Data-Processing Agreement (DPA)
Last updated: 13 May 2025
Plain-language note – This DPA describes how MATRIX processes personal data on behalf of its customers when they use the services available at datamonkeyz.com (the “Services”). It is a simplified rewrite of the original legal text. Please have qualified counsel review any final version before signature.
1. Parties
MATRIX — single-shareholder simplified joint-stock company (SASU) registered in France,
SIREN 991 729 658,
SIRET (registered office) 991 729 658 00013,
registered with the Paris Trade and Companies Register under number 991 729 658 R.C.S. Paris,
VAT number FR39991729658,
share capital €500,
registered office: 60 rue François 1er, 75008 Paris, France
("MATRIX", "Processor", "we/us").
Customer — any natural or legal person that subscribes to the Services
("Customer", "Controller", "you").
Together we are the Parties and each a Party.
This DPA replaces any earlier data-processing clauses between the Parties.
2. Scope & roles
- The Customer determines why and how personal data are processed and therefore acts as Data Controller under the EU General Data Protection Regulation (GDPR).
- MATRIX processes those data strictly on the Customer’s documented instructions and therefore acts as Processor.
- When MATRIX processes its own business contacts (e.g. Customer representatives for support or billing), it acts as an independent Controller.
3. Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information about an identified or identifiable person that the Customer uploads to or collects via the Services. |
| Processing | Any operation performed on Personal Data (collection, storage, analysis, deletion, etc.). |
| Personal-data breach | A security incident that leads to accidental or unlawful loss, alteration, disclosure of or access to Personal Data. |
4. Details of the processing
- Types of data – Contact details (name, email, phone, etc.), login credentials, location data, preferences and any other information the Customer chooses to collect with our crawlers.
- Data subjects – Natural persons chosen by the Customer (customers, prospects, staff, suppliers, etc.).
- Purpose – Operating the Services, i.e. automated, recurring collection of publicly available online data (via crawlers) and related automation features such as sending messages through third-party platforms.
- Duration – For the term of the main service contract plus up to six (6) months, unless longer storage is required by law or agreed in writing.
5. Customer obligations (Controller)
The Customer shall:
- Provide lawful instructions and ensure they do not involve special-category data unless explicitly agreed.
- Verify MATRIX’s compliance with GDPR (including by audit on 15 days’ notice, during business hours and at Customer’s expense).
- Implement appropriate security on its own systems and credentials.
- Inform data subjects and obtain any required consent for the envisaged processing.
- Handle data-subject requests (access, erasure, portability, etc.).
- Maintain a record of processing activities in its capacity as Controller.
6. MATRIX obligations (Processor)
MATRIX shall:
- Process data only on documented instructions unless EU or French law requires otherwise (in which case we will inform you unless prohibited).
- Apply data-protection-by-design and by default in our tools.
- Keep data confidential and ensure staff and sub-processors are bound by the same duty.
- Implement appropriate technical and organisational measures (encryption, access control, logging, backups, etc.) to protect Personal Data. Details are available on request.
- Notify the Customer of any personal-data breach without undue delay and, in any event, within 48 hours of discovery, providing sufficient information to meet regulatory duties.
- Assist the Customer, insofar as possible, with:
  - responding to data-subject requests,
  - performing data-protection-impact assessments,
  - consulting supervisory authorities,
  - breach notifications.
- Delete or return data within six (6) months after contract end, unless law requires retention or the Customer requests a shorter or longer period.
- Maintain a register of processing activities carried out on behalf of the Customer.
Sub-processing
- A list of MATRIX’s current sub-processors (e.g. hosting, payment, CRM providers) is available at datamonkeyz.com/legal/sub-processors.
- MATRIX will notify the Customer of any change at least 15 calendar days in advance. The Customer may object by terminating the affected service within that period; unused prepaid fees will be refunded.
- MATRIX imposes the same data-protection obligations on every sub-processor. Transfers outside the EEA rely on EU-approved Standard Contractual Clauses or other lawful mechanisms. MATRIX remains fully liable for each sub-processor’s performance.
7. Supervisory authority cooperation
Each Party will cooperate with the competent data-protection authority (the CNIL in France) upon request.
8. Data-protection officer
MATRIX can be contacted for data-protection matters at simon.rochwerg.pro@gmail.com or at the registered office address stated above.
If the Customer has appointed a Data Protection Officer, it shall communicate the contact details to MATRIX.
9. Precedence & changes
This DPA supplements the general terms of service. In the event of conflict, this DPA prevails.
MATRIX may update this DPA to reflect legal or technical changes. The updated version will be published on datamonkeyz.com with at least 30 days’ prior notice. The Customer may terminate the Services free of charge within that period.
10. Acceptance
By entering into the main service agreement or by continuing to use the Services after the notice period, the Parties are deemed to have accepted this DPA.