DATA PROCESSING AGREEMENT (DPA)

Version 1.0 · Effective 01 September 2024

Between:
The Client (hereinafter the “Controller”)
and
ENRICH CRM SAS
3 Boulevard de Sebastopol, 75001 Paris, France
RCS Paris: 932 510 217 · VAT: FR29932510217
Share capital: 100,00 €
Represented by Sylvain Charmet, CEO
(hereinafter the “Processor”)

PREAMBLE

This DPA forms an integral part of the Main Agreement between the Parties. In case of conflict between this DPA and the Main Agreement, this DPA prevails. This agreement supersedes all prior data processing terms.

1. DEFINITIONS

  • “GDPR”: Regulation (EU) 2016/679

  • “UK GDPR”: The Data Protection Act 2018 as amended

  • “Personal Data Regulations”: GDPR + French Data Protection Act (Loi n°78-17)

  • “EEA”: European Economic Area

  • All terms from Article 4 GDPR apply

2. PROCESSING SCOPE & ROLES

2.1 Roles
  • Controller determines purposes/means of processing

  • Processor acts exclusively on Controller’s documented instructions

2.2 Processing Details

As described in Schedule 1: CRM services, data enrichment, analytics

3. CONTROLLER OBLIGATIONS

3.1 Compliance

Controller warrants lawful basis for processing and maintenance of processing records

4. PROCESSOR OBLIGATIONS

4.1 Core Requirements
  • Process data only per instructions

  • Ensure confidentiality through employee NDAs

  • Implement security measures per Schedule 2

4.2 Incident Management

Notify Controller within 48 hours of breach discovery

4.3 Data Deletion

Delete all data within 30 days post-termination

5. SUB-PROCESSING

5.1 Authorization

Controller approves Sub-processors listed in Schedule 3

5.2 Change Procedure
  • Notification via client dashboard

  • 14-day objection period

6. INTERNATIONAL DATA TRANSFERS

6.1 Transfer Mechanisms
  • Transfers outside EEA: EU Standard Contractual Clauses (2021/914)

  • Transfers outside UK: UK International Data Transfer Addendum

6.2 SCCs Specifications

Clause              | Selection
--------------------|----------------
Governing Law       | French Law
Jurisdiction        | Courts of Paris
Competent Authority | CNIL

7. AUDITS & COMPLIANCE

Annual audit rights with 30 days’ notice · Costs borne by Controller

8. LIABILITY & TERM

Liability capped at the contract value.

9. GOVERNING LAW & JURISDICTION

French Law · Exclusive jurisdiction of Paris Commercial Court

SCHEDULE 1: PROCESSING DETAILS

Element         | Description
----------------|---------------------------------------------
Nature/Purpose  | CRM services, data enrichment, analytics
Data Categories | Professional contact details, company info
Data Subjects   | Controller’s customers, employees, prospects
Retention       | Service duration + 30 days

SCHEDULE 2: SECURITY MEASURES

Technical:

  • AES-256 encryption for login credentials and tokens

  • SOC 2 Type II certified infrastructure

Organizational:

  • Employee confidentiality agreements

  • Access control policies (RBAC)

  • Breach response protocol (<1h escalation)

SCHEDULE 3: SUB-PROCESSORS

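Name        | Service            | Location | Safeguards
------------|--------------------|----------|--------------------------------------
AWS         | Cloud Hosting      | USA      | SCCs + ISO 27001
Stripe      | Payment Processing | USA      | DPF Certification
PostHog     | Analytics          | USA      | SCCs + DPF
Google SERP | Online research    | USA      | ISO 27001/27017/27018 + SOC 2/3 + DPF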