SymbiozAI — Legal information

Last updated: July 3, 2026

Data Processing Agreement (DPA)

This Data Processing Agreement (the "DPA") governs the processing of personal data carried out by SymbiozAI SASU (SIREN 103 609 244, registered office in Lyon 69003, France), as a data processor, on behalf of its customers, as data controllers. It forms an integral part of the Terms of Service and applies as from subscription to the Service.


1. Definitions

The terms Data controller, Data processor, Subprocessor, Data subject, Personal data, and Personal data breach have the meaning given to them by the GDPR (EU Regulation 2016/679). "Customer Data" means the personal data processed by SymbiozAI on behalf of the Customer through the Service.


2. Subject matter, duration, nature, and purpose of the processing


3. Instructions of the data controller

SymbiozAI processes Customer Data only on the documented instructions of the Customer (this DPA and the use of the Service constitute instructions). SymbiozAI informs the Customer if an instruction appears to it to be contrary to the GDPR.


4. SymbiozAI's obligations as a data processor

SymbiozAI: (a) guarantees confidentiality (authorized personnel, confidentiality undertaking); (b) implements appropriate security measures (Art. 32, see §7); (c) complies with the conditions for engaging subprocessors (§5); (d) assists the Customer with data subjects' requests (§6) and with its obligations (Arts. 32 to 36); (e) notifies any personal data breach (§8); (f) at the Customer's choice, deletes or returns the data at the end of the contract (§9); (g) makes available the information necessary to demonstrate its compliance and submits to audits (§10).


5. Subprocessors

The Customer authorizes the engagement of the subprocessors listed on our dedicated public page. SymbiozAI imposes on each of them a written contract containing obligations that are substantially equivalent to and no less protective than those set out herein, and remains liable for their performance.

Transparency arrangements: (a) a public list of subprocessors kept up to date; (b) prior notice of at least 30 days before the addition or replacement of a subprocessor; (c) a right of objection for the Customer within 30 days on legitimate grounds relating to data protection.

An overview of the subprocessors is set out in Annex B; the reference list, kept up to date, is published on the "List of subprocessors" page.


6. Assistance with data subjects' requests

SymbiozAI assists the Customer in responding to requests to exercise rights (access, rectification, erasure, objection, restriction). Data subjects exercise their rights with the Customer (the data controller); if they address SymbiozAI, the latter forwards the request to the Customer. The means made available to the Customer for this purpose are specified upon subscription.


7. Technical and organizational measures (Art. 32)

SymbiozAI implements the following measures:


8. Personal data breach notification

SymbiozAI notifies the Customer without undue delay and no later than 48 hours after becoming aware of a breach affecting the Customer Data. The notification includes: the nature of the breach, the approximate categories and volumes of data and persons concerned, the likely consequences, the measures taken or proposed, and a dedicated contact point at SymbiozAI. SymbiozAI assists the Customer (the controller) in meeting its own 72-hour deadline vis-à-vis the supervisory authority (Art. 33) and, where applicable, in informing data subjects (Art. 34).


9. Fate of the data at the end of the contract

At the end of the services, at the Customer's choice: return (export) then deletion or anonymization of the Customer Data (and copies thereof), unless there is a legal retention obligation. Deletion takes place within 60 days following the end of the contract. The periods applicable during the relationship are specified in the retention policy.


10. Audit and demonstration of compliance

SymbiozAI makes available the reasonable documentation demonstrating its compliance. Audit arrangements: (a) reasonable notice of 30 days; (b) limited frequency (at most once a year, save for a proven incident or a request from an authority); (c) during business hours, without disrupting the Service; (d) scope limited to the processing of the relevant Customer's Customer Data, without ever giving access to the data or environments of other customers; (e) possible recourse to a third-party auditor bound by confidentiality; (f) audit costs borne by the Customer, save where a substantial non-compliance is revealed. As a priority, SymbiozAI responds through documentation (reports, security questionnaires) before any on-site audit.


11. Controller-to-controller part (enrichment and artificial intelligence)

By default, SymbiozAI acts as a data processor (Art. 28 GDPR) for ingestion, storage, the CRM, and the attribution of messages by artificial intelligence. For data enrichment (Apollo, Hunter, BrightData, INSEE/Pappers) and for certain artificial-intelligence processing operations, the qualification may amount to a controller-to-controller relationship or joint controllership, whereby SymbiozAI then determines all or part of the means and purposes. Where applicable, an arrangement setting out the allocation of responsibilities under Art. 26 GDPR is established and each party is answerable for its own obligations (legal basis, information, rights) for the part in which it acts as a controller.


12. International transfers

For any transfer outside the European Union / the EEA (in particular to Anthropic, in the United States), SymbiozAI puts in place the European Commission's Standard Contractual Clauses (SCCs) and the supplementary safeguards provided for in Chapter V of the GDPR. The location of each subprocessor is set out on the "List of subprocessors" page.


Annex A — Data scopes by ingestion channel

Channel | Content stored | Unregistered sender | Transmitted to the artificial intelligence
WhatsApp | 200-character preview | not stored | excerpt of at most 200 characters
LinkedIn | 200-character preview (+ name, profile URL) | not stored | excerpt of at most 200 characters
Gmail | message body (up to 5,000 characters) + follow-up copy (up to 10,000 characters) + headers + recipients in copy | contact record created automatically | excerpt of at most 200 characters

Annex B — Overview of subprocessors

Subprocessor | Role | Location
Unipile | Messaging integration bridge (WhatsApp, LinkedIn) | European Union (France)
Anthropic | Language models (Claude): attribution and drafting of proposals | United States
Google | Access to the Gmail / Calendar of the Customer's account (OAuth) | European Union / United States depending on the Customer's configuration
DigitalOcean | Hosting of the infrastructure | European Union (Frankfurt)
WorkOS | Authentication / SSO | United States
Apollo, Hunter, BrightData, INSEE / Pappers | B2B data enrichment | European Union / outside the EU depending on the provider

The reference list, kept up to date, is set out on the "List of subprocessors" page. For subprocessors established in or processing data outside the European Union, transfers are framed by the standard contractual clauses (SCCs) and appropriate safeguards.