Last updated: July 3, 2026
Data Processing Agreement (DPA)
This Data Processing Agreement (the "DPA") governs the processing of personal data carried out by SymbiozAI SASU (SIREN 103 609 244, registered office in Lyon 69003, France), as a data processor, on behalf of its customers, as data controllers. It forms an integral part of the Terms of Service and applies as from subscription to the Service.
1. Definitions
The terms Data controller, Data processor, Subprocessor, Data subject, Personal data, and Personal data breach have the meaning given to them by the GDPR (EU Regulation 2016/679). "Customer Data" means the personal data processed by SymbiozAI on behalf of the Customer through the Service.
2. Subject matter, duration, nature, and purpose of the processing
- Subject matter: the provision of the Service (AI-native CRM) involving the processing of Customer Data.
- Duration: the duration of the subscription, plus the reversibility and deletion period (§9).
- Nature of the operations: collection (ingestion of exchanges), recording, structuring, analysis (including analysis by artificial intelligence), consultation, making available, deletion.
- Purposes: monitoring and advancement of the Customer's commercial opportunities, qualification, follow-up assistance, data hygiene.
- Categories of persons: the Customer's professional contacts (prospects, customers, counterparties), including third parties in copy of emails.
- Categories of data: professional identity, contact details (email, number, LinkedIn profile), content of exchanges (see differentiated scopes in Annex A), message metadata, B2B enrichment data.
3. Instructions of the data controller
SymbiozAI processes Customer Data only on the documented instructions of the Customer (this DPA and the use of the Service constitute instructions). SymbiozAI informs the Customer if an instruction appears to it to be contrary to the GDPR.
4. SymbiozAI's obligations as a data processor
SymbiozAI: (a) guarantees confidentiality (authorized personnel, confidentiality undertaking); (b) implements appropriate security measures (Art. 32, see §7); (c) complies with the conditions for engaging subprocessors (§5); (d) assists the Customer with data subjects' requests (§6) and with its obligations (Arts. 32 to 36); (e) notifies any personal data breach (§8); (f) at the Customer's choice, deletes or returns the data at the end of the contract (§9); (g) makes available the information necessary to demonstrate its compliance and submits to audits (§10).
5. Subprocessors
The Customer authorizes the engagement of the subprocessors listed on our dedicated public page. SymbiozAI imposes on each of them a written contract containing obligations that are substantially equivalent to and no less protective than those set out herein, and remains liable for their performance.
Transparency arrangements: (a) a public list of subprocessors kept up to date; (b) prior notice of at least 30 days before the addition or replacement of a subprocessor; (c) a right of objection for the Customer within 30 days on legitimate grounds relating to data protection.
An overview of the subprocessors is set out in Annex B; the reference list, kept up to date, is published on the "List of subprocessors" page.
6. Assistance with data subjects' requests
SymbiozAI assists the Customer in responding to requests to exercise rights (access, rectification, erasure, objection, restriction). Data subjects exercise their rights with the Customer (the data controller); if they address SymbiozAI, the latter forwards the request to the Customer. The means made available to the Customer for this purpose are specified upon subscription.
7. Technical and organizational measures (Art. 32)
SymbiozAI implements the following measures:
- Multi-tenant isolation: partitioning of data by customer, supported by a database-level isolation mechanism (PostgreSQL Row-Level Security) on the CRM side.
- Encryption: encryption of access tokens (OAuth) and encryption in transit (TLS).
- Authentication of incoming flows: authentication of webhooks with constant-time comparison and rejection of unauthenticated requests.
- Human oversight: every outbound message is proposed, never sent without human validation.
- Audit log: traceability of actions (user, action, entity), with tamper-evidence properties on the CRM side.
- Minimization: excerpt of at most 200 characters transmitted to the artificial intelligence; logical deletion of data.
- No training: no model is trained on Customer Data, either by SymbiozAI or by the artificial-intelligence provider.
8. Personal data breach notification
SymbiozAI notifies the Customer without undue delay and no later than 48 hours after becoming aware of a breach affecting the Customer Data. The notification includes: the nature of the breach, the approximate categories and volumes of data and persons concerned, the likely consequences, the measures taken or proposed, and a dedicated contact point at SymbiozAI. SymbiozAI assists the Customer (the controller) in meeting its own 72-hour deadline vis-à-vis the supervisory authority (Art. 33) and, where applicable, in informing data subjects (Art. 34).
9. Fate of the data at the end of the contract
At the end of the services, at the Customer's choice: return (export) then deletion or anonymization of the Customer Data (and copies thereof), unless there is a legal retention obligation. Deletion takes place within 60 days following the end of the contract. The periods applicable during the relationship are specified in the retention policy.
10. Audit and demonstration of compliance
SymbiozAI makes available the reasonable documentation demonstrating its compliance. Audit arrangements: (a) reasonable notice of 30 days; (b) limited frequency (at most once a year, save for a proven incident or a request from an authority); (c) during business hours, without disrupting the Service; (d) scope limited to the processing of the relevant Customer's Customer Data, without ever giving access to the data or environments of other customers; (e) possible recourse to a third-party auditor bound by confidentiality; (f) audit costs borne by the Customer, save where a substantial non-compliance is revealed. As a priority, SymbiozAI responds through documentation (reports, security questionnaires) before any on-site audit.
11. Controller-to-controller part (enrichment and artificial intelligence)
By default, SymbiozAI acts as a data processor (Art. 28 GDPR) for ingestion, storage, the CRM, and the attribution of messages by artificial intelligence. For data enrichment (Apollo, Hunter, BrightData, INSEE/Pappers) and for certain artificial-intelligence processing operations, the qualification may amount to a controller-to-controller relationship or joint controllership, whereby SymbiozAI then determines all or part of the means and purposes. Where applicable, an arrangement setting out the allocation of responsibilities under Art. 26 GDPR is established and each party is answerable for its own obligations (legal basis, information, rights) for the part in which it acts as a controller.
12. International transfers
For any transfer outside the European Union / the EEA (in particular to Anthropic, in the United States), SymbiozAI puts in place the European Commission's Standard Contractual Clauses (SCCs) and the supplementary safeguards provided for in Chapter V of the GDPR. The location of each subprocessor is set out on the "List of subprocessors" page.
Annex A — Data scopes by ingestion channel
| Channel | Content stored | Unregistered sender | Transmitted to the artificial intelligence |
|---|---|---|---|
| | 200-character preview | not stored | excerpt of at most 200 characters |
| | 200-character preview (+ name, profile URL) | not stored | excerpt of at most 200 characters |
| Gmail | message body (up to 5,000 characters) + follow-up copy (up to 10,000 characters) + headers + recipients in copy | contact record created automatically | excerpt of at most 200 characters |
Annex B — Overview of subprocessors
| Subprocessor | Role | Location |
|---|---|---|
| Unipile | Messaging integration bridge (WhatsApp, LinkedIn) | European Union (France) |
| Anthropic | Language models (Claude): attribution and drafting of proposals | United States |
| | Access to the Gmail / Calendar of the Customer's account (OAuth) | European Union / United States depending on the Customer's configuration |
| DigitalOcean | Hosting of the infrastructure | European Union (Frankfurt) |
| WorkOS | Authentication / SSO | United States |
| Apollo, Hunter, BrightData, INSEE / Pappers | B2B data enrichment | European Union / outside the EU depending on the provider |
The reference list, kept up to date, is set out on the "List of subprocessors" page. For subprocessors established in or processing data outside the European Union, transfers are framed by the standard contractual clauses (SCCs) and appropriate safeguards.