Ma Belle Note

© 2026 Ma Belle Note. All rights reserved.

Data Processing Agreement (DPA)

Last updated: 2026-04-21

This Data Processing Agreement (the "DPA") forms an integral part of the Terms of Sale entered into between the Customer (the "Controller") and SBCQ SAS (the "Processor"). It sets out the terms of the processing of personal data carried out by the Processor on behalf of the Controller, in accordance with article 28 of the GDPR.

01 Definitions

"Personal data", "processing", "controller", "processor", "data subject" and "personal data breach" have the meaning given in the GDPR. Capitalised terms not defined here refer to the definitions of the Terms of Sale.

02 Purpose and allocation of roles

This DPA governs the processing carried out by the Processor on behalf of the Controller as part of the provision of the Ma Belle Note Service.

The parties agree on the following allocation:

  • The Customer is the Controller of the data relating to customer reviews aggregated through the Service, to messages issued through its private forms, and to any end-customer data injected into the Service.
  • The Processor is a Processor within the meaning of article 28 GDPR for all such data.
  • The Processor remains an independent Controller for data related to the Customer's account management, billing, security and Service performance (see Privacy Policy).

03 Description of the processing (Schedule 1)

| Element | Description |
| --- | --- |
| Nature of the processing | Aggregation, storage, display, analysis, reply and visual generation based on customer reviews and private messages. |
| Purposes | Centralise reviews, assist reply drafting, measure local visibility performance, collect new reviews, produce marketing content. |
| Categories of data subjects | Authors of public reviews, authors of private messages, end customers participating in collection mechanics (QR, loyalty wheel). |
| Categories of data | Author name, pseudonym, profile picture (as public on the source platform), review text, rating, date, email address (private forms, wheel), phone number (optional), AI-categorised theme. |
| Special categories | The Service is not designed to process special categories of data within the meaning of article 9 GDPR. The Customer undertakes not to intentionally inject such data into the Service. |
| Duration | For the duration of the subscription, plus a 30-day window after termination to allow data export. |

04 Processor obligations

The Processor undertakes to:

  • process the data only on documented instructions from the Controller, such instructions being deemed given by the Account configuration and by the use of the Service in accordance with the Terms of Sale;
  • ensure the confidentiality of the data and that persons authorised to process it are bound by an appropriate duty of confidentiality;
  • implement the technical and organisational security measures set out in Schedule 2;
  • engage sub-processors only with the Controller's general written authorisation, under the conditions described below;
  • assist the Controller in responding to data subjects' rights requests;
  • assist the Controller in carrying out Data Protection Impact Assessments (DPIAs) and prior consultations with a supervisory authority, where the provision of the Service so requires;
  • on termination of the processing, at the Controller's choice, delete or return the data, subject to any legal retention obligation;
  • make available all information necessary to demonstrate compliance with the obligations of this DPA and allow for audits.

05 Security measures (Schedule 2)

The Processor implements the following measures, periodically reviewed:

  • Encryption: TLS 1.2+ in transit, AES-256 at rest on databases and backups, password hashing (bcrypt/Argon2).
  • Access control: strong authentication of team members, least-privilege principle, quarterly access reviews, logging of access to customer data.
  • Segregation: logical isolation between environments (development, staging, production); per-tenant isolation of customer data.
  • Backups: encrypted daily backups, retained for 30 days, periodically tested through restore exercises.
  • Monitoring and detection: 24/7 monitoring of critical components, automated anomaly alerts, security logs retained for 12 months.
  • Business continuity and disaster recovery: target RPO ≤ 24 hours, target RTO ≤ 4 hours for critical components.
  • Secure development: mandatory code review, static and dynamic analysis, dependency management, annual penetration tests.
  • Awareness: annual training of staff on data protection and information security.

06 Sub-processors (Schedule 3)

The Controller authorises, by this DPA, the use of the sub-processors listed below, each governed by a contract imposing equivalent protection obligations.

| Sub-processor | Role | Location |
| --- | --- | --- |
| Convex, Inc. | Database engine and serverless backend execution (option: self-hosted on European infrastructure controlled by the Processor) | USA, or EU if self-hosted |
| Cloudflare, Inc. | CDN, DDoS protection, hosting of the public website | USA (EU) |
| Resend Inc. | Transactional email delivery (confirmations, alerts, invoices) | USA (EU) |
| Stripe Payments Europe, Ltd. | Card and SEPA payment processing | EU |
| Anthropic, PBC | AI model provider (Claude) for reply and analysis generation | USA |
| OpenAI, L.L.C. | AI model provider (GPT) for reply and analysis generation (alternative to Anthropic) | USA |
| Google LLC | Official APIs (Google Business Profile) to collect and publish reviews, with the Customer's OAuth consent | USA (EU) |
| Hostinger International Ltd., 61 Lordou Vironos Street, 6023 Larnaca, Cyprus | VPS hosting provider (self-hosted Convex infrastructure) | EU |

The Processor notifies the Controller of any addition or replacement of a sub-processor at least 30 days before it takes effect. Within this period, the Controller may object to the change on legitimate and documented grounds. In case of objection, the parties seek a solution in good faith. Failing agreement within 15 days, the Controller may terminate the Service without penalty.

07 International transfers

Some sub-processors are established outside the European Union. The resulting transfers are framed by:

  • an adequacy decision of the European Commission where applicable (e.g. EU-US Data Privacy Framework for certified organisations);
  • failing that, the European Commission's Standard Contractual Clauses (decision 2021/914) in the appropriate module (controller-to-processor or processor-to-processor), signed with each sub-processor concerned;
  • additional technical and organisational measures (encryption, minimisation, pseudonymisation where possible);
  • a documented Transfer Impact Assessment (TIA) for every sub-processor not covered by an adequacy decision.

TIAs and SCCs are made available to the Controller on a reasoned request.

08 Personal data breach notification

In the event of a personal data breach within the scope of this DPA, the Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of it. The notification shall set out the nature of the breach, the categories of data and data subjects affected, the likely consequences and the measures taken or envisaged.

The Processor assists the Controller in any required notifications to the supervisory authority and to data subjects.

09 Data subjects' rights

The Processor makes available to the Controller, within the Service, tools to respond to access, rectification, erasure, restriction, portability and objection requests from data subjects (e.g. JSON/CSV export, targeted deletion of a review author, content masking).

If a data subject contacts the Processor directly, the Processor redirects the request to the Controller within 7 business days and provides the information necessary for the Controller to handle the request.

10 Audit

The Controller may, no more than once a year and subject to reasonable prior notice (15 days), request a desk audit of the Processor's compliance with this DPA. An on-site audit may be organised in case of a major incident or a specific legal requirement, at the Controller's expense and subject to signature of a non-disclosure agreement.

In addition, the Processor makes available the attestations of its relevant external audits (penetration test reports, in-progress certifications, sub-processor due diligence).

11 End of processing: return and deletion

At the end of the Service, for any reason, the Processor makes available to the Controller a structured export of its data for 30 days. After this period, data is deleted from production systems within a maximum of 30 additional days, and from backups within the natural rotation cycle (up to 30 more days).

Legal retention obligations (accounting, fraud, ongoing subpoenas) prevail over deletion.

12 Liability and term

Each party's liability under this DPA is governed by the limitations set out in the Terms of Sale. This DPA comes into effect on the subscription date and remains applicable for the duration of the processing, including after the end of the Service for obligations that survive (confidentiality, deletion, notification of a breach detected afterwards).

For any question regarding this DPA, contact [email protected].