GDPR data-processing agreement (DPA)
This agreement governs the processing of personal data between CyberTool (processor) and each customer (data controller). It applies automatically to any agency customer that hosts the data of its own SMB clients on the platform.
Last updated: 2026-04-28
1. Parties
- Processor: CyberTool SAS, whose details are set out in the Terms of service.
- Data controller: the holder of the CyberTool account, identified by the signup email and the trade name entered in the profile.
2. Purpose
The purpose of this agreement is to define the conditions under which the processor processes, on behalf of the data controller, the personal data necessary for delivering the cybersecurity monitoring service.
3. Description of the processing
- Nature and purpose: storage, scanning, analysis, alerting and cybersecurity reporting on the websites declared by the data controller.
- Categories of data: identity (email, contact names) and technical data (logs, findings, scores) relating to the declared infrastructure.
- Categories of data subjects: employees of the data controller and, where applicable, contacts of SMB clients for agencies operating in multi-tenant mode.
- Duration: duration of the main contract (CyberTool subscription).
- Territory: European Union (Supabase Ireland), with occasional recourse to onward subprocessors outside the EU (Vercel, Cloudflare, Anthropic — see list § 5) covered by the European Commission's Standard Contractual Clauses.
4. Processor's obligations
- Process the data solely on the documented instructions of the data controller (service description + settings configured through the interface).
- Ensure the confidentiality of the data: persons authorised to access it are bound by contract or professional status.
- Implement and maintain the technical and organisational measures described in § 8.
- Notify the data controller within 48 hours of any data breach concerning its information, in accordance with article 33 GDPR.
- Assist the data controller in fulfilling its obligations (responding to data-subject rights requests, impact assessments, prior consultations).
- At the data controller's choice, delete or return the data at the end of the engagement, and destroy any existing copies.
5. Onward subprocessing
The data controller authorises the processor to use the following onward subprocessors, which provide sufficient security guarantees (signed DPAs, certifications where applicable):
- Supabase (Ireland) — database and authentication.
- Vercel (United States) — web application hosting. Transfer governed by the Standard Contractual Clauses (SCCs).
- Cloudflare (United States) — scan workers, anti-DDoS. Transfer governed by the SCCs.
- Stripe Payments Europe Ltd. (Ireland) — payments.
- Resend Inc. (United States) — transactional email delivery. Transfer governed by the SCCs.
- Anthropic PBC (United States) — Claude model. Processed content is not reused for training (Zero Data Retention enabled).
Any change to this list is notified to the data controller with 30 days' notice, opening a right of reasoned objection that may go as far as termination without penalty.
6. Right of audit
The data controller has an annual right of audit, at its choice: (a) on the basis of compliance reports provided by the processor (security policy, technical measures, access logs); (b) via an on-site audit conducted at its expense after 30 days' notice, under conditions that do not impair the service.
7. End of contract
At the end of the main contract, the data controller may request the return of its data in a structured format (JSON) or its erasure. Failing instructions to the contrary within 30 days following termination, the processor proceeds with permanent deletion (subject to legal retention obligations).
8. Technical and organisational measures
- Encryption of data in transit (TLS 1.2+) and at rest.
- Mandatory multi-factor authentication for administrators.
- Strict multi-tenant isolation via Row-Level Security (PostgreSQL) — each customer only sees its own data.
- Separation of environments (production / staging / dev) with distinct datasets.
- Daily encrypted backups, RPO ≤ 24 h, RTO ≤ 4 h.
- Access logs traced and retained for 30 days, alerts on anomalous events.
- Responsible disclosure policy: /.well-known/security.txt.
- Annual review of the security policy and supplier access.
9. Liability
Each party remains liable for direct damages caused by its breach of this agreement or of GDPR. The processor's liability is capped in accordance with the limits set out in the Terms of use.
10. Acceptance
This DPA is deemed accepted by the data controller upon creation of the CyberTool account. A signed version may be provided on request to legal@cybertool.fr (useful for agencies subject to formal client audits).