Data Processing Agreement (DPA)
Version 1.1 · Effective 19 March 2026
Between
Controller
The Client
(hereinafter the “Controller”)
Processor
ENRICH CRM SAS
3 Boulevard de Sebastopol, 75001 Paris, France
RCS Paris: 932 510 217 · VAT: FR29932510217
Capital social: 100,00 €
Represented by Sylvain Charmet, CEO
(hereinafter the “Processor”)
The present Appendix DPA is incorporated into and forms an integral part of the main agreement between the Client and ENRICH CRM (the “Main Agreement”). In the event of any conflict or inconsistency between the provisions of the Main Agreement and this DPA, the provisions of this DPA shall prevail. This DPA supersedes any previously applicable terms relating to their subject matter. Processor and Client are each individually referred to as a “Party” and collectively referred to as the “Parties”.
1. DEFINITIONS
- “GDPR” means the EU General Data Protection Regulation 2016/679.
- “UK GDPR” means the Data Protection Act 2018 as amended.
- “Personal Data Regulations” means any applicable law on the protection of personal data, in particular the GDPR, the UK GDPR, and the French Data Protection Act (Loi n°78-17), as amended.
- “Standard Contractual Clauses” means the standard contractual clauses for international data transfers as adopted by the European Commission on June 4, 2021 (Commission Implementing Decision (EU) 2021/914).
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under S.119A of the Data Protection Act 2018.
All definitions in Article 4 of the GDPR shall apply to this DPA.
2. PROCESSING SCOPE & ROLES
2.1. Roles of the Parties
The Parties agree that for the processing described in Schedule 1, the Client acts as a Controller and ENRICH CRM acts as a Processor.
2.2. Processor’s Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.3. Processing Details
The subject-matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects are set out in Schedule 1.
3. CONTROLLER’S OBLIGATIONS
The Controller warrants that it has a lawful basis for the processing of Personal Data and that it will maintain a record of its processing activities as required by Article 30 of the GDPR. The Controller is solely responsible for providing necessary notices to data subjects and for obtaining any required consents.
The Controller acknowledges that its use of the services will not be the sole basis for any statutory obligation of the Processor to maintain any Personal Data.
4. PROCESSOR’S OBLIGATIONS
4.1. Confidentiality
The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2. Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Schedule 2. The security measures are subject to technical progress and development. The Processor may implement alternative adequate measures.
4.3. Assistance to the Controller
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR. In the event a data subject contacts the Processor directly to exercise their rights, the Processor will forward the request to the Controller without undue delay.
4.4. Other Assistance Obligations
The Processor shall, upon the Controller’s request and at the Controller’s cost, provide reasonable assistance to the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation).
4.5. Deletion or Return of Data
Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
4.6. Demonstrability and Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Any audit shall be:
- (i) Conducted upon at least 30 days’ prior written notice.
- (ii) Limited to one per calendar year, unless a prior audit has revealed material non-compliance.
- (iii) Carried out during regular business hours without interrupting the Processor’s normal operations.
The Controller shall bear all costs related to the audit and shall treat all information obtained during the audit as the Processor’s confidential information.
4.7. Incident Notification
The Processor shall notify the Controller without undue delay and in any case within 48 hours after becoming aware of a Personal Data Breach. Such notification shall include, at a minimum: a description of the nature of the breach; the categories and approximate number of data subjects and data records concerned; the likely consequences of the breach; the measures taken or proposed to be taken to address the breach. The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of the breach.
5. SUB-PROCESSING
5.1. General Authorization
The Controller grants a general authorization to the Processor to engage other processors (Sub-processors) for the purposes of providing the services. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes.
5.2. Objection Procedure
The Processor shall notify the Controller of new Sub-processors via its client dashboard or email. The Controller may object to the appointment of a new Sub-processor within 14 days of such notification on reasonable grounds relating to data protection. If the Parties cannot resolve the objection, the Controller may terminate the part of the service which requires the use of the contested Sub-processor.
5.3. Sub-processor Obligations
The Processor shall impose on its Sub-processors the same data protection obligations as set out in this DPA by way of a binding written contract.
6. INTERNATIONAL DATA TRANSFERS
6.1. Transfer Mechanisms
Where Personal Data is transferred from the EEA to a country outside the EEA that is not subject to an adequacy decision, the transfer shall be governed by the Standard Contractual Clauses, which are incorporated by reference and form an integral part of this DPA. Where Personal Data is transferred from the UK, the UK Addendum shall apply.
6.2. SCCs Specifications
For the purposes of the Standard Contractual Clauses:
- The optional docking clause in Clause 7 shall not apply.
- The optional clause in Clause 11(a) for independent dispute resolution is deemed omitted.
- For Clause 17, Option 1 is selected, and the law of France shall govern.
- For Clause 18, the courts of France shall have jurisdiction.
- The competent supervisory authority for the purposes of Annex I.C is the CNIL (Commission Nationale de l’Informatique et des Libertés).
- The details of the processing and the technical and organisational measures are set out in Schedules 1 and 2 of this DPA.
- The list of Sub-processors in Schedule 3 of this DPA constitutes Annex III of the SCCs.
7. LIABILITY
The liability of each Party under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Main Agreement. The total liability of the Processor towards the Controller for all data protection claims under this DPA shall not exceed the cap set in the Main Agreement.
8. GOVERNING LAW & JURISDICTION
This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of France. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Paris.
Schedules
SCHEDULE 1: PROCESSING DETAILS
Nature and Purpose of Processing: Provision of CRM services, data enrichment via SERP/LLM, and analytics as specified in the Main Agreement.
Categories of Data Subjects: Controller’s customers, prospects, and business partners; Controller’s employees and contractors.
Types of Personal Data: Professional contact details (name, business email, business phone number, social media profiles); Professional information (job title, role, seniority, company name); Any other data the Controller chooses to store or process within the ENRICH CRM service.
Processing flow (enrichment pipeline)
The following describes how enrichment requests are processed and at which step each sub-processor is involved.
Step 1
Client sends identifiers
The client submits one or more of the 13 supported identifiers. Supplying more identifiers increases enrichment accuracy.
- Contact identifiers: email, firstName, lastName, fullName, contactLinkedinUrl, contactLinkedinSalesNavUrl, contactLinkedinSalesNavId
- Company identifiers: domain, companyName, companyLinkedinUrl, companyLinkedinSalesNavUrl, companyLinkedinId, companyLinkedinSalesNavId
Step 2
SERP queries
Sub-processor: Google SERP API · 🇪🇺 EU servers
We query the Google SERP API — a GDPR-compliant sub-processor running on EU servers — with search queries built from the submitted identifiers (name, company, domain). The response is a ranked list of public URLs. Email and numeric IDs are never included in queries.
Step 3
Public pages visited (logged-out)
No session · No cookies
Each URL is opened in a logged-out browser context on our AWS EU infrastructure. No personal session, no tracking cookies. Only the publicly visible HTML content is read — exactly what any anonymous visitor would see.
Step 4
In-house LLM processes
Sub-processor: AWS EU · Paris
Our proprietary LLM (hosted on AWS EU, Paris) reads the page content, extracts relevant data points, standardises them, and scores confidence — entirely in memory. Nothing is written to disk at this stage.
Step 5
Result returned + log written
Sub-processor: PostHog · 🇪🇺 EU
The structured enrichment result is returned directly to the client’s tool (HubSpot, Clay, CSV, API). Nothing is stored on our servers. A minimal log event is written to PostHog: input identifiers submitted + client email + success/fail outcome. The enrichment output is never logged.
Data minimisation by design: enrichment data is never written to disk during processing. The LLM reads page content in-memory, returns the result, and discards it. The only trace is a minimal log in PostHog (identifiers submitted + client email + success/fail outcome) — no enriched output is stored.
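As an added illustration (example code, not ENRICH CRM's own implementation) of the two minimisation rules the flow above states for Steps 2 and 5: a query builder that drops the email and numeric IDs before anything reaches the SERP sub-processor, and a log-event builder that has no way to receive the enrichment output. The `extract` callable and `fake_extract` are constructed stand-ins for the SERP, page-read and LLM steps, and which identifiers count as "numeric IDs" is an assumption made here.

```python
from typing import Any, Callable

# The 13 supported identifiers from Step 1 (names as listed on the page).
CONTACT_IDS = {"email", "firstName", "lastName", "fullName", "contactLinkedinUrl",
               "contactLinkedinSalesNavUrl", "contactLinkedinSalesNavId"}
COMPANY_IDS = {"domain", "companyName", "companyLinkedinUrl", "companyLinkedinSalesNavUrl",
               "companyLinkedinId", "companyLinkedinSalesNavId"}
SUPPORTED = CONTACT_IDS | COMPANY_IDS
# Step 2 rule: the email and the numeric IDs never reach the SERP sub-processor
# (which keys count as "numeric IDs" is an assumption made for this example).
QUERY_EXCLUDED = {"email", "contactLinkedinSalesNavId", "companyLinkedinId",
                  "companyLinkedinSalesNavId"}
# Step 5 rule: the PostHog event carries exactly these three fields, nothing else.
LOG_KEYS = {"identifiers", "client_email", "outcome"}

def validate_identifiers(raw: dict[str, Any]) -> dict[str, str]:
    """Step 1: keep supported, non-empty identifiers; reject unknown keys up front."""
    unknown = set(raw) - SUPPORTED
    if unknown:
        raise ValueError(f"unsupported identifiers: {sorted(unknown)}")
    return {k: str(v).strip() for k, v in raw.items() if v is not None and str(v).strip()}

def build_serp_query(ids: dict[str, str]) -> str:
    """Step 2: search terms are built from name, company and domain only."""
    return " ".join(v for k, v in ids.items() if k not in QUERY_EXCLUDED)

def build_log_event(ids: dict[str, str], client_email: str, success: bool) -> dict[str, Any]:
    """Step 5: the only persisted trace. There is deliberately no parameter for the result."""
    event = {"identifiers": dict(ids), "client_email": client_email,
             "outcome": "success" if success else "fail"}
    # Schema guard: nothing beyond the three agreed fields can be logged.
    assert set(event) == LOG_KEYS and set(event["identifiers"]) <= SUPPORTED
    return event

def run_request(raw: dict[str, Any], client_email: str,
                extract: Callable[[str], dict]) -> tuple[dict, dict]:
    """Steps 1-5 end to end. `extract` stands in for SERP + page read + LLM (Steps 2-4)."""
    ids = validate_identifiers(raw)
    try:
        result = extract(build_serp_query(ids))  # held in memory only, never written
    except Exception:
        result = {}
    event = build_log_event(ids, client_email, bool(result))
    return result, event

def fake_extract(query: str) -> dict:
    """Constructed stand-in for the in-house LLM: echoes the query it was given."""
    return {"jobTitle": "Head of Sales", "query_seen": query} if query else {}
```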
Duration of the Processing:
Personal data is processed in real-time for the purpose of enrichment. Enrichment data and LLM processing are performed in-memory only and are not stored by the Processor. Any transient data processed during a request is immediately deleted upon completion of the enrichment service. For the avoidance of doubt, no personal data is retained beyond the immediate processing cycle.
SCHEDULE 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Technical Measures
- Encryption: AES-256 encryption for data at rest and in transit (TLS 1.2+).
- Infrastructure: Hosting on ISO 27001 and SOC 2 Type II certified infrastructure (AWS Europe - Paris Region).
- Network Security: Protection against unauthorized access (firewalls, intrusion detection).
- Access Logging: Appropriate logging and monitoring of system access.
- Vulnerability Management: Regular security updates and patches.
Organisational Measures
- Confidentiality: Employee confidentiality agreements and mandatory data protection training.
- Access Control: Strict role-based access control (RBAC) policies on a need-to-know basis.
- Incident Response: A formal personal data breach response protocol with <1 hour escalation commitment.
SCHEDULE 3: AUTHORIZED SUB-PROCESSORS
| Sub-processor | Role | Location | Safeguards | Enrichment data? |
|---|---|---|---|---|
| AWS Europe | Infrastructure & LLM processing | 🇪🇺 EU (Paris) | ISO 27001 + SOC 2 | In-memory only — not stored |
| Google SERP API | SERP — search queries | 🇪🇺 EU servers | GDPR compliant | Search queries (name, company, domain) |
| PostHog | Analytics & enrichment logs | 🇪🇺 EU | EU data residency | Input identifiers + success/fail |
| HubSpot | Internal CRM & emails | 🇪🇺 EU residency | SCCs + DPF | No |
| Google Workspace | Internal email & files | 🇺🇸 USA | SCCs + DPF | No |
| Segment | Event tracking CDP | 🇺🇸 USA | SCCs + DPF | No |
| Chargebee | Subscription management | 🇺🇸 USA | SCCs + ISO 27001 | No |
| Stripe | Payment collection | 🇺🇸 USA | PCI-DSS L1 + DPF | No |
| Intercom | Support chat | 🇺🇸 USA | SCCs + DPF | No |
| Slack | Internal team messaging | 🇺🇸 USA | SCCs + DPF | No |
This document represents the Data Processing Agreement between the Controller and ENRICH CRM SAS. It is effective as of the date specified above and forms an integral part of the Main Agreement between the Parties.