Skip to main content
jarviz
Back to home
Legal

Data Processing Agreement

Last updated · April 2026

This Data Processing Agreement ("DPA") forms part of the Jarviz Terms of Service between Groupe Verlaine SAS ("Processor") and the Customer ("Controller"). It applies whenever Jarviz processes personal data on behalf of the Customer in the course of providing the Service.

1. Subject matter & duration

The Processor will process personal data on behalf of the Controller for the duration of the Service subscription, in order to provide the unified revenue decision system described in the order form.

2. Nature of processing

Categories of data: identifiers (email, name, hashed identifiers), professional contact details, advertising data, CRM data, transactional data.

Data subjects: end users of the Controller, leads, prospects and customers of the Controller.

Operations: collection, storage, structuring, matching, transfer to advertising APIs, analytics.

3. Processor obligations

Process personal data only on documented instructions from the Controller.

Ensure that personnel are bound by confidentiality.

Implement appropriate technical and organizational measures (Article 32 GDPR), described in Annex II.

Assist the Controller with data subject requests, security incidents and DPIAs.

Notify the Controller of any personal data breach without undue delay (and within 72 hours wherever possible).

4. Subprocessors

The Controller authorizes the Processor to engage subprocessors listed in Annex III. The Processor will give prior notice of any addition or replacement, and the Controller may object on reasonable data-protection grounds within 14 days.

The Processor remains liable for the acts and omissions of its subprocessors.

5. International transfers

Where transfers to a country outside the European Economic Area are necessary, they are governed by the European Commission's Standard Contractual Clauses (Decision 2021/914), which are incorporated into this DPA by reference.

6. Audit

Once per year, the Controller may request an audit by an independent third party, at its own expense, after thirty (30) days' notice and subject to confidentiality. SOC 2 Type 2 reports satisfy this obligation when available.

7. Termination

Upon termination of the Service, the Processor will delete or return all personal data within sixty (60) days, unless retention is required by law.