3 of this DPA constitutes Annex III of the SCCs.

7. LIABILITY

The liability of each Party under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Main Agreement. The total liability of the Processor towards the Controller for all data protection claims under this DPA shall not exceed the cap set in the Main Agreement.

8. GOVERNING LAW & JURISDICTION

This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of France. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Paris.

SCHEDULE 1: PROCESSING DETAILS

Nature and Purpose of Processing: Provision of CRM services, data enrichment, and analytics as specified in the Main Agreement.

Categories of Data Subjects:

  • Controller’s customers, prospects, and business partners.
  • Controller’s employees and contractors.

Types of Personal Data:

  • Professional contact details (name, business email, business phone number, social media profiles).
  • Professional information (job title, role, seniority, company name).
  • Any other data the Controller chooses to store or process within the ENRICH CRM service.

Duration of the Processing: Data submitted for enrichment is processed in real time and is not stored by the Processor. Any transient data processed during a request is deleted immediately upon completion of the enrichment service. For the avoidance of doubt, no personal data is retained beyond the immediate processing cycle, and no data remains stored after termination of the Main Agreement. The 30-day post-termination period mentioned elsewhere does not apply to the storage of personal data, as no such storage occurs.

SCHEDULE 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Technical Measures:

  • Encryption: Data at rest is encrypted with AES-256; data in transit is protected with TLS 1.2 or higher. Passwords and API tokens are stored only as salted hashes, never in plaintext.
  • Infrastructure: Hosting on infrastructure covered by a SOC 2 Type II attestation (AWS).
  • Network Security: Protection against unauthorized access (firewalls, intrusion detection).
  • Access Logging: Appropriate logging and monitoring of system access.
  • Vulnerability Management: Regular security updates and patches.

Organisational Measures:

  • Confidentiality: Employee confidentiality agreements and mandatory data protection training.
  • Access Control: Strict role-based access control (RBAC) policies on a need-to-know basis.
  • Incident Response: A formal personal data breach response protocol with a commitment to internal escalation within one hour of detection.
  • Account Management: Password policies, automatic session locking, and deprovisioning of user accounts upon termination of employment or engagement.

SCHEDULE 3: AUTHORIZED SUB-PROCESSORS

The Controller authorizes the use of the following Sub-processors:

Name                      | Service            | Location | Safeguards for International Transfers
Amazon Web Services (AWS) | Cloud Hosting      | USA      | Standard Contractual Clauses + ISO 27001 Certification
Stripe                    | Payment Processing | USA      | Data Privacy Framework (DPF) Certification
PostHog                   | Analytics          | USA      | Standard Contractual Clauses + DPF Certification
Google SERP               | Online Research    | USA      | ISO 27001/27017/27018 + SOC 2/3 + DPF Certification

This document represents the Data Processing Agreement between the Controller and ENRICH CRM SAS. It is effective as of the date specified above and forms an integral part of the Main Agreement between the Parties.