DATA PROCESSING AGREEMENT (DPA)
Version: 1.1
Effective Date: March 28, 2026
Last Updated: March 28, 2026
1. OBJECTIVE — PARTIES CAPACITY
This Data Processing Agreement (“DPA”) frames standard personal data processes executing within Convertr properties, notably where:
- Customer directs setups strictly as a Data Controller; and
- Convertr operates technically merely as a Data Processor,
pursuant to EU GDPR requirements facilitating Service operations.
2. PROCESSING OUTLINE
2.1 Goals (directed by Customer)
Convertr hosts interactions enabling Platforms and configurations such as:
- lead, prospect, and opportunity center administration;
- workflow and trigger routing;
- SMS and call transmissions, subject to authorization;
- transcription and automated qualification guides;
- integrations and synced resources;
- security, tracking limitations, and operational maintenance.
2.2 Longevity
Information stays active concurrently corresponding to duration requirements linked inherently to terms execution along applicable post-contract handover windows. Disposals stand conditioned to:
- extended operational law safeguards;
- backend retention snapshots adhering safely to temporary bounds.
2.3 Dataset Branches
Relevant Customer inputs comprise likely items spanning:
- outreach handles and corresponding markers;
- contact entries logged into dynamic segments;
- outbound telephony parameters and timestamps;
- SMS history mapping;
- parsed insights or transcripts matching campaigns;
- cross-platform attribution traces.
Deliberate gathering of specialized sensitive categories breaks fundamental standards without explicit self-directed compliance buffers strictly borne by Customers.
2.4 Focused Audience Pool
Targeted cohorts consistently wrap the core prospects, potential clientele, or leads targeted independently via Customer operations.
3. CUSTOMER INSTRUCTIONS
Convertr processes personal data only based on documented Customer operations. Such actions correlate closely with:
- dashboard environment adjustments;
- switching modules live;
- formal support interactions;
- signed and authorized commercial setups.
3.1 Invalid Request
Whenever Convertr suspects explicit processing commands contravening regulations, prompt clarification requests suspend controversial actions pending clear justification or rectification.
4. CONFIDENTIALITY
Authorized personnel accessing required systems remain explicitly restricted beneath secure protocols enforcing confidentiality laws continuously minimizing exposure solely around technical dependencies.
5. SAFEGUARDS
Consistent protections reflecting modernized feasibility bounds map defensive layers proportionately countering vulnerabilities targeting data handling environments.
Typical alignments comprise notably:
- permissions gating alongside rigid verifications;
- threat logging enabling investigative lookbacks;
- infrastructure backups scaling dynamically;
- malicious interference shields.
Real-world strength strictly correlates around engaged modules alongside integrations linked remotely.
6. CUSTOMER RECOURSE SUPPORT
Convertr supplies proportionate tooling empowering organizational obligations addressing standard regulatory checks, featuring prominently:
6.1 User Data Privileges
- alerting Customers of stray public queries linked internally;
- enabling system access for execution modifications when logically feasible.
6.2 Secure Context
- open layout detailing systemic fortifications;
- optimization instructions matching safe operational boundaries.
6.3 Intrusions
- timely escalations outlining scope per guidelines;
- remedial transparency aiding subsequent external transparency.
6.4 DPIA Checks
- documentation sourcing to inform independent compliance testing.
7. SUBPROCESSORS
7.1 Valid Consent
Customers agree explicitly towards listed external service branches featured in Annex 2 governing the backend mechanics.
7.2 Legally Enforced Commitments
Operational reliance ties downstream partnerships firmly around synchronized data protection criteria mirroring main expectations where applicable.
7.3 Responsibility Scope
Convertr assumes proportionate accountability regarding subprocessor interactions mirroring contractual guardrails limiting unexpected liabilities.
7.4 Structural Edits
Convertr communicates substantive ecosystem evolutions impacting engaged subprocessors within a fair margin beforehand.
Valid disputes trigger dialogue assessing substitute workflows minimizing reliance vulnerabilities or enabling seamless compartmentalized exits.
7.5 International Transport
Deployments crossing EEA lines maintain approved safety assurances leveraging applicable decisions alongside supplemental contracts enforcing local integrities rigorously.
8. DATA VIOLATIONS
Convertr commits swift notification dispatching upon discovering data integrity faults outlining accessible intelligence maximizing responsive mitigation alongside regulatory compliance routines led effectively by the Customer.
9. EXPIRATION PROCEDURES
Termination sequences naturally launch processes addressing Customer files utilizing feasible export utilities throughout reversible stages followed shortly by:
- erasure scripts securing complete systemic destruction minus specific legally mandated archive remnants or backup caches timed rigidly.
10. AUDIT PROVISIONS
Convertr assists structural inquiries documenting foundational conformances facilitating reasonable audits constrained yearly limiting operational hindrances extensively preferring documented oversight primarily unless circumstances mandate critical procedural testing.
ANNEX 2 — CONVERTR
AUTHORIZED SUBPROCESSOR LIST
Version: 1.1
Effective Date: March 28, 2026
4.1 Convertr Subprocessors
a) Hosting and Infrastructure
| Provider | Location | Role |
|---|---|---|
| Vercel | EU / US | Hosting convertr.fr landing page and app.convertr.fr dashboard |
| Railway | US | API backend hosting, PostgreSQL database, and Redis caching |
b) File Storage
| Provider | Location | Role |
|---|---|---|
| Cloudflare R2 | Depending on region | Files, documents, and creative advertising media storage |
c) Telephony, SMS, and Voice Agent
| Provider | Location | Role |
|---|---|---|
| Twilio | US | Sending SMS and providing connected communication services, upon activation |
| Retell AI | US | Voice AI, call handling and transcription, upon activation |
d) Transactional Email
| Provider | Location | Role |
|---|---|---|
| Resend | US | Dispatching automated transactional emails (password reset, reports, confirmations) |
e) AI Models via APIs (based on workflows)
| Provider | Location | Role |
|---|---|---|
| OpenAI | Provider's infrastructure | Generation and logic routing operations dynamically applied based on automated n8n workflows |
| Anthropic | Provider's infrastructure | |
| Mistral | Provider's infrastructure | |
| Google Gemini | Provider's infrastructure |
f) Convertr Professional Services
| Provider | Location | Role |
|---|---|---|
| Mr. Adel BELGROUN (EI) SIREN : 999 268 105 | France / EU | Initial setup, onboarding, integration assistance, guided oversight, troubleshooting maintenance, and potential ad performance tracking if scoped |
4.2 Customer's External Services — Independent Controllers
a) Ad Integrations
| Provider | Role |
|---|---|
| Meta (Facebook / Instagram Ads) | Syncing campaigns and ingesting leads if activated by Customer |
| Google Ads | Syncing campaigns, metrics, and mapped inputs if activated by Customer |
b) Calendar Integrations
| Provider | Role |
|---|---|
| Google Calendar | Synchronizing meetings via OAuth, directly upon authorization |
| Microsoft Outlook Calendar / Microsoft Graph | Synchronizing meetings via OAuth, directly upon authorization |
4.3 Internal Technical Tool
The n8n framework runs fundamentally to power localized routing automation.
Maintained directly and operated entirely privately, n8n functions solely as systemic infrastructure, lacking independent vendor classification.