Data Processing Agreement (DPA)
This document is only available in English.
Last updated: February 3, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:
- Ventanova SASU ("Processor", "we", "us"), a French company registered under SIRET 929 883 692, with registered office at 58 Rue de Monceau, 75008 Paris, France
and
- The Customer ("Controller", "you"), as identified in your Ventanova account
This DPA sets out the terms under which Ventanova processes Personal Data on behalf of the Customer, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on Personal Data (collection, storage, use, disclosure, deletion) |
| Data Subject | The individual whose Personal Data is processed |
| Controller | The entity that determines the purposes and means of Processing |
| Processor | The entity that processes Personal Data on behalf of the Controller |
| Sub-processor | A third party engaged by the Processor to process Personal Data |
| Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data |
2. Scope and Duration
2.1 Scope
This DPA applies to all Processing of Personal Data by Ventanova on behalf of the Customer in connection with the Services.
2.2 Duration
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, subject to Section 12 (Data Return and Deletion).
2.3 Roles
- Customer acts as the Controller for Personal Data uploaded to or generated through the Services
- Ventanova acts as the Processor for such Personal Data
3. Processing Instructions
3.1 Documented Instructions
Ventanova shall process Personal Data only on documented instructions from the Customer, including:
- The Agreement and this DPA
- Customer's configuration of the Services
- Written instructions provided via support channels
3.2 Compliance with Law
If Ventanova is required by applicable law to process Personal Data other than as instructed by the Customer, Ventanova shall notify the Customer of such legal requirement before processing (unless prohibited by law).
3.3 Notification of Unlawful Instructions
If Ventanova believes that an instruction from the Customer infringes GDPR or other applicable data protection laws, Ventanova shall promptly notify the Customer.
4. Confidentiality
4.1 Personnel Obligations
Ventanova ensures that all personnel authorized to process Personal Data:
- Are bound by confidentiality obligations
- Have received appropriate training on data protection
- Process Personal Data only as instructed
4.2 Access Limitation
Access to Personal Data is limited to personnel who require such access to perform the Services.
5. Security Measures
5.1 Technical and Organizational Measures
Ventanova implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex B.
5.2 Security Standards
These measures include:
- Encryption of Personal Data in transit (TLS 1.3+) and at rest (AES-256)
- Multi-factor authentication (MFA) for system access
- Role-based access control (RBAC)
- Regular security testing and vulnerability assessments
- Intrusion detection and monitoring systems
- Encrypted daily backups with geographic redundancy
5.3 Certifications
Ventanova's infrastructure provider (OVH) maintains ISO 27001 and SOC 2 Type II certifications.
6. Sub-processors
6.1 Authorized Sub-processors
The Customer provides general authorization for Ventanova to engage Sub-processors listed in Annex C.
6.2 Sub-processor Requirements
Ventanova ensures that each Sub-processor:
- Is bound by data protection obligations no less protective than this DPA
- Provides sufficient guarantees to implement appropriate technical and organizational measures
6.3 Notification of Changes
Ventanova shall notify the Customer at least 30 days before engaging any new Sub-processor, providing:
- The Sub-processor's name and location
- The processing activities to be performed
- The data protection measures in place
6.4 Objection Right
The Customer may object to a new Sub-processor within 14 days of notification by providing reasonable grounds. If the parties cannot resolve the objection, the Customer may terminate the affected Services without penalty.
6.5 Liability
Ventanova remains fully liable for the acts and omissions of its Sub-processors.
7. Data Subject Rights
7.1 Assistance
Ventanova shall assist the Customer in responding to requests from Data Subjects exercising their rights under GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
7.2 Response Time
Ventanova shall respond to Customer requests for assistance within 5 business days.
7.3 Direct Requests
If a Data Subject contacts Ventanova directly, Ventanova shall promptly redirect them to the Customer, unless legally required to respond directly.
8. Data Breach Notification
8.1 Notification to Customer
Ventanova shall notify the Customer of any Data Breach without undue delay, and in any event within 48 hours of becoming aware of the breach.
8.2 Notification Content
The notification shall include:
- A description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
8.3 Cooperation
Ventanova shall cooperate with the Customer and provide reasonable assistance in:
- Investigating the breach
- Meeting notification obligations to supervisory authorities
- Communicating with affected Data Subjects
9. Data Protection Impact Assessments
Upon Customer's request, Ventanova shall provide reasonable assistance with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, to the extent required under GDPR Articles 35 and 36.
10. Audit Rights
10.1 Information Access
Ventanova shall make available to the Customer all information necessary to demonstrate compliance with this DPA.
10.2 Audit Procedure
The Customer may conduct an audit of Ventanova's compliance with this DPA:
- Frequency: Once per calendar year, or following a Data Breach
- Notice: At least 30 days' written notice
- Scope: Limited to matters relevant to this DPA
- Confidentiality: Auditor must sign a confidentiality agreement
10.3 Alternative Evidence
At Ventanova's option, compliance may be demonstrated through:
- Third-party audit reports (SOC 2, ISO 27001) less than 12 months old
- Completion of a security questionnaire
- Documentation of security measures
10.4 Costs
Each party bears its own costs for audits, unless the audit reveals material non-compliance by Ventanova.
11. International Transfers
11.1 Data Location
Personal Data is primarily stored and processed in France (OVH datacenter, Gravelines).
11.2 Transfers Outside EEA
When Personal Data is transferred outside the European Economic Area, Ventanova ensures appropriate safeguards are in place:
| Recipient | Country | Safeguard |
|---|---|---|
| Stripe | USA | Standard Contractual Clauses (SCC) + Data Privacy Framework |
11.3 Standard Contractual Clauses
Where required, the EU Standard Contractual Clauses (Commission Decision 2021/914) are incorporated by reference into this DPA.
12. Data Return and Deletion
12.1 Upon Termination
Upon termination of the Agreement:
- Customer may export Personal Data for 30 days
- After 30 days, Personal Data becomes inaccessible
- After 90 days, Personal Data is permanently deleted
12.2 Deletion Confirmation
Upon Customer's written request, Ventanova shall provide written confirmation of deletion.
12.3 Retention Exceptions
Ventanova may retain Personal Data to the extent required by applicable law, provided such data remains protected under this DPA.
13. Liability
13.1 Allocation
Each party's liability under this DPA is subject to the limitations set forth in the Agreement.
13.2 Indemnification
Ventanova shall indemnify the Customer against any fines, penalties, or damages arising from Ventanova's breach of this DPA or GDPR, except to the extent caused by the Customer's instructions or actions.
14. General Provisions
14.1 Governing Law
This DPA is governed by French law.
14.2 Jurisdiction
Disputes shall be submitted to the exclusive jurisdiction of the courts of Paris, France.
14.3 Conflict
In case of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
14.4 Severability
If any provision of this DPA is found invalid, the remaining provisions shall remain in effect.
14.5 Amendments
This DPA may only be amended in writing, signed by both parties.
15. Contact
Data Protection Officer
Email: privacy@ventanova.ai
Postal Address: Ventanova - DPO, 58 Rue de Monceau, 75008 Paris, France
Annex A: Description of Processing
A.1 Subject Matter
Processing of Personal Data in connection with the Ventanova B2B email prospecting platform.
A.2 Duration
For the term of the Agreement plus the data retention period specified in Section 12.
A.3 Nature and Purpose
| Purpose | Description |
|---|---|
| Service Provision | Identifying and contacting B2B prospects on behalf of the Customer |
| Email Delivery | Sending personalized prospecting emails |
| Analytics | Tracking email opens, clicks, and website visits |
| Account Management | Managing Customer accounts, billing, and support |
A.4 Categories of Data Subjects
- Customer's employees and authorized users
- B2B professional contacts (prospects)
A.5 Types of Personal Data
| Category | Data Types |
|---|---|
| Contact Data | Name, professional email address, job title, company name |
| Company Data | Company address, industry, size, website |
| Usage Data | Login times, feature usage, IP addresses (anonymized) |
| Communication Data | Email content, campaign analytics |
A.6 Special Categories
None. Ventanova does not process special categories of Personal Data (health, biometric, genetic, political opinions, religious beliefs, sexual orientation).
Annex B: Technical and Organizational Measures
B.1 Governance
- Information security policies and procedures
- Designated Data Protection Officer (DPO)
- Regular policy reviews and updates
- Change management processes
B.2 Access Control
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) required
- Least privilege principle
- Unique user accounts (no shared credentials)
- Access reviews quarterly
B.3 Physical Security
- OVH datacenter (Gravelines, France)
- ISO 27001 certified facility
- 24/7 security personnel
- Biometric access controls
- Video surveillance
B.4 Encryption
- In transit: TLS 1.3+ for all connections
- At rest: AES-256 encryption for all stored data
- Backups: Encrypted with separate keys
B.5 Network Security
- Firewalls and network segmentation
- Intrusion detection systems (IDS)
- DDoS protection
- Regular vulnerability scanning
B.6 Audit Logging
- All system access logged
- All data modifications logged
- Logs retained for 90+ days
- Tamper-evident logging
B.7 Incident Response
- 24/7 monitoring
- Documented incident response procedure
- Breach notification within 48 hours
- Post-incident review process
B.8 Business Continuity
- Daily encrypted backups
- Geographic redundancy (France)
- Recovery Point Objective (RPO): 24 hours
- Recovery Time Objective (RTO): 4 hours
- Annual disaster recovery testing
B.9 Personnel Security
- Background checks for employees
- Confidentiality agreements (NDA)
- Security awareness training
- Offboarding procedures
B.10 Data Segregation
- Logical separation by customer (row-level security)
- Tenant isolation in database
- Separate encryption keys per customer (roadmap)
B.11 Vulnerability Management
- Monthly vulnerability scans
- Critical patches within 48 hours
- High-severity patches within 7 days
- Annual penetration testing
B.12 Supplier Management
- Sub-processor due diligence
- DPA requirements for all Sub-processors
- Annual Sub-processor reviews
Annex C: Authorized Sub-processors
| Sub-processor | Location | Service | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| OVH SAS | Gravelines, France | Infrastructure hosting | All Customer Data | N/A (EU) |
| Stripe, Inc. | USA | Payment processing | Billing data only | SCC + DPF |
| O2Switch | Clermont-Ferrand, France | Transactional emails | Email addresses | N/A (EU) |
Analytics: Matomo is self-hosted on OVH infrastructure in France. No third-party analytics provider is used.
Effective Date: Upon Customer's acceptance of the Terms of Service
© 2026 Ventanova SASU - All rights reserved