Data Processing Agreement
Last updated: March 27, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Terms") between the entity agreeing to the Terms ("Customer", "Controller", "you") and OpenCream SAS ("OpenCream", "Processor", "we", "us"), operating under the brand name Corial.
This DPA applies where OpenCream processes personal data on behalf of Customer in the course of providing the Services. It reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978, as amended).
1. Definitions
Terms not defined in this DPA have the meanings given in the Terms. In addition:
- "Customer Data" means any personal data that Customer or its authorized users submit to the Services for processing.
- "Data Protection Laws" means GDPR, the French Data Protection Act, and any other applicable data protection legislation.
- "Personal Data", "Data Controller", "Data Processor", "Data Subject", "Processing", "Personal Data Breach", and "Sub-Processor" have the meanings given in GDPR.
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission Decision (EU) 2021/914 of 4 June 2021.
2. Scope and Roles
2.1 Roles
Customer is the Data Controller. OpenCream is the Data Processor. OpenCream processes Customer Data solely on behalf of Customer and in accordance with Customer's documented instructions.
2.2 Subject Matter and Duration
OpenCream processes Customer Data for the duration of Customer's subscription to the Services, plus the 30-day post-termination retention period described in the Terms.
2.3 Nature and Purpose of Processing
The processing is necessary to provide the Services, which include:
- Receiving, storing, and organizing customer relationship data (contacts, accounts, interactions, projects)
- Processing business communications (emails, voice note transcriptions, Telegram messages, meeting notes, documents) through AI systems to extract structured business data
- Generating AI outputs (summaries, action items, email drafts, relationship insights, competitive intelligence, market analysis)
- Sending notifications and briefings to authorized users
- Providing pipeline management, task management, and reporting functionality
2.4 Types of Personal Data
The following categories of personal data may be processed:
- Contact information: names, email addresses, phone numbers, job titles, company names
- Business communication content: email bodies, voice note transcriptions, meeting notes, Telegram messages
- Interaction records: meeting dates, communication logs, project notes
- Account data: authorized user names, email addresses, login credentials (hashed)
- Usage data: IP addresses, browser type, feature usage patterns, timestamps
2.5 Categories of Data Subjects
- Customer's business contacts and prospects (third-party individuals)
- Customer's employees and authorized users
- Individuals referenced in business communications processed by the Services
3. Processor Obligations
3.1 Processing Instructions
OpenCream shall process Customer Data only on documented instructions from Customer, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law to which OpenCream is subject. In such case, OpenCream shall inform Customer of that legal requirement before processing, unless prohibited by law.
The Terms, this DPA, and Customer's use and configuration of the Services constitute Customer's complete documented instructions for processing.
3.2 Confidentiality
OpenCream shall ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
OpenCream shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: TLS/HTTPS for all data in transit; database encryption at rest
- Tenant isolation: Database-level row-level security (RLS) policies enforcing logical data isolation between Tenants
- Access control: Role-based access control; JWT-based authentication with token expiry
- AI security: Prompt injection detection and sanitization; AI output validation; tool execution safety levels requiring human approval for external communications
- Audit logging: Immutable audit logs of all significant data access, processing events, and security events
- Rate limiting: Per-endpoint rate limiting to prevent abuse
- Infrastructure: Non-root Docker containers; internal-only database and cache access; security headers (CSP, HSTS, X-Frame-Options)
- Backup: Daily encrypted database backups with 30-day retention
- Monitoring: Server monitoring and alerting; security event logging
3.4 Sub-Processors
3.4.1 General Authorization
Customer grants OpenCream general written authorization to engage sub-processors for the processing of Customer Data. The current list of sub-processors is set out in Annex B and maintained at corial.app/legal/subprocessors.
3.4.2 Notification of Changes
OpenCream shall notify Customer at least 30 days in advance of any intended addition or replacement of sub-processors, giving Customer the opportunity to object. Notification will be sent to the email address associated with Customer's account.
3.4.3 Right to Object
If Customer objects to a new sub-processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached within 30 days, Customer may terminate the affected Services without penalty by providing written notice.
3.4.4 Sub-Processor Obligations
OpenCream shall impose on each sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. OpenCream shall remain fully liable to Customer for the performance of each sub-processor's obligations.
3.5 Data Subject Rights
OpenCream shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising Data Subjects' rights under Chapter III of GDPR (access, rectification, erasure, restriction, portability, objection).
If OpenCream receives a request directly from a Data Subject, OpenCream shall promptly notify Customer and shall not respond to the request itself unless instructed by Customer or required by applicable law.
3.6 Assistance with Compliance
OpenCream shall assist Customer in ensuring compliance with the following obligations, taking into account the nature of processing and the information available to OpenCream:
- Security of processing (GDPR Art. 32)
- Notification of personal data breaches to the supervisory authority and to Data Subjects (GDPR Arts. 33 and 34)
- Data protection impact assessments (GDPR Art. 35)
- Prior consultation with the supervisory authority (GDPR Art. 36)
4. Personal Data Breach
4.1 Notification
OpenCream shall notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Data. This timeline is designed to enable Customer to meet the 72-hour notification obligation to the supervisory authority under GDPR Art. 33.
4.2 Breach Information
The notification shall include, to the extent available:
- A description of the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned
- The name and contact details of OpenCream's privacy contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
4.3 Cooperation
OpenCream shall cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
5. International Data Transfers
5.1 Processing Locations
Customer Data is primarily processed and stored in the European Union (Germany, via Hetzner Online GmbH).
5.2 Transfers Outside the EEA
Where Customer Data is transferred to sub-processors located outside the European Economic Area, OpenCream ensures appropriate safeguards are in place:
| Sub-Processor | Country | Transfer Mechanism |
|---|---|---|
| Anthropic, Inc. | United States | SCCs Module 3 (Processor to Processor) |
| Google LLC | United States | SCCs Module 3 (Processor to Processor) |
| Deepgram, Inc. | United States | SCCs Module 3 (Processor to Processor) |
| Resend, Inc. | United States | SCCs Module 3 (Processor to Processor) |
| Bright Data Ltd. | Israel | SCCs as supplementary safeguard |
| Telegram FZ-LLC | United Arab Emirates | SCCs Module 2 (Controller to Processor) |
5.3 Transfer Impact Assessment
OpenCream has conducted a Transfer Impact Assessment (TIA) for each transfer to a country without an EU adequacy decision, assessing the legal framework of the recipient country and the supplementary measures in place. Supplementary measures include:
- Encryption of all data in transit (TLS 1.2+)
- No persistent storage of Customer Data by AI providers (Anthropic, Google, Deepgram) beyond the duration of individual API request processing
- Contractual prohibitions on provider use of Customer Data for model training or purposes other than providing the contracted service
- Data minimization: only the data necessary for the specific processing task is transmitted
5.4 Standard Contractual Clauses
To the extent that the transfer of Customer Data is subject to the SCCs, the parties agree that the SCCs (EU Commission Decision 2021/914) are hereby incorporated by reference. The applicable module, data exporter, data importer, and supplementary measures for each transfer are as described in this Section 5.
6. Audit Rights
6.1 Information and Audit
OpenCream shall make available to Customer all information necessary to demonstrate compliance with this DPA and GDPR Art. 28, and shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.
6.2 Audit Procedure
Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt OpenCream's operations. Customer shall bear the costs of any audit, except where the audit reveals material non-compliance by OpenCream.
6.3 Third-Party Certifications
OpenCream may satisfy audit requests by providing relevant third-party audit reports or certifications (such as SOC 2 Type II or ISO 27001), where available. Customer retains the right to conduct its own audit if third-party reports are insufficient to address specific concerns.
7. Deletion and Return of Data
7.1 During the Subscription
Customer may request export of Customer Data at any time during the subscription period by contacting privacy@corial.app.
7.2 Upon Termination
Upon termination or expiry of the Services, OpenCream shall:
- Retain Customer Data for 30 days to allow Customer to export data
- After the 30-day period, permanently delete all Customer Data, including all backups, from its systems within 90 days
- Provide written confirmation of deletion upon Customer's request
7.3 Exceptions
OpenCream may retain Customer Data beyond the deletion timeline where required by applicable EU or Member State law. In such cases, OpenCream shall inform Customer of the legal requirement and limit processing to what is required by law.
8. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA does not limit either party's liability for breaches of Data Protection Laws to the extent such limitation would be prohibited by applicable law.
9. General
9.1 Precedence
In the event of any conflict between this DPA and the Terms, this DPA shall prevail with respect to the processing of personal data.
9.2 Amendments
OpenCream may update this DPA to reflect changes in Data Protection Laws or processing practices. Material changes will be notified to Customer at least 30 days in advance.
9.3 Governing Law
This DPA is governed by and construed in accordance with the laws of France.
Annex A — Details of Processing
| Element | Description |
|---|---|
| Subject matter | Processing of Customer Data to provide the Corial AI sales intelligence platform |
| Duration | Duration of Customer's subscription + 30-day post-termination retention |
| Nature of processing | Collection, storage, organization, structuring, retrieval, use, transmission, AI-based analysis and extraction, erasure |
| Purpose | Providing the Services as described in the Terms |
| Types of personal data | Contact information, business communication content, interaction records, account data, usage data (see Section 2.4) |
| Categories of data subjects | Customer's business contacts/prospects, Customer's employees/authorized users, individuals referenced in communications (see Section 2.5) |
Annex B — List of Sub-Processors
Effective as of March 27, 2026. An up-to-date version is maintained at corial.app/legal/subprocessors.
| Sub-Processor | Country | Purpose | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Infrastructure hosting | All Customer Data (storage and compute) |
| Anthropic, Inc. | United States | AI processing (Claude API) | Communication content, contact data (transient — not stored by provider) |
| Google LLC | United States | AI processing (Gemini API), Google Workspace email integration | Communication content, contact data (transient for AI); email content (for connected Google Workspace accounts) |
| Deepgram, Inc. | United States | Voice/audio transcription | Audio recordings (transient — deleted after transcription) |
| Resend, Inc. | United States | Transactional email delivery | Recipient email addresses, email subject/body for system notifications (password resets, account alerts) |
| Bright Data Ltd. | Israel | Web-based business data enrichment | Company names, contact names (publicly available data only) |
| Telegram FZ-LLC | United Arab Emirates | Messaging interface | Message content, user identifiers (when Tenant uses Telegram integration) |
| Plausible Insights OÜ | Estonia (EU) | Website analytics | No personal data collected (aggregated, anonymous metrics only) |
Annex C — Technical and Organizational Security Measures
Infrastructure Security
- Application hosted on dedicated virtual private server (Hetzner, Germany)
- Docker containerization with non-root user execution
- PostgreSQL database accessible only within internal Docker network (no external exposure)
- Redis cache requires authentication and is not externally accessible
- Caddy reverse proxy with automatic TLS certificate management
- Security headers: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options
Data Isolation
- PostgreSQL Row-Level Security (RLS) policies on all tenant-scoped tables
- Application-level tenant context enforcement (belt-and-suspenders approach)
- AI processing scoped to single tenant context; no cross-tenant data sharing
- Semantic search (pgvector) enforces tenant boundaries
Access Control
- JWT-based authentication with 8-hour token expiry
- Role-based access control (platform admin, tenant admin, user, readonly)
- Rate limiting per endpoint category (authentication, AI, CRUD, webhooks)
AI Security
- Input sanitization and prompt injection detection on all untrusted data
- AI output validation before delivery to users
- Tool execution safety levels: destructive actions blocked, external communications require human approval
- AI cost guards with per-tenant daily token limits
Encryption
- TLS/HTTPS for all data in transit (enforced by Caddy)
- API keys and sensitive credentials encrypted at rest using Fernet symmetric encryption
- Database credentials managed via environment variables, never committed to source control
Monitoring and Audit
- Immutable audit log of all significant events (authentication, data access, AI tool execution, security events)
- Server monitoring and alerting
- Security event logging for injection detection, cross-tenant access attempts, rate limit violations
Backup and Recovery
- Daily automated database backups
- 30-day backup retention
- Backup restoration tested periodically
Personnel
- Access to production systems limited to authorized OpenCream personnel
- All personnel with access to Customer Data are bound by confidentiality obligations
OpenCream SAS
15 Avenue Marie-Amélie
60500 Chantilly, France
Email: privacy@corial.app