1. Purpose & Scope

This Data Processing Agreement (“DPA”) forms part of the service contract (the “Agreement”) between Fox-Plan SAS (“Fox-Plan”) and the client entity (the “Client”).

The DPA sets the terms under which Fox-Plan processes Personal Data strictly for the performance of the Agreement, on behalf of the Client, in accordance with the GDPR (EU 2016/679) and applicable data protection laws.

This DPA applies where the Client acts as Controller (or Processor) and Fox-Plan acts as Processor (or Sub-processor). Processing activities for which Fox-Plan acts as Controller are governed by Fox-Plan’s Privacy Policy.

2. Definitions

Terms have the meanings set forth in Article 4 GDPR, including: “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, and “Personal Data Breach”.

3. Roles & Responsibilities

Fox-Plan as Processor

Fox-Plan shall process Personal Data only on the documented instructions of the Client and strictly for the Agreement’s purposes. No use for marketing, profiling, or resale.

Client as Controller (or Processor)

The Client determines purposes and means of Processing, ensures lawfulness and notices to Data Subjects, and provides instructions to Fox-Plan in compliance with GDPR.

4. Nature, Purpose & Categories of Data

Purpose: provision and operation of the Fox-Plan service; hosting, backup, administration; account and access management; support & maintenance; anonymized analytics to improve service quality.

Categories of Data: identification (name, email), credentials, usage logs, technical metadata, and content stored by users within the service.

Data Subjects: Client’s end-users, employees, contractors, and authorized partners.

Duration: for the term of the Agreement and as otherwise required for reversibility or legal retention.

5. Location & Hosting (Scaleway DPA)

Data is hosted in France within data centers operated by Scaleway SAS. No data transfers outside the European Union are performed without adequate safeguards (e.g., EU Standard Contractual Clauses or adequacy decision).

Processing by Scaleway is governed by the Scaleway Data Processing Agreement: official PDF.

6. Security Measures

Fox-Plan implements appropriate technical and organizational measures to ensure confidentiality, integrity, and availability, including:

• Encryption in transit and at rest (TLS 1.2+ / TLS 1.3; AES-256 or equivalent).
• Strict access control (least privilege), secure authentication, and access logging.
• Environment isolation and network segmentation; WAF and intrusion monitoring.
• Secure software lifecycle, patching, and vulnerability management.
• Regular backups and tested restores; BCP/DR procedures.

Encrypted Data Storage

All customer data stored in our databases is encrypted at rest. Production database access is limited to authorized personnel under strong authentication and logging. Backups are encrypted and stored in secure Scaleway facilities in France.

7. Backups & High Availability

• Full daily backups of Client data; retention per internal policy and legal needs.
• Replication and high-availability architecture to minimize data loss risk.
• Documented restore procedures with periodic testing.

8. Sub-processors

Fox-Plan may engage Sub-processors (e.g., hosting, backup, support, messaging). Fox-Plan imposes data protection obligations equivalent to this DPA and remains fully responsible for Sub-processors’ performance.

An up-to-date list of Sub-processors is available upon request: dpo@fox-plan.com.

9. Assistance with Data Subject Rights

Taking into account the nature of Processing, Fox-Plan assists the Client, insofar as possible, in fulfilling requests from Data Subjects (access, rectification, erasure, restriction, portability, objection) and in meeting GDPR obligations (e.g., DPIA support where applicable).

10. Incident & Breach Notification

In the event of a Personal Data Breach, Fox-Plan will notify the Client without undue delay and within 24 hours of becoming aware, providing known details (nature, categories, volume, likely consequences, measures taken).

Fox-Plan will cooperate with the Client for any required regulatory notification, including to the French CNIL within 72 hours where applicable, and communications to Data Subjects if necessary.

11. Audits

The Client may conduct (or mandate) one security audit per year on one-month prior written notice, via an independent, non-competitor auditor, during normal business hours, without disrupting operations, and subject to Fox-Plan’s security and confidentiality policies. Critical vulnerabilities will be remediated without undue delay.

12. Reversibility: Return & Deletion

Upon termination of the Agreement, and at the Client’s option, Fox-Plan will return or delete all Client Personal Data within 30 days, except where legal retention applies.

• Standard export format: JSON (at no additional cost).
• Additional extraction/assistance services available on request (separately quoted).
• Deletion will be confirmed by a written deletion certificate on request.

13. Data Ownership

The Client remains the sole owner of the Personal Data processed via the Fox-Plan service. Fox-Plan acquires no rights over such data and shall not use it for purposes other than performing the Agreement.

14. Liability

Each Party is liable for its own breaches of this DPA and applicable data protection law. Fox-Plan’s liability is limited to direct damages proven to result from its breach of this DPA or GDPR obligations; Fox-Plan shall not be liable for indirect or consequential damages, nor for damages arising from the Client’s unlawful instructions or misuse of the services.

15. Governing Law & Jurisdiction

This DPA is governed by French law. Any dispute shall be subject to the exclusive jurisdiction of the courts of Versailles (France), without prejudice to mandatory consumer or data protection forum rules where applicable.

16. Contact & Data Protection Officer (DPO)

Fox-Plan SAS
4 Place Maurice Berteaux, 78400 Chatou, France

DPO / Privacy contact: dpo@fox-plan.com