1. Introduction
The Data Processing Agreement (hereinafter referred to as the “Agreement”) is intended to govern the processing of Personal Data on behalf of Users (as defined in the Terms) of The Phantom Company (hereinafter referred to as the “Processor” or “The Phantom Company”) when they use the Services (as defined in the Terms).
2. Definitions
The terms “adequacy decision”, “technical and organizational measures”, “data subjects”, “data protection by design”, “data protection by default”, “register”, “joint controller(s)”, “controller”, “processor”, “processing,” “personal data breach” in the Agreement have the meanings described in Articles 4 et seq. of the GDPR.
Other terms are defined below:
- “Agreement” means the appendix to the Contract governing the processing of Personal Data on behalf of the User in accordance with the provisions of Article 28 of the GDPR.
- “DPIA” means a data protection impact assessment within the meaning of Article 35 of the GDPR, which assesses the necessity and proportionality of the Personal Data processing and the risks it poses to data subjects, so that those risks can be addressed before the processing starts.
- “Anonymization” means processing aimed at making it irreversibly impossible to identify the persons concerned by the processing carried out in connection with the Services.
- “Supervisory Authority” means the supervisory authority responsible for GDPR compliance for the Services provided by the Processor.
- “Contract” or “Terms”: refers to the contract concluded between the Processor and the User for the use of the Services, to which this Agreement is attached.
- “Right(s) request(s)” refers to requests to exercise the rights created by the GDPR in Articles 15 et seq. (e.g., right of access, right to erasure, etc.).
- “User Personal Data” means any data relating to an identified or identifiable natural person transmitted to the Processor and processed by the Processor on behalf of the User in connection with the Services, a detailed list of which is provided in the appendix.
- “Party(ies)” means jointly the User and the Processor.
- “GDPR” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the “General Data Protection Regulation.”
- “Applicable regulations on the protection of personal data” means French Law No. 78-17 of January 6, 1978 on information technology, files and civil liberties, and the GDPR.
- “Reversibility” refers to the operation of enabling the transfer and integration, in a usable and recognized format, of the Personal Data of the User of the Services of the Processor to an equivalent service offered by another service provider.
- “SaaS Service” refers to a software solution accessible remotely via the Internet, operated by the Processor and which can be used simultaneously by several Users.
- “Sub-processor” or “Subprocessors” refers to sub-processors engaged by the Processor to process Users’ Personal Data exclusively within the scope of the Services.
- “Data Subjects“: refers to individuals whose Personal Data is processed by the Processor on behalf of the User.
3. Contractual relations and duration
The Agreement is an integral part of the Terms governing the relationship between the User and the Processor for the use of the Services.
In the event of any conflict between the Terms and the Agreement, the obligations set out in the Agreement shall prevail over the Terms for all matters falling within the scope of the GDPR.
The Agreement shall remain in force for the entire duration of the Terms, i.e. for as long as the User has an account on the Services, and may continue beyond that time as long as all obligations under this Agreement remain applicable.
4. Role of the Parties and scope of application
The User acts, within the framework of the Agreement, as the data controller and The Phantom Company acts as a data processor within the meaning of Article 28 of the GDPR.
Under no circumstances may the Parties be considered joint controllers in connection with the Services. However, the Parties agree that if a Supervisory Authority formally establishes an error in, or a change to, their respective status, the Parties shall cooperate to amend the Agreement and take all measures required by such a situation to comply with the applicable regulations on the protection of personal data.
The Agreement exclusively governs the processing of the User’s Personal Data carried out in connection with the Services as a Processor within the meaning of Article 28 of the GDPR, excluding processing carried out as a data controller by The Phantom Company, which is governed by the Privacy Policy.
5. Instructions and commitments
The Processor undertakes to use the User’s Personal Data in connection with the use of the Services only in accordance with the instructions documented in the appendix to the Agreement. The Processor shall immediately inform the User if it considers that an instruction given by the User is unlawful under the applicable regulations on the protection of personal data. The Processor shall not be held liable if, despite the Processor’s notification of the illegality of the instruction, the User maintains and applies this instruction through the Services.
The Processor undertakes to comply with the provisions of the GDPR and, in particular, to keep a record of processing activities specific to the Services and to develop its Services in accordance with the principles of “data protection by design” and “data protection by default.”
The Processor undertakes never to transfer the User’s Personal Data for reasons other than the provision of the Services and undertakes never to use the User’s Personal Data for its own purposes, as data controller.
However, the Processor may use or transfer data that has been irreversibly anonymized in accordance with applicable regulations, to the extent that such data no longer allows for the direct or indirect identification of a natural person (is no longer Personal Data).
The Processor declares that the personnel required to process the User’s Personal Data are bound by one or more binding legal acts and regularly undergo training and awareness-raising.
The Processor shall implement all technical and organizational measures necessary to ensure the security, confidentiality, and integrity of the User’s Personal Data in its Services, details of which are set out in the appendix to the Agreement.
However, the Processor shall never be liable for any breaches by the User of the applicable regulations on the protection of personal data when using the Services as data controller.
As such, the User remains solely responsible for, in particular:
– the lawfulness of the data processing it carries out via the Services;
– compliance with its obligations to inform the persons concerned;
– handling the exercise of the rights of the persons concerned;
– and more generally, any obligation incumbent upon it as data controller within the meaning of the GDPR.
6. Assistance with conducting DPIA
DPIAs must be carried out by the User in accordance with the provisions of the GDPR. However, the Processor undertakes to provide, upon written request from the User, all information necessary and required for the User to carry out a DPIA.
However, the Processor is not required to carry out DPIAs on behalf of the User. Any request for additional information beyond that necessary for the User’s DPIA may be refused.
7. Assistance with requests for rights
Rights requests sent by Data Subjects shall be transferred to the User as soon as possible, provided that the Data Subject, upon written request from the Processor, has provided the information necessary to identify the User concerned by their request.
The Processor is not required to keep an inventory of Right Requests on behalf of the User and is not responsible for the User’s failure to manage Right Requests.
The Processor shall, upon written request from the User, take the technical measures necessary to enable the User to fulfill its obligation to respond to requests from data subjects.
The User accepts and understands that the Processor is not required to manage the Rights Requests of individuals made in connection with the Services on behalf of and for the account of the User. Any additional request to ensure such management will be refused.
Rights requests sent to The Phantom Company as data controller are processed exclusively by The Phantom Company and are not transferred to the User.
8. Assistance with security measures
The Processor undertakes to communicate all necessary and required information on the technical and organizational security measures to be implemented to ensure the security of the User’s Personal Data in connection with the provision of the Services. The security measures are described in the Appendix to this Agreement.
9. Personal Data Breaches
The Processor undertakes to notify the User, as soon as possible and no later than 48 working hours after becoming aware of it, of any personal data breach in connection with the Services that may concern the User’s Personal Data, and to provide all information in its possession that is necessary for the User to mitigate the effects of the personal data breach. The User accepts and acknowledges that the 72-hour period applicable to the User under Article 33 of the GDPR only commences once the User becomes aware of the personal data breach and that, as such, the 48 working-hour period complies with the GDPR.
The Processor is not authorized to handle notifications of personal data breaches to the Supervisory Authority or to inform the Data Subjects on behalf of the User. Any request to this effect from the User will be refused.
10. Sub-processors
The User grants the Processor general authorization to engage further Sub-processors, provided that the User is informed of any changes to these Sub-processors as soon as possible so that the User can raise any objections. The User accepts and acknowledges that specific (case-by-case) authorization is not practicable for a SaaS tool and could lead to the Services being blocked.
If no objection is raised by the User within thirty (30) days of notification, the new Sub-processor shall be definitively engaged without the User being able to object, claim damages or request the termination of their Subscription and/or a partial or total refund.
If the objection raised within the time limit is considered admissible by the Processor, the User may terminate their Subscription, delete their account, and obtain a refund under the following conditions:
- For annual subscriptions, termination will take effect at the end of the calendar month in which the notice of termination was received. In this case, you may request a refund for the unused portion of your subscription, starting from the month following the effective date of termination.
- For monthly subscriptions, termination will take effect at the end of the calendar month in which the termination notice was received. No refund will be given for the current month.
To be considered valid by the Processor, objections must be objective and serious and must be duly substantiated. The Parties agree that the following situations shall, by default, be considered admissible: i) the proposed Sub-processor is a direct competitor of the User, ii) the proposed Sub-processor is in a dispute with the User, iii) the proposed Sub-processor has been sanctioned by a Supervisory Authority within the 12 months prior to its engagement, and iv) the proposed Sub-processor does not comply, where applicable, with the applicable rules on transfers outside the European Union.
The Processor undertakes to engage only Sub-processors who, after verification, provide the necessary and sufficient guarantees to ensure the security and confidentiality of the User’s Personal Data. The relationship between the Processor and the Sub-processor must be governed by an agreement containing obligations similar to those in this Agreement.
The Processor shall remain liable, within the limits of liability provided for in the Terms, for any breaches of the GDPR that may be committed by its Sub-processors in connection with the Services.
You can access the list of sub-processors by clicking the link “List of Subprocessors”.
11. Hosting and transfers outside the European Union
a) Data hosting
The Processor is authorized to freely determine, within the European Economic Area (EEA), the locations for hosting and processing the User’s Personal Data. In the event of transfer of such Data to a country outside the EEA, including through its own Sub-processors, the Processor undertakes to ensure that the conditions of Articles 44 et seq. of the GDPR are complied with, in particular by implementing a recognized transfer mechanism (such as the Standard Contractual Clauses adopted by the European Commission, or any other equivalent mechanism in force).
The Processor shall inform the User, upon request, of the safeguards implemented in connection with such transfers. The User acknowledges that the existence of such safeguards is presumed to satisfy its own legal obligations with regard to international data transfers.
b) Data transfers
The User grants the Processor general authorization to transfer Personal Data to countries outside the European Union or the European Economic Area in connection with the performance of the Services, including through the use of subsequent Sub-processors. The Processor undertakes to ensure that such transfers are governed, where required, by one of the mechanisms provided for in Articles 45 to 47 of the GDPR, in particular an adequacy decision or, failing that, by appropriate safeguards such as the Standard Contractual Clauses adopted by the European Commission.
Subject to the implementation of such a mechanism, no specific prior agreement or information from the User is required. The User acknowledges that the implementation of these safeguards constitutes a sufficient legal basis under applicable regulations. The Processor shall freely assess, depending on the context of the processing in question, the need to implement additional technical or organizational measures in accordance with the recommendations of the competent authorities.
12. Retention periods and fate of the User’s Personal Data
The Processor undertakes to retain the User’s Personal Data only for the duration of the use of the Services, in accordance with the detailed instructions in the appendix, and to delete it upon deletion of the User’s account (subject to section “3.4. Workspace” of the Terms). The Processor shall, upon written request, certify the deletion of Personal Data and all existing copies.
The User is informed that they must retrieve their Personal Data before deleting their account. Otherwise, the User will no longer be able to retrieve their Personal Data, as the deletion of personal data is irreversible and final. The Processor shall not be held liable for any loss of Personal Data after its deletion, with the User assuming full responsibility. The User agrees that the total, irreversible, and definitive anonymization of the User’s Personal Data may be used as a means of deletion and that the Processor may retain the anonymized data for the improvement of the Service, as accepted by the Supervisory Authorities.
The Processor informs the User that the return of Personal Data provided for in the GDPR does not constitute Data Reversibility to a new processor and that any request to this effect will always be refused by the Processor.
13. Audits
The User has the right to conduct an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire may be communicated in any form to the Processor, who undertakes to respond within a reasonable time of receipt. The Processor undertakes to respond in good faith and in a form and with a level of detail proportionate to the nature of the processing operations concerned and the Services (SaaS). The Processor may object, on reasonable grounds, to any request that it considers manifestly excessive, unjustified or redundant in view of a recent audit.
The User shall therefore have the right to carry out, once a year and at its own expense, an audit in the form of a remote audit, organized through the provision by the Processor of the necessary documents and explanations via written exchanges, videoconference meetings, or any other reasonably appropriate format.
No on-site audit is planned, as the Parties acknowledge that the Processor does not have physical premises dedicated to the processing of User Data.
A remote audit may be conducted either by the User or by an independent third party designated by the User and must be notified in writing to the Processor at least thirty (30) days before the audit is carried out. The Processor has the right to refuse the choice of the independent third party if the latter is i) a direct or indirect competitor of the Processor, ii) in a situation of conflict of interest with the Processor (e.g., advisor to a competitor of the Processor), or iii) in pre-litigation or litigation with the Processor. In this case, the User undertakes to choose a new independent third party to carry out the audit. The Processor may refuse access to certain sensitive information for reasons of confidentiality or commercial security. In this case, the audit shall be carried out without this information and the Processor shall communicate the results to the User.
In the event of a discrepancy identified during the audit, the Processor undertakes to implement, without delay and at its own expense, within a reasonable time frame and in consultation with the User, the measures necessary to comply with this Agreement. Discrepancies may only relate to the applicable Regulations on the User’s Personal Data and may not relate to procedures, standards, or internal measures implemented by the User on a specific basis. Discrepancies must be duly demonstrated, justified, and documented.
In the event of a dispute by the Processor regarding the identified deviations, the Parties undertake to seek an amicable solution as a matter of priority. The Processor may, at its discretion and with the prior written consent of the User, propose to i) meet by videoconference to find an amicable solution and a compromise, ii) refer the matter to the Supervisory Authority for arbitration, or iii) refer the matter to an independent expert appointed by mutual agreement to arbitrate the dispute. The Processor shall retain the right to defer implementation of the proposed measures as long as a reasoned disagreement remains on the nature or extent of the discrepancy found.
The Processor undertakes to cooperate in good faith with the CNIL or any other competent Supervisory Authority, within the limits of the processing carried out on behalf of the User in connection with the Services, and in compliance with its legal and contractual obligations. The Processor shall, within a reasonable time and to the extent permitted by applicable regulations, inform the User of any formal request from an administrative, judicial, police or supervisory authority specifically relating to Personal Data processed on behalf of the User.
Any notification shall be subject to applicable restrictions on confidentiality, business secrecy or mandatory legal provisions (e.g., prohibition of disclosure).
15. Contact
The User and the Processor shall each designate a contact person responsible for this Agreement who shall be the recipient of the various notifications and communications to be made under the Agreement.
The Processor informs the User that it has appointed Dipeeo SAS as its Data Protection Officer, who can be contacted at the following address:
- Email address: dpo@thephantomcompany.com
- Postal address: Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
- Phone number: 01 59 06 81 85
16. Revisions
The Processor reserves the right to modify this Agreement in the event of changes to the applicable rules on the protection of Personal Data or in the event of changes to the Services that would have the effect of modifying any of its provisions.
Certified compliant by Dipeeo ®
DPA Appendices
Appendix 1 – Detailed instructions from the User
1. List of processing operations
1.1. Nature of processing and purposes
The Processor provides a platform that automates certain actions on the Internet and social media. This platform allows the User to collect and enrich data that is freely accessible to them.
As such, the Processor implements these processing operations for the following purposes:
- To automate, on the User’s behalf, the collection and enrichment of data freely accessible to the User;
- To integrate Services with other independent tools if the User so decides and authorizes;
- To integrate and offer artificial intelligence features;
- To host the platform and the Personal Data it processes, whether at rest or in transit.
- To navigate our websites, benefit from our services, and enable us to respond to your requests based on our terms and conditions of use and our legitimate interest in providing you with the best service.
- To use and benefit from our service and all its features based on our terms and conditions of use.
- To manage user accounts and Workspaces (e.g., account creation, access to the service, and account deletion) based on our terms and conditions of use.
- To write comments about the management of your files based on our terms and conditions of use.
- To communicate with our customer support service via our customer service platform and our chat/chatbot based on our terms and conditions of use.
- To manage subscriptions, online payments, and billing based on our terms and conditions of use.
- To receive technical emails (e.g., password changes, etc.) that are essential to the proper functioning of our service based on our terms and conditions of use.
- To be able to download and import documents to our platform based on our terms and conditions of use.
- To guarantee and enhance the security and quality of our services on a daily basis (e.g., statistics, data security, etc.) based on our legal obligations and our terms and conditions of use.
- To manage the affiliate program based on the affiliate program’s terms and conditions.
The processing operations carried out are done so exclusively within the framework of the Terms governing the use of the Services.
1.2. Data subjects
The persons concerned in the context of the Services are:
- Users
- Natural persons identified in the context of their professional activity (leads), in particular:
  - Commercial prospects
  - Potential candidates
  - Professional contacts whose details are freely accessible to the User (managers, employees, company representatives).
1.3. Processing operations
The processing operations carried out in connection with the Services are detailed below:
Collection, recording, hosting, organization, structuring, storage, adaptation, use, communication by transmission, erasure, or destruction.
1.4. Categories of data processed (User’s Personal Data)
The User’s Personal Data processed within the framework of the Services are as follows:
1.4.1. Personal data of the User
Standard User data
- Identification data and professional contact details
- Connection data (e.g., IP address, logs and user ID)
- Economic and financial data
- Cookie and tracker data
- User session data necessary for the execution of certain automations, such as cookies or session tokens associated with accounts on third-party platforms.
1.4.2. Personal data relating to leads, processed in accordance with the User’s instructions and choices made through the Services
- Identification data (first and last name)
- Contact details and professional information (position, company, etc.)
- Profile data freely accessible to the User on a social network or website
- Public identifiers or identifiers freely accessible to the User (profile URL, social network username)
- Any other freely accessible data selected by the User via the platform’s features and automation settings.
1.5. Retention periods
The User’s Personal Data is retained for the duration of the Terms (subject to section 3.4. of the Terms).
Appendix 2 – Security measures
1. Technical security measures
- Data hosted securely with encryption and network partitioning.
- Strong isolation of IT resources and no direct operator access.
- Encryption of internal data flows, isolation and security of data at rest.
- Access to systems strictly controlled by roles (RBAC).
- Time-stamped logging of connections and sensitive actions (read-only).
- Secure storage of secrets, variables, and application configurations.
- Session expiration and detection of unusual behavior.
- Regular, encrypted backups, tested and stored in a European Union country.
- Regular security updates (patching).
- Security incident management plan in place.
- Encryption of user passwords and enforcement of complex passwords.
- Secure HTTPS platform.
- Strict separation of development, testing, and production environments.
- Bug bounty program, vulnerability scans, and regular penetration testing.
- Full access traceability.
- Anti-spam for employees and secure password management.
- Hard drive encryption, antivirus, and firewalls for our employees.
- Mandatory multi-factor authentication (MFA) for our employees.
2. Organizational and contractual security measures
- Appointment of a Data Protection Officer (DPO).
- Maintenance of a data processing register.
- Adoption of an information systems charter.
- Existence of an internal GDPR squad to manage compliance issues.
- Inclusion of data protection clauses in employment contracts.
- Strict procedure for authorizing and revoking internal access.
- Procedure in place to handle requests from data subjects to exercise their rights.
- Specific procedure in the event of a personal data breach.
- Regular awareness-raising and training for employees on data protection and cybersecurity.
- Phishing tests for all employees under real conditions.
- Strict application of the principle of least privilege (minimum access required).
- Confidentiality obligation for all persons with access to data.
- Continuous monitoring of system security status and automated deployment of updates.