Data Processing Agreement (DPA)

Last updated: February 17, 2026

This Data Processing Agreement (hereinafter "DPA") is entered into between the customer using Sens-AI services, acting as the Data Controller, and Sens-AI, acting as the Data Processor, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

In the event of a conflict between this DPA and any other provision of the Terms of Service relating to personal data processing, this DPA shall prevail to the extent of the conflict.

1. Subject and Duration of Processing

This DPA defines the conditions under which Sens-AI processes personal data on behalf of the customer, in the context of providing the AI chatbot SaaS service.

The DPA takes effect on the date of service subscription and remains applicable throughout the contract duration, as well as during the period in which Sens-AI retains personal data on behalf of the customer.

Upon expiration or termination of the contract, the obligations regarding the deletion or return of personal data apply in accordance with Section 12 below.

2. Nature and Purpose of Processing

Sens-AI provides an AI chatbot SaaS service enabling, among other things:

  • Management of conversations between end users and the chatbot
  • Hosting, storage, search, and analysis of conversation content
  • Indexing and semantic search in the customer's knowledge base
  • Administration of user accounts and access rights
  • Support, improvement, and monitoring features

Operations performed may include: collection, recording, organization, structuring, storage, consultation, use, transmission, erasure, and destruction of personal data.

3. Types of Personal Data Processed

Depending on the customer's configuration, the processed data may include:

  • Identification data: name, professional email address, user ID
  • Connection data: logs, IP address, session identifiers, timestamps
  • Conversation content: text messages entered in the chatbot
  • Knowledge base data: content of uploaded files (PDF, DOCX, CSV) and scraped web pages
  • Usage data: usage statistics, settings, preferences
  • Billing data: customer ID, subscription plan, payment history

Retention periods:

| Data Type | Retention Period |
|---|---|
| Conversations and messages | Contract duration + 30 days |
| Cache data (Redis) | Maximum TTL of 24 hours |
| Vector embeddings | Deleted when source is removed |
| Uploaded files (R2) | Deleted when source is removed |
| Technical logs | 30 to 90 days |
| Billing data | As required by applicable law |

4. Categories of Data Subjects

Persons whose data is processed may include:

  • End users of the chatbot: customers, prospects, and internal users of the data controller
  • Customer team members: administrators and operators using the dashboard
  • Billing contacts: persons responsible for payment and subscription management
  • Any other category defined by the customer in their documentation of instructions

5. Obligations of the Processor (Sens-AI)

Sens-AI undertakes to:

  • Documented instructions: process personal data only on documented instructions from the customer, unless required by law
  • Confidentiality: ensure that authorized persons processing data are bound by a confidentiality obligation
  • Security: implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR)
  • Processing records: maintain a record of processing activities carried out on behalf of the customer
  • Breach notification: notify the customer without undue delay of any personal data breach
  • Rights assistance: assist the customer in enabling the exercise of data subject rights (access, rectification, erasure, objection, restriction, portability)
  • Use limitation: not use personal data for purposes other than providing the service, nor sell, rent, or exploit them for its own benefit

6. Obligations of the Data Controller (Customer)

The customer undertakes to:

  • Ensure that processing entrusted to Sens-AI complies with applicable data protection laws, including obtaining legal bases and informing data subjects
  • Provide Sens-AI with documented, lawful, and proportionate instructions
  • Promptly inform Sens-AI of any changes affecting these instructions
  • Take into account the documentation and information provided by Sens-AI, particularly regarding security measures

7. Sub-processors

The customer authorizes Sens-AI to engage the following sub-processors to provide the service. Sens-AI contractually imposes data protection obligations on these sub-processors at least equivalent to those of this DPA.

| Sub-processor | Service | Data Processed | Location |
|---|---|---|---|
| Turso | Relational database (LibSQL/SQLite) | Accounts, conversations, messages, FAQ, billing | EU (Ireland) |
| Upstash Redis | Cache, rate limiting, sessions | Cached responses, IP counters, sessions | EU (Frankfurt) |
| Upstash Vector | Vector database, semantic search (RAG) | Knowledge base embeddings, semantic cache | EU (Frankfurt) |
| Upstash QStash | Async pipeline orchestration | URLs, in-transit content, technical IDs | EU (Frankfurt) |
| Mistral AI | AI language model (LLM) | Prompts, conversation contexts | EU (France) |
| Cloudflare R2 | Object storage (uploaded files) | PDF, DOCX, CSV uploaded by customer | EU |
| Creem | Payment platform (Merchant of Record) | Payment data, billing, subscriptions | EU (PCI-DSS) |
| Loops.so | Transactional and marketing email | Emails, names, communication preferences | United States (SCCs) |

Sens-AI will notify the customer of any significant addition or replacement of a sub-processor, within a reasonable period before implementation, to allow the customer to raise any reasoned objections.

Sens-AI remains fully liable to the customer for the performance of sub-processor obligations (Article 28(4) GDPR).

8. Security Measures

In accordance with Article 32 of the GDPR, Sens-AI implements the following technical and organizational measures:

  • Encryption in transit: all communications are encrypted via TLS/HTTPS
  • Encryption at rest: data stored in databases and object storage is encrypted at rest
  • Access control: authentication with hashed passwords (bcrypt), tenant-based access management
  • Data isolation: logical separation per tenant (database, vector namespaces, file buckets)
  • Rate limiting: protection against abuse and denial-of-service attacks
  • Logging: access and operation logs for traceability and incident detection
  • Backups: regular backups of relational data
  • Webhook verification: HMAC-SHA256 signature for callback authentication

9. Transfers Outside the EEA

Sens-AI's core infrastructure is hosted in the European Union. However, certain sub-processors may involve data transfers outside the European Economic Area (EEA).

Where transfers outside the EEA are necessary, they are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with Article 46 of the GDPR.

Please refer to Section 7 above for the detailed transfer table per sub-processor.

10. Breach Notification

In the event of a personal data breach, Sens-AI undertakes to:

  • Notify the customer without undue delay after becoming aware of the breach
  • Provide available information useful for assessing the breach, including:
    • The nature of the breach
    • The categories and approximate number of data subjects affected
    • The likely consequences of the breach
    • The measures taken or proposed to address it
  • Assist the customer in notifying the supervisory authority (CNIL) and, where applicable, the data subjects concerned

11. Audit and Review

The customer has the right to verify Sens-AI's compliance with this DPA and the GDPR:

  • Through requests for information and security documentation
  • Through on-site or remote audits, subject to reasonable prior notice
  • Through an independent auditor appointed by the customer

The parties agree to limit the frequency and scope of audits to what is strictly necessary for compliance verification, without excessively disrupting Sens-AI's operations.

Sens-AI also assists the customer, where possible, in carrying out Data Protection Impact Assessments (DPIAs) when required.

12. Data Handling on Contract Termination

Upon termination of the contract, the customer chooses between:

  • Return: export of personal data (via API or dashboard) followed by deletion by Sens-AI
  • Deletion: permanent deletion of personal data, subject to data that Sens-AI must retain to comply with legal obligations

The customer has 30 days following contract termination to request data export. After this period, Sens-AI will proceed with permanent data deletion.

Sens-AI certifies, upon request from the customer, the proper execution of deletion or anonymization operations.

13. DPO Contact

For any questions regarding this DPA or the processing of your personal data, you can contact our Data Protection Officer:

Sens-AI - Data Protection

Email: dpo@sens-ai.biz

Website: https://sens-ai.biz

This DPA is governed by French law. Any dispute relating to its interpretation or execution shall be subject to the exclusive jurisdiction of the courts of Paris, unless otherwise required by mandatory provisions.