Data Processing Agreement
Official Deciris legal documents.
Data Processing Agreement (DPA)
Last updated: 12/02/2026
1. Preamble
This Data Processing Agreement (“DPA”) is an integral part of the General Conditions of Use (“CGU”) and, where applicable, of any specific contract signed between the Parties (together, the “Main Contract”) concluded between Deciris (SASU) (“Subcontractor”) and the Client (“Data Controller”).
This Appendix defines the conditions under which Deciris carries out, on behalf of the Client, Processing Operations as part of the provision of the Service. In the event of a contradiction between the provisions of the Main Contract and those of this DPA, the provisions of this DPA will prevail.
By subscribing to or using the Service, the Data Controller accepts this DPA. This DPA applies to the extent that the Processor processes Personal Data on behalf of the Data Controller in the context of providing the Service.
2. Definitions
- “Data Protection Impact Assessment” or “DPIA” (“AIPD”): Means a data protection impact assessment within the meaning of Article 35 of the GDPR.
- “Supervisory Authority”: Refers to an independent public authority responsible for monitoring the application of the Applicable Regulations, in particular the CNIL in France.
- “Standard Contractual Clauses” or “CCT / SCC”: Refers to the standard contractual clauses adopted by the European Commission to regulate certain transfers of Personal Data to third countries.
- “Personal Data”: Refers to any information relating to an identified or identifiable natural person, within the meaning of Article 4(1) of the GDPR.
- “European Economic Area” or “EEA”: Refers to the member states of the European Union as well as Iceland, Liechtenstein and Norway.
- “Authorized Users”: Refers to the people authorized by the Customer to access the Service, in particular its employees and service providers.
- “Personal Data Breach”: Refers to a security breach resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of Personal Data transmitted, stored or otherwise processed, or unauthorized access to such Personal Data, within the meaning of Article 4(12) of the GDPR.
- “Applicable Regulations”: Refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”), law n°78-17 of January 6, 1978 known as “Informatique et Libertés”, as well as any legal or regulatory provision in force in France relating to the protection of Personal Data.
- “Processing Operations” or “Processing”: Refers to any operation or set of operations carried out on Personal Data, such as collection, recording, organization, conservation, adaptation, consultation, use or destruction.
- “Data Subject” (or “Concerned Person”): Refers to an identified or identifiable natural person to whom the Processing Operations carried out within the framework of the Service relate.
- “Data Controller” (or “Processing Manager”): Refers to the Client, who determines the purposes and means of the Processing.
- “Processor” (or “Subcontractor”): Refers to Deciris, when it processes Personal Data on behalf of the Client.
- “Sub-processor” (or “Subsequent Subcontractor”): Refers to any other processor engaged by Deciris to carry out specific processing activities on behalf of the Client.
- “Service”: The software as a service (SaaS) provided by Deciris as defined in the Main Contract.
3. Processing Details
- Subject: Provision of the Deciris web application for creating models, carrying out inspections and analyzing the results.
- Duration:
  - Processing on behalf of the Client: The duration of the Main Contract.
  - After the end of the Main Contract: Subject to Article 4.8, the Processor shall return or delete the Personal Data processed on behalf of the Client within a reasonable period of time, in principle within thirty (30) days, it being specified that:
    - residual copies may remain in backups for a limited period, until overwritten according to the applicable backup cycle; and
    - certain strictly necessary technical and security logs (in particular authentication, administrator access and export logs) may be kept for a limited period, in principle up to three (3) years, unless an applicable legal obligation or litigation requires otherwise.
- Nature and Purposes:
  - Provision of the Service: Storage, retrieval and calculation of data for the creation of models, carrying out inspections and generating reports at the request of the Client.
  - Assistance in the creation/modification of models (AI): At the request of an Authorized User, generation and/or modification of models (checklists, questionnaires, etc.) based on instructions provided by the Authorized User, which may include free text and, where applicable, the content of an uploaded file (e.g. PDF), for the sole purpose of creating/modifying models. The Service is not intended to analyze Participants' responses via this functionality.
  - Contract Management: Administrative, commercial and financial management of the relationship with the Client.
- Categories of Data Subjects:
  - Authorized Users of the Client (employees, contractors).
  - Participants (respondents) invited by the Client to complete questionnaires, including when the Client distributes a link to access the questionnaire to a wider audience (general public).
- Types of Personal Data:
  - Identification data (name, email address, IP address, connection credentials).
  - Professional data (job title, organization).
  - Any other personal data included by the Data Controller or Participants in the free text fields of the questionnaires.
  - Any personal data potentially included by an Authorized User in the instructions (free text) and/or in an uploaded file (e.g. PDF) as part of the model creation/modification assistance functionality (AI).
The use of the Service by the Customer for purposes or types of data other than those appearing in this article is strictly prohibited without prior written agreement and a specific contract concluded with Deciris. The Client undertakes in particular to respect the sectoral restrictions defined in the T&Cs (e.g.: specific banking or medical data). Deciris declines all liability in the event of the Client's failure to comply with this prohibition.
4. Obligations of the Subcontractor
4.1. Processing Instructions
The Processor will only process Personal Data on documented instructions from the Data Controller (which include the Main Contract and the use of the features of the Service), unless required to do so by applicable law. In this case, the Processor will inform the Data Controller of this legal obligation before processing, unless prohibited by law. The Processor will inform the Data Controller if, in its opinion, an instruction constitutes a violation of the GDPR.
4.2. Confidentiality
The Processor guarantees that the persons authorized to process the Personal Data have undertaken to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
4.3. Security Measures (Article 32)
The Processor implements appropriate technical and organizational measures to guarantee a level of security appropriate to the risk. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest (encrypted storage volumes).
- Access controls and authentication for Subcontractor personnel.
- Regular backups and disaster recovery procedures.
- Regular testing and evaluation of the effectiveness of security measures.
However, given the very nature of the public network that is the Internet, the Data Controller recognizes and accepts that the absolute security of transmissions via the Internet and the total integrity of Personal Data cannot be guaranteed, despite all the precautions taken.
4.4. Sub-processing
The Data Controller grants general authorization to the Processor to engage Sub-processors.
- Current Sub-processors:
  - DigitalOcean (hosting/infrastructure, Amsterdam, Netherlands).
  - MongoDB Atlas (database and backups, Paris, France).
  - Agora (video conferencing integrated into the Service: audio/video streams and associated metadata, including IP addresses and technical identifiers; Agora does not permanently store streams and only retains streaming data for caching purposes for transmission).
  - Mailjet (sending emails, processing within the EU only on Google Cloud, Frankfurt (Germany) and Saint-Ghislain (Belgium) regions).
  - Anthropic (AI provider: processing of instructions provided by Authorized Users and, where applicable, the content of an uploaded file (e.g. PDF) for the sole purpose of generating/modifying models; country of processing: United States; transfers governed by CCT/SCC).
- Changes: The Processor will inform the Data Controller of any planned changes regarding the addition or replacement of Sub-processors. The Data Controller has a period of ten (10) days from this information to formulate its objections in writing. The absence of objection within this period constitutes tacit acceptance of the new Sub-processor.
- Right of termination: In the event of a legitimate objection from the Data Controller not allowing the continuation of the Service, Deciris reserves the right to terminate the Contract by simple written notification, without compensation.
- Responsibility: The Processor remains fully responsible towards the Data Controller for the performance of the obligations of the Sub-processor.
4.5. Rights of Data Subjects
The Client, as Data Controller, is the main point of contact with Data Subjects for the exercise of their rights. Taking into account the nature of the processing, the Processor will assist the Data Controller, through appropriate technical and organizational measures, as far as possible, to fulfill its obligation to comply with requests to exercise the rights of Data Subjects (e.g. access, rectification, erasure).
4.6. Compliance Assistance
The Processor will assist the Data Controller in meeting its obligations regarding processing security, data breach notification and data protection impact assessments (DPIAs), taking into account the nature of the processing and the information available to the Processor.
Any request for assistance exceeding the Subcontractor's legal obligations or modifying the initial instructions may be subject to a specific prior estimate. Deciris reserves the right to invoice the Customer for the provision of assistance services for any excessive, repetitive or disproportionate request.
4.7. Data Breaches
The Processor will notify the Data Controller without undue delay after becoming aware of a Personal Data Breach affecting the Data Controller's data and, if possible, within seventy-two (72) hours. Unless otherwise instructed by the Data Controller, the Processor sends this notification by email to the contact(s) designated by the Data Controller for contractual and/or security communications.
This notification will contain, if possible:
- A description of the nature of the Breach;
- The categories and approximate number of Data Subjects concerned;
- The categories and approximate number of Personal Data records concerned.
The Data Controller is responsible for notifying the Breach to the CNIL (or any other competent supervisory authority) as soon as possible and, if possible, no later than 72 hours after becoming aware of it. It is also its responsibility to inform the Data Subjects if the Breach is likely to create a high risk for their rights and freedoms.
4.8. Deletion or Return of Data
At the option of the Data Controller, the Processor will delete or return all Personal Data to the Data Controller after the end of the provision of services.
- General terms: The data is returned in a standard format (in particular text and/or spreadsheet format, or structured formats such as CSV/JSON, as well as associated media if applicable). Any request for conversion into a complex format may be subject to a prior quote.
- Scope (exportable data): The Data stored by the Service and exportable on request includes in particular: (a) models/templates; (b) inspections/questionnaires; (c) Participants’ responses; and (d) associated media where applicable. The generated reports are not stored on Deciris servers and are not part of the exportable data.
- Reversibility procedure (if requested by the Client):
  - The Client sends a formal request for reversibility or destruction, by email with acknowledgment of receipt, within twenty (20) days following the date of termination or the end of the Main Contract.
  - The request specifies, for each type of Data, the solution chosen (destruction, transfer, media) within a reversibility plan.
  - After validation of the reversibility plan, Deciris proceeds with return/destruction actions according to the agreed plan.
  - The actions are carried out within thirty (30) days after validation of the plan and, in any event, no later than three (3) months after the termination or end of the Main Contract.
  - A processing confirmation is sent by email with acknowledgment of receipt; any media are provided in usable digital form.
- Destruction: Deciris will destroy existing copies, unless applicable law requires the retention of an archive (see Article 3) and subject to the existence of residual copies in backups until they expire.
- Backups (information): As of the last update date of this DPA, MongoDB Atlas backups are organized according to the following retention scheme: snapshots every 6 hours retained for 7 days; weekly snapshots (every Saturday) kept for 4 weeks; monthly snapshots (last day of the month) kept for 12 months; annual snapshot (December 1) kept for 1 year. Different service levels (e.g. more frequent backups) may be provided for by specific contract.
4.9. Audits
The Processor will make available to the Data Controller the information necessary to demonstrate compliance with its obligations and will allow audits to be carried out, within the limit of one (1) audit per contractual year. Any additional audit request beyond this limit may be the subject of a separate written agreement between the Parties, defining the applicable financial terms and conditions.
- Conditions of the Audit: The audit may be carried out by the Data Controller or an independent auditor, not in competition with Deciris, previously accepted by the latter and subject to a strict obligation of confidentiality.
- Notice and Procedure: A minimum notice of fifteen (15) working days is required. The audit is carried out during Deciris's opening hours and must not disrupt its activity. It does not include access to trade secrets, R&D or data unrelated to this Agreement.
- Fees: The Data Controller is responsible for all costs of the audit and reimburses Deciris for the expenses and time spent by its staff in assisting with the audit, at the rate of one hundred (100) euros per hour.
4.10. Data Protection Officer
Deciris will communicate to the Data Controller the contact details of its Data Protection Officer (DPO) if such an officer has been designated or is required by the Applicable Regulations. Failing this, the Data Controller may contact Deciris at the following address: rgpd@deciris.app.
5. International Transfers
The Processor stores the data primarily within the European Economic Area (EEA).
In the course of providing the Service, certain Sub-processors may process Personal Data outside the EEA (e.g. in the United States). In this case, the Processor ensures that appropriate safeguards are put in place in accordance with the Applicable Regulations:
- the conclusion of Standard Contractual Clauses (CCT / SCC); and/or
- the application of an adequacy decision from the European Commission, where applicable.
At the reasonable request of the Data Controller, the Processor will make available useful information relating to the applicable safeguards.
As of the last update date of this DPA, transfers outside the EEA may occur via certain Sub-processors (e.g. Agora and Anthropic) depending on the functionalities used and the configuration. For these transfers, the Processor relies on the CCT / SCC (and, where applicable, on any other applicable safeguard provided for by the Applicable Regulations).
6. Common obligations of the Parties
6.1. Compliance with Applicable Regulations
Each Party undertakes, for the Processing Operations for which it is responsible, to:
- Carry out all required formalities with the competent supervisory authority (CNIL in France);
- Guarantee that the Personal Data transmitted to the Processor is processed on a valid legal basis and that its retention period has not expired at the time of transmission;
- Implement the required evaluation and monitoring procedures (keeping a register, impact analyses, etc.);
- Respect the rights of Data Subjects (information, access, rectification, deletion).
Each Party keeps a record of all Processing Operations carried out. This register contains at least the mandatory information required by the Applicable Regulations and is made available to the supervisory authority upon request.
6.2. Confidentiality and Reciprocal Information
Each Party considers all Personal Data exchanged under the Contract to be strictly confidential.
Each Party undertakes to inform the other Party as soon as possible of any event likely to constitute a security breach, a breach of the Applicable Regulations or a risk for the Data Subjects.
6.3. Regulatory Collaboration
In the event of a modification of the Applicable Regulations, the Parties undertake to collaborate to agree on any necessary updates to this DPA in order to ensure its continued compliance.
7. Recipients of Personal Data
As part of the execution of the Service, Deciris may communicate Personal Data to:
- Internal Personnel: Personnel in charge of technical, administrative and support services, for the sole purposes of providing the Service.
- Control Services: Auditors or services responsible for internal control procedures.
- Public Authorities: Ministerial officers, administrations or auxiliaries of justice, only within the framework of their legal missions or upon judicial requisition.
- Transformation of the Company: In the event of a transfer transaction (merger, acquisition, partial contribution of assets), the data may be transmitted to potential buyers or successors subject to appropriate confidentiality commitments.
- Sub-processors: As listed in Article 4.4.
8. Responsibility
8.1. Liability of Deciris
Deciris' liability for Processing Operations carried out on behalf of the Client can only be incurred if it has not complied with the specific obligations of processors provided for by the Applicable Regulations or if it has acted outside or contrary to the Client's lawful instructions. Deciris is exempt from liability if it proves that the event causing the damage is not attributable to it.
In any event, the overall liability of Deciris under this DPA is limited in accordance with the provisions of the Main Contract.
8.2. Indemnification by the Client
The Client undertakes to fully indemnify Deciris for all sums (including procedural costs and attorney's fees) that Deciris may be required to pay in the event of a conviction or administrative sanction resulting from:
- A breach of the Applicable Regulations due to use of the Service by the Customer that does not comply with the Contract;
- The continuation of processing in accordance with the Client's instructions despite an alert from Deciris about their potentially non-compliant nature;
- Any damage resulting from the communication by the Client of data collected illicitly or without prior information/consent of the Data Subjects.
9. Customization for Enterprise Customers
For Customers on standard plans, this DPA applies automatically. For Enterprise Customers requiring specific waivers or customized security annexes, a separate written agreement or amendment may be negotiated and signed, which will replace this standard DPA upon valid execution.
