Data processing agreement (DPA)

Retyc - a service by TripleStack SAS

Version 1.0 - Effective as of: 24 May 2026

BETWEEN:

TripleStack SAS, a simplified joint-stock company (société par actions simplifiée unipersonnelle) with a share capital of €1,000, registered with the Lyon Trade and Companies Register (RCS) under number 853 010 064, with its registered office at 12 B rue du Stade - 69290 Grézieu-la-Varenne (hereinafter "TripleStack" or the "Processor"),

AND:

The B2B Customer who has accepted the Terms to which this DPA is annexed (hereinafter the "Controller" or the "Customer"),

Hereinafter collectively referred to as the "Parties".

Preamble

In the context of providing the Services defined in the Terms, TripleStack processes Personal Data on behalf of the B2B Customer, acting as a processor within the meaning of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "GDPR").

This DPA is intended to define the conditions under which TripleStack processes such data on behalf of the Customer, in accordance with the requirements of Article 28 of the GDPR.

This DPA forms an integral part of the Terms. In the event of any conflict between the provisions of this DPA and those of the Terms, the provisions of this DPA shall prevail with regard to the processing of Personal Data.

Terms defined in the Terms retain their meaning in this DPA. The terms defined below supplement those definitions.

Article 1 - Definitions

"Personal Data": any information relating to an identified or identifiable natural person, within the meaning of Article 4 of the GDPR.

"Processing": any operation or set of operations performed on Personal Data, within the meaning of Article 4 of the GDPR.

"Data Breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

"Sub-processor": any third party engaged by TripleStack to carry out processing activities on behalf of the Customer, in the context of providing the Services.

"Supervisory Authority": the Commission nationale de l'informatique et des libertés (CNIL) or any other competent supervisory authority within the meaning of Article 4(21) of the GDPR.

Article 2 - Subject matter, nature and purpose of processing

TripleStack processes Personal Data on behalf of the Customer solely for the purpose of performing the Services defined in the Terms, and in particular:

  • encrypted storage of files and documents uploaded by the Customer and its Registered Users on the Platform;
  • management of user accounts and permissions within the Customer's Organisation;
  • management of file sharing between Registered Users and, where applicable, with Anonymous Users;
  • provision of Platform features as defined on the Retyc website;
  • management of technical operations necessary for the continuity and security of the Services (backups, logging, maintenance).

TripleStack processes Personal Data only on documented instructions from the Customer, including with regard to transfers, unless required to do so by applicable law. In the latter case, TripleStack will inform the Customer before processing, unless the applicable law prohibits such notification.

Article 3 - Nature of data processed and categories of data subjects

3.1 Categories of data subjects

Personal Data processed by TripleStack on behalf of the Customer may relate to the following categories of persons:

  • the Customer's Registered Users (employees, collaborators, contractors or any other user authorised by the Customer);
  • Anonymous Users accessing files shared by the Customer or its Registered Users;
  • any natural person whose data may appear in files and documents uploaded by the Customer to the Platform.

3.2 Categories of data processed

The categories of data processed by TripleStack on behalf of the Customer include:

  • Identification and account data: name, first name, email address, login credentials of Registered Users;
  • Connection and browsing data: IP addresses, connection logs, Platform usage data, timestamps;
  • File metadata: size, creation and modification date, Organisation directory structure (file names and types are encrypted client-side and inaccessible to TripleStack);
  • File content: data contained in files uploaded by the Customer and its Registered Users to the Platform.

The data processed does not, in principle, include special categories of data within the meaning of Article 9 of the GDPR (health data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.), unless the Customer voluntarily uploads such data to the Platform, in which case the Customer remains solely responsible.

Article 4 - Duration of processing

TripleStack processes Personal Data on behalf of the Customer for the duration of the Terms.

Upon expiry or termination of the Terms, TripleStack undertakes to return all Personal Data to the Customer, under the conditions defined in Article 21 of the Terms relating to data portability, within thirty (30) days of the end of the contractual relationship.

The technical deletion of data from the Platform takes place immediately after return to the Customer, or upon expiry of the thirty (30) day period if no export request has been made. Upon completion of such deletion, TripleStack will provide the Customer, upon request, with a certificate of deletion. Unless a legal retention obligation applies, no Personal Data processed on behalf of the Customer shall remain on TripleStack's systems beyond this period.

Article 5 - Obligations of TripleStack

5.1 Processing on instruction

TripleStack undertakes to process Personal Data only on documented instructions from the Customer, as set out in the Terms and this DPA, or any subsequent written instruction from the Customer.

If TripleStack considers that an instruction from the Customer constitutes a violation of the GDPR or any other applicable data protection legislation of the Union or a Member State, it will immediately inform the Customer.

5.2 Confidentiality

TripleStack undertakes to ensure that persons authorised to process Personal Data in connection with the Services are subject to an appropriate obligation of confidentiality, whether contractual or statutory, and have received adequate training in data protection.

5.3 Security

TripleStack undertakes to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, including:

  • end-to-end encryption of Customer Data using a zero-knowledge architecture, ensuring that TripleStack has no access to the content of stored files;
  • encryption of data in transit and at rest;
  • exclusive hosting of data on infrastructure located within the European Union;
  • regular and secure backup procedures;
  • strict access controls to systems processing Personal Data;
  • access logging and monitoring procedures;
  • regular testing, assessment and evaluation of the effectiveness of security measures.

5.4 Notification of data breaches

In the event of a Data Breach affecting Personal Data processed on behalf of the Customer, TripleStack will notify the Customer without undue delay and, where possible, within seventy-two (72) hours of becoming aware of the breach.

This notification will include, to the extent that the information is available at that stage:

  • a description of the nature of the Data Breach, including the categories and approximate number of data subjects and personal data records affected;
  • the name and contact details of the data protection officer or other contact point from whom further information can be obtained;
  • a description of the likely consequences of the Data Breach;
  • a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

If all information is not available simultaneously, TripleStack will provide it to the Customer in a phased manner, without undue delay.

5.5 Assistance to the Customer

TripleStack undertakes to assist the Customer, insofar as possible and taking into account the nature of the processing and the information available to it, in:

  • responding to requests by data subjects to exercise their rights (right of access, rectification, erasure, objection, portability, restriction);
  • complying with obligations under Articles 32 to 36 of the GDPR, in particular with regard to security, breach notification, impact assessments and prior consultation with the Supervisory Authority.

Any assistance request beyond the scope of the Services defined in the Terms may be subject to additional charges, subject to prior agreement from the Customer.

5.6 Fate of data at the end of the contract

At the end of the contract, TripleStack undertakes to return Personal Data to the Customer and to proceed with its permanent and secure deletion under the conditions defined in Article 4 of this DPA.

Article 6 - Obligations of the Customer

The Customer acknowledges and warrants that it:

  • acts as data controller for the Personal Data processed by TripleStack in connection with the Services;
  • has a valid legal basis for each of the processing activities entrusted to TripleStack;
  • has informed data subjects of the processing carried out on its behalf by TripleStack, in accordance with Articles 13 and 14 of the GDPR;
  • will only communicate to TripleStack data that is strictly necessary for the performance of the Services;
  • will ensure that special categories of data within the meaning of Article 9 of the GDPR are not uploaded to the Platform, unless the Customer assumes full responsibility for doing so.

Article 7 - Sub-processors

7.1 General authorisation

The Customer authorises TripleStack to engage the Sub-processors listed in Article 7.2 of this DPA for the performance of the Services.

7.2 List of Sub-processors

The current list of Sub-processors is available and kept up to date at https://retyc.com/legal/subprocessors. This list forms an integral part of this DPA. TripleStack undertakes to notify the Customer of any addition or change under the conditions set out in Article 7.3.

7.3 Changes to the list of Sub-processors

TripleStack will notify the Customer of any planned addition or replacement of a Sub-processor, with reasonable prior notice of at least thirty (30) days before the change takes effect, by any means capable of providing written evidence.

The Customer has fifteen (15) days from such notification to object to the change of Sub-processor on legitimate grounds relating to data protection. In the event of an unresolved objection, the Customer may terminate the Terms without penalty.

7.4 Obligations imposed on Sub-processors

TripleStack undertakes to impose on its Sub-processors obligations equivalent to those imposed on it under this DPA, in particular with regard to security, confidentiality and data protection. TripleStack remains liable to the Customer for the acts and omissions of its Sub-processors.

Article 8 - Transfers of data outside the European Union

All Personal Data processed by TripleStack on behalf of the Customer is hosted and processed exclusively on infrastructure located within the European Union.

TripleStack undertakes not to transfer the Customer's Personal Data to a third country outside the European Union without the Customer's prior written consent, and without appropriate safeguards within the meaning of Chapter V of the GDPR being in place.

Article 9 - Right to information

9.1 Documentation

TripleStack makes available to the Customer all documentation necessary to demonstrate compliance with the obligations imposed on the Processor by Article 28 of the GDPR, including:

  • this DPA;
  • any certification, security audit report or compliance attestation available to TripleStack;
  • responses to reasonable security and compliance questionnaires submitted by the Customer.

9.2 Right to information

The Customer may, once a year, send TripleStack a written questionnaire regarding the security measures and processing conditions implemented in connection with the Services. TripleStack undertakes to respond within a reasonable period not exceeding thirty (30) days.

Article 10 - Data protection contact

For any questions relating to data protection under this DPA, the Customer may contact TripleStack at: legal@retyc.net.

Article 11 - Liability

Each Party is responsible for compliance with its own obligations under this DPA and the GDPR.

In its relations with the Customer, TripleStack is liable for damages caused by processing that does not comply with this DPA or the GDPR and is attributable to it. TripleStack's liability under this DPA is subject to the limitations of liability defined in the Terms.

The Customer is responsible for the lawfulness of the processing it entrusts to TripleStack, the quality of the data transmitted and compliance with its own obligations as data controller.

Article 12 - Governing law and jurisdiction

This DPA is governed by French law and the GDPR.

Any dispute relating to the interpretation or performance of this DPA shall be subject to the jurisdiction of the competent courts of Lyon, in accordance with the provisions of the Terms applicable to B2B Customers.