DPA
1. Purpose and scope of the agreement
This Data Processing Agreement (hereinafter the "DPA") governs the conditions under which Zylior processes personal data on behalf of its customers, in the context of using the Zylior platform. It is established in compliance with Regulation (EU) 2016/679 (hereinafter the "GDPR"), and in particular its Article 28 relating to the relationship between controller and processor.
This DPA forms an integral part of the Terms of Use and Sale concluded between Zylior and the customer. In the event of a conflict between this DPA and those terms on data protection matters, the provisions of this DPA prevail.
It is deemed accepted as soon as the customer takes out a Zylior subscription or uses the platform to process personal data concerning third parties (prospects, leads, contacts, end customers).
2. Definitions
The terms used in this DPA retain the meaning given to them by the GDPR. For reference:
- Personal data: any information relating to an identified or identifiable natural person.
- Processing: any operation applied to personal data (collection, recording, storage, modification, consultation, disclosure, deletion, etc.).
- Controller: the entity that determines the purposes and means of the processing. Under this DPA, this is the customer.
- Processor: the entity that processes the data on behalf of the controller. Under this DPA, this is Zylior.
- Sub-processor: any provider that Zylior engages to carry out specific processing activities on behalf of the customer.
- Data subject: the natural person to whom the personal data relates.
- Data breach: any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data.
3. Roles and allocation of responsibilities
Within the framework of using the platform, the roles are allocated as follows:
- The customer acts as controller for the personal data it imports, collects, or generates via Zylior (in particular the data of prospects, leads, contacts, and end customers in the context of its ads, content, leads, meetings, and automation campaigns).
- Zylior acts as processor: it processes this data solely on the customer's documented instructions, as materialized by the use of the platform's features and by this DPA.
The customer warrants that it has a valid legal basis (consent, legitimate interest, performance of a contract, etc.) for each processing operation it carries out via Zylior, and that it has fulfilled its own obligations to inform the data subjects.
For its own account management, billing, security, and service improvement needs, Zylior acts as a separate controller. These processing operations are described in the Privacy Policy.
4. Nature, purpose, and duration of the processing
Nature and purpose
Zylior processes personal data for the sole purpose of providing the platform's services: centralizing the growth of a portfolio of micro-SaaS, managing advertising campaigns, producing content, generating and qualifying leads, booking meetings, and automating workflows, all powered by AI.
The processing operations include in particular the collection, recording, organization, structuring, storage, consultation, use, disclosure to authorized sub-processors, as well as the erasure of the data.
Duration
The processing is carried out for the entire duration of the contract binding the customer to Zylior. It ends upon termination or expiry of the contract, subject to the provisions relating to the return and deletion of data set out in Article 11.
5. Categories of data and data subjects
Categories of data subjects
- Prospects and leads collected by the customer through its campaigns;
- The customer's professional contacts and end customers;
- Users and members of the customer's team with access to the platform.
Categories of data processed
- Identification data: last name, first name, title;
- Contact details: email address, phone number, postal address;
- Professional data: company, role, industry, company size;
- Business relationship data: exchange history, lead status, meetings, notes, scoring;
- Connection and technical data: IP address, identifiers, activity logs, platform usage data;
- Any content freely entered by the customer in the platform's fields.
Zylior is not intended to process special categories of data (so-called "sensitive" data within the meaning of Article 9 of the GDPR). The customer undertakes not to import such data without having first put in place the appropriate safeguards and informed Zylior.
6. Zylior's obligations as processor
In accordance with Article 28 of the GDPR, Zylior undertakes to:
- process the data only on the customer's documented instructions, including with regard to transfers outside the European Union, unless required to do so by law — in which case Zylior informs the customer before processing, unless legally prohibited;
- ensure that persons authorized to process the data are bound by an appropriate confidentiality obligation;
- implement the appropriate technical and organizational measures described in Article 7;
- comply with the conditions for engaging a sub-processor set out in Article 8;
- assist the customer in responding to requests by data subjects to exercise their rights (Article 9);
- assist the customer in complying with its obligations regarding security, breach notification, impact assessment, and prior consultation of the supervisory authority;
- at the end of the contract, delete or return the data in accordance with Article 11;
- make available to the customer all information necessary to demonstrate compliance with its obligations and allow the audits provided for in Article 10;
- immediately inform the customer if, in its view, an instruction constitutes an infringement of the GDPR or another applicable data protection provision.
7. Security measures
Zylior implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include in particular encryption of data in transit and at rest, strict access control, logging of operations, regular backups, separation of environments, and incident management procedures.
The details of the measures implemented, as well as the organization of security at Zylior, are described on the Security page, which forms an integral part of this DPA and is regularly updated.
Data breach notification
In the event of a personal data breach, Zylior notifies the customer as soon as possible after becoming aware of it, and at the latest within 48 hours. The notification specifies, as far as possible, the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address it. Zylior provides the customer with reasonable assistance to enable it to comply with its own notification obligations to the supervisory authority and, where applicable, to the data subjects.
8. Sub-processors
The customer generally authorizes Zylior to engage sub-processors to carry out certain processing activities (infrastructure hosting, email services, AI vendors, analytics tools, etc.).
Zylior undertakes to:
- engage only sub-processors providing sufficient guarantees regarding the implementation of appropriate technical and organizational measures;
- impose on each sub-processor, by contract, data protection obligations equivalent to those of this DPA;
- remain fully liable to the customer for the performance by the sub-processor of its obligations;
- keep the list of its sub-processors up to date and inform the customer of any planned addition or replacement, so as to allow it to raise legitimate objections within a reasonable time.
The up-to-date list of sub-processors is available on request at hello@zylior.com.
Transfers outside the European Union
Where processing involves a transfer of data to a country located outside the European Economic Area, Zylior ensures that this transfer is governed by a mechanism recognized by the GDPR: an adequacy decision by the European Commission or, failing that, standard contractual clauses supplemented by the necessary additional measures.
9. Assistance and data subjects' rights
Zylior makes available to the customer the features and tools necessary to enable it to respond to requests by data subjects to exercise their rights: right of access, rectification, erasure, restriction, objection, and portability.
If a request to exercise rights is sent directly to Zylior, Zylior forwards it to the customer as soon as possible and does not respond directly to the data subject, unless instructed by the customer or required by law.
Taking into account the nature of the processing, Zylior also assists the customer, as far as possible and through appropriate technical and organizational measures, in fulfilling its obligations relating to the security of processing, breach notification, data protection impact assessments, and prior consultation of the supervisory authority.
10. Audit and demonstration of compliance
Zylior makes available to the customer all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and this DPA.
To this end, the customer may, at most once a year and subject to reasonable notice of at least thirty days, request that an audit be carried out. This audit may take the form of:
- the provision of relevant documentation (security policies, audit reports, certifications where applicable);
- a compliance questionnaire;
- an on-site audit conducted by the customer or an independent third party mandated by it, subject to a confidentiality undertaking.
Audits are carried out during business hours, so as not to disrupt Zylior's operations, and with respect for the confidentiality of other customers' data. The direct costs of an on-site audit are borne by the customer, unless the audit reveals a substantial breach by Zylior of its obligations.
11. Return and deletion of data at the end of the contract
Upon expiry or termination of the contract, and according to the choice expressed by the customer, Zylior proceeds to:
- either the return of all the personal data processed on behalf of the customer, in a structured and commonly used format;
- or the definitive deletion of this data.
Failing instruction from the customer within thirty days of the end of the contract, Zylior proceeds to delete the data. The data is also definitively deleted from the backups, within the limits of the technical backup rotation cycles.
Zylior nevertheless retains the data whose retention is required by a legal or regulatory obligation, for the sole duration and the sole purposes provided for by that obligation. On request, Zylior provides the customer with a certificate of data deletion.
12. Duration, modification, and contact
This DPA remains in effect for the entire duration of the processing of personal data by Zylior on behalf of the customer. It may be updated to take account of changes in regulations, security practices, or the platform's features; the applicable version is the one published on the site at the time of the processing concerned.
For any question regarding this DPA or the exercise of rights, the customer may write to hello@zylior.com.