Data Processing Agreement (DPA)

The processor processes personal data transmitted by the controller solely for the purpose of database anonymization in the context of the subscribed service.

Processing consists of connecting to source databases provided by the customer, reading the data, transforming it according to anonymization rules configured by the customer, and writing to the target database designated by the customer. No full copy is retained by the processor beyond the job execution duration.

Data categories are determined by the customer through the content of databases connected to the service. The customer is solely responsible for the legality of these processings and for informing the data subjects.

The processor commits to: process data per documented instructions from the controller; ensure confidentiality of authorized persons; implement appropriate technical and organizational measures (GDPR article 32); notify the controller of any breach within 48 hours of discovery; assist the controller in complying with its obligations.

The processor may use sub-processors (host, transactional email) whose up-to-date list is available on request. Any change is subject to prior notification to the customer with possibility of motivated objection.

All processing is performed within the European Union. No transfer outside the EU is made. The processor is not subject to the US CLOUD Act or equivalent extraterritorial provisions.

Upon contract expiration, the processor returns or deletes processed data within 30 days, at the customer's choice. Pseudonymized technical logs are retained for 12 months for security and diagnostic purposes.

The customer may, under conditions set out in the service contract, request an annual audit or have an audit performed by an independent third party. Certification reports (ISO 27001 planned) are made available as they are obtained.