DATA PROCESSING AGREEMENT
BETWEEN THE UNDERSIGNED:
The Data Controller:
The Client, whose details are provided at the time of subscription to DEALCOCKPIT™ VDR Services (hereinafter "the Client" or "the Controller").
The Data Processor:
DEALCOCKPIT™ SAS, with registered office at 5 Grand Rue, 24230 VELINES, France (hereinafter "DEALCOCKPIT™" or "the Processor").
This Data Processing Agreement (hereinafter "DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter "GDPR") and forms an integral part of the DEALCOCKPIT™ Terms and Conditions (T&C) accepted by the Client upon online subscription. In the event of conflict between this DPA and the T&C, the provisions of this DPA shall prevail with respect to the processing of personal data.
1. DEFINITIONS
For the purposes of this DPA, the following terms shall have the meanings set out below:
Personal Data: any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the GDPR.
Client Data: all Personal Data that the Client uploads, imports, stores or shares through DEALCOCKPIT™ VDR Services (including due diligence documents, stakeholder lists, financial and legal information).
Processing: any operation or set of operations performed on Personal Data (collection, storage, access, transmission, deletion, etc.), as defined under Article 4(2) of the GDPR.
Controller: the natural or legal person who determines the purposes and means of Processing. Under this DPA, the Client is the Controller of Client Data.
Processor: the natural or legal person who processes Personal Data on behalf of the Controller. Under this DPA, DEALCOCKPIT™ is the Processor.
Sub-processor: any third party engaged by DEALCOCKPIT™ to carry out all or part of the Services involving the Processing of Client Data.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, as defined under Article 4(12) of the GDPR.
VDR Services: the Virtual Data Room services provided by DEALCOCKPIT™ to the Client pursuant to the T&C.
2. ROLES AND RESPONSIBILITIES
2.1 Role Qualification
The parties acknowledge and expressly agree that:
The Client is the Controller of all Client Data uploaded to the VDR Services. As such, the Client freely determines the purposes, categories of data processed, and individuals authorised to access such data.
DEALCOCKPIT™ is the Processor and processes Client Data solely on the documented instructions of the Controller, strictly to the extent necessary to provide the VDR Services.
DEALCOCKPIT™ acts as Controller for its own operational data (client accounts, billing, support, security), which is governed by its Privacy Policy.
2.2 Client Instructions
DEALCOCKPIT™ processes Client Data solely in accordance with the Client’s documented instructions, including those arising from use of the VDR Services. If any instruction appears to infringe the GDPR or other applicable law, DEALCOCKPIT™ shall immediately notify the Client in writing before executing such instruction.
3. DESCRIPTION OF PROCESSING
The table below describes the processing activities carried out by DEALCOCKPIT™ as Processor:
| Subject matter | Categories of data | Categories of data subjects | Purpose |
| --- | --- | --- | --- |
| Document hosting and storage | Documents uploaded by the Client (may contain personal data of any nature depending on content) | Any natural person referenced in the Client’s documents | Provision of secure document storage and exchange service |
| User access management | Username, email address, role, connection logs | Users authorised by the Client | Access control and data room security |
| Activity logging and audit trail | Activity logs (access, downloads, modifications) | Users authorised by the Client | Traceability and operational security |
| Technical support | Data necessary to resolve incidents | Client users who have submitted a support request | Incident resolution and technical assistance |
The duration of Processing corresponds to the term of the VDR Services, extended by the transition period of thirty (30) days provided for under Article 10 of this DPA.
4. OBLIGATIONS OF DEALCOCKPIT™ AS PROCESSOR
4.1 General Obligations
DEALCOCKPIT™ undertakes to:
Process Client Data solely for the purposes described in Article 3 and in accordance with the Client’s documented instructions.
Ensure that persons authorised to process Client Data are subject to appropriate confidentiality obligations.
Not disclose Client Data to third parties, except to authorised Sub-processors in accordance with Article 5 of this DPA, or where required by law.
Immediately notify the Client if it considers that any instruction infringes the GDPR or any other applicable law, before executing such instruction.
Assist the Client, to the extent reasonably possible and taking into account the nature of the Processing, in fulfilling its obligation to respond to requests from data subjects exercising their rights.
Assist the Client in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation.
4.2 Security Measures
DEALCOCKPIT™ implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Encryption of data in transit (TLS) and at rest (AES-256 or equivalent).
Strict access controls, with strong authentication for internal users.
Logging and monitoring of data access.
Regular security testing and vulnerability management.
Business continuity and disaster recovery plans.
5. SUB-PROCESSORS
5.1 General Authorisation
The Client authorises DEALCOCKPIT™ to engage Sub-processors for the provision of the VDR Services, provided that DEALCOCKPIT™:
Enters into a contract with each Sub-processor imposing data protection obligations equivalent to those set out in this DPA.
Remains fully liable to the Client for the performance by its Sub-processors of their obligations.
5.2 List of Authorised Sub-processors
The currently authorised Sub-processors are as follows:
| Sub-processor | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| Amazon Web Services EMEA SARL (AWS) | Infrastructure hosting, storage and data processing (regions EU-WEST-1 Dublin, Ireland and EU-WEST-3 Paris, France) | European Union (Ireland — France) | ISO 27001, SOC 1/2/3 certified, GDPR compliant. AWS Data Processing Agreement in force. |
| Brevo (formerly Sendinblue) | Transactional and marketing email | European Union | GDPR compliant. EU hosting. |
| HubSpot Ireland Limited | CRM, client tracking and marketing | European Union (Ireland) | GDPR compliant. EU hosting. HubSpot DPA in force. |
| Artificial Intelligence — No third-party provider | DEALCOCKPIT™ does not engage any third-party AI provider to analyse, index or process the content of Client Data. No document uploaded to the data room is transmitted to any external AI model. DEALCOCKPIT™ commits to never using Client Data to train, fine-tune or improve any AI model, whether internally or via a third party, without the Client’s prior written consent. | N/A (no current processing) | Firm contractual commitment. No AI training guaranteed. |
5.3 Changes to the List
DEALCOCKPIT™ shall notify the Client of any addition or replacement of a Sub-processor with a minimum prior notice of thirty (30) days. The Client has the right to raise a reasoned objection. In the event of an unresolved legitimate objection, the Client may terminate the contract in accordance with the T&C.
6. AI COMMITMENTS
6.1 No Current AI Processing
DEALCOCKPIT™ declares that, as of the effective date of this DPA, no third-party AI system is used to analyse, index, summarise, or otherwise process the content of Client Data stored in the VDR Services.
6.2 Prohibition on Training AI with Client Data
DEALCOCKPIT™ irrevocably undertakes never to use Client Data, directly or indirectly, to:
Train, fine-tune, or improve any artificial intelligence model, whether developed internally or provided by a third party.
Build training, validation, or evaluation datasets for AI systems.
Feed machine learning systems or any algorithmic processing aimed at improving predictive models beyond the strict provision of the VDR Services.
This commitment applies regardless of whether Client Data is anonymised, pseudonymised, or aggregated, as long as it is derivable from documents uploaded by the Client.
7. TRANSFERS OUTSIDE THE EUROPEAN UNION
DEALCOCKPIT™ commits to ensuring that Client Data is hosted and processed exclusively within the European Union. Any transfer of Client Data to a third country would be subject to the prior conclusion of Standard Contractual Clauses (SCCs) approved by the European Commission, or any other appropriate safeguard provided for under the GDPR. The Client would be informed in advance of any such transfer.
8. PERSONAL DATA BREACH
8.1 Notification
Upon discovering a Personal Data Breach affecting Client Data, DEALCOCKPIT™ shall notify the Client without undue delay and, where feasible, within a maximum of forty-eight (48) hours of becoming aware of it.
The notification shall include, to the extent the information is available:
The nature of the Personal Data Breach, the approximate categories and number of data subjects concerned, and the records affected.
The contact details of a point of contact at DEALCOCKPIT™.
The likely consequences of the breach and the measures taken or proposed to address it.
8.2 Responsibility for Notifying the Supervisory Authority
It is the Client’s responsibility, as Controller, to notify the relevant supervisory authority (in particular the CNIL) within the 72-hour deadline set out in Article 33 of the GDPR. DEALCOCKPIT™ shall assist the Client in this process by providing all necessary information.
9. DATA SUBJECT RIGHTS
Where DEALCOCKPIT™ directly receives a request to exercise rights (right of access, rectification, erasure, portability, objection) relating to Client Data, DEALCOCKPIT™ shall notify the Client without delay and shall not respond to the request itself (unless expressly instructed by the Client), as the Client is the sole Controller entitled to respond.
DEALCOCKPIT™ undertakes to provide the Client with the technical assistance necessary to enable it to respond to such requests within the deadlines imposed by the GDPR (normally one month).
10. DATA RETENTION — DOSSIER CLOSURE AND END OF CONTRACT
10.1 Deletion of Data upon Dossier Closure
Client Data (documents, files and content uploaded to the data room) is automatically and irreversibly deleted upon closure of the dossier by the Client, including from backup media within a reasonable timeframe. The Client is informed that this deletion is permanent and that no restoration will be possible after closure. It is the Client’s responsibility to download and archive any documents it wishes to retain before closing the dossier.
10.2 Retention of Logs
By way of exception to Article 10.1, DEALCOCKPIT™ retains activity logs generated during use of the VDR Services (access traces, downloads, modifications, connections) for a period of twelve (12) months after dossier closure, for the following purposes:
Security and incident detection.
Compliance with applicable legal and regulatory obligations.
Defence of DEALCOCKPIT™’s legitimate interests in the event of a dispute.
These logs may contain indirect references to Personal Data (user identifiers, IP addresses). They are retained securely, isolated from any active processing, and accessible only to authorised DEALCOCKPIT™ personnel for security or compliance purposes.
10.3 End of Contract
Upon termination or expiry of the contract, any dossiers still open at that date are automatically closed and the corresponding Client Data deleted in accordance with Article 10.1. DEALCOCKPIT™ shall provide the Client, upon written request to support@dealcockpit.io, with a certificate of deletion of Client Data.
11. AUDIT AND MONITORING
The Client has the right to verify DEALCOCKPIT™’s compliance with its obligations under this DPA, subject to the following conditions:
DEALCOCKPIT™ shall make available to the Client all information necessary to demonstrate compliance with its obligations as Processor.
The Client may request an audit, at its own expense, conducted by an independent third party subject to a confidentiality obligation, with at least thirty (30) business days’ prior written notice. DEALCOCKPIT™ may refuse an auditor with a conflict of interest.
DEALCOCKPIT™ may satisfy the audit obligation by providing the certifications and audit reports of its relevant Sub-processors (in particular AWS), or by engaging an independent third-party auditor.
12. FINAL PROVISIONS
12.1 Term
This DPA enters into force on the date the Client accepts the T&C and remains in force for the entire duration of the services contract, and thereafter until the complete deletion of Client Data in accordance with Article 10.
12.2 Governing Law
This DPA is governed by French law and the GDPR. Any dispute relating to its interpretation or performance shall be subject to the exclusive jurisdiction of the courts of Paris, France.
12.3 Order of Precedence
In the event of conflict between this DPA and the DEALCOCKPIT™ T&C, the provisions of this DPA shall prevail for all matters relating to the processing of personal data.
12.4 Contact
For any questions relating to this DPA or the exercise of rights over Personal Data: support@dealcockpit.io