DPA & CCPA
Last updated: Aug 6, 2025
This Data Processing Agreement (the “DPA”) is entered between BETTERCONTACT, a French simplified joint stock company, with its registered office at 11 rue du Puits Gaillot, 69001, Lyon, France, registered with the Lyon Registry of companies under company number 882 799 372 (hereinafter, “BetterContact”) and any client company subscribing to BetterContact’s web-based services and, in doing so, instructing BetterContact to process personal data on its behalf as a data processor within the meaning of applicable data protection laws (hereinafter to “Client”).
In this context, BetterContact shall process personal data on behalf of theClient, who acts as the data controller. BetterContact shall act solely on the documented instructions of the Client and in accordance with its role as a data processor.
For the purposes of this DPA, the terms “processing”, “data controller”, “data processor”, “data subject”, and “personal data” shall have the meanings given to them under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”).
1. Description of the data processing activities
BetterContact is authorized to process on behalf of the Client the personal data necessary for the following processing purposes:
- Enabling Client to manage and monitor commercial leads through the functionalities of the web services provided by BetterContact ;
- Sourcing, organization, storage, and tracking of Client’s leads throughout their lifecycle.
Nature of processing: Storage, consultation, modification and erasure.
Types of personal data processed: Identification and personal data about professional activities.
Categories of persons concerned: Client’s leads and prospects acting as professionals.
Duration of processing: All personal data will be deleted at the end of the contract between BetterContact and the Client. However, the Client is free to delete the data via their administrator area on the web application.
2. General obligations of BetterContact as a data processor under the GDPR
In its capacity as data processor, BetterContact undertakes to implement all appropriate technical and organizational measures to support the Client in ensuring compliance with the GDPR and all other applicable data protection laws and regulations. To this end, BetterContact agrees to:
- Process personal data strictly as necessary for the performance of the web services provided to the Client and, in all cases, solely on the basis of the Client’s prior written and documented instructions ;
- Promptly inform the Client if, in its opinion, any instruction infringes applicable data protection laws, and suspend execution of such instruction until the Client has confirmed, amended, or withdrawn it;
- Ensure that all persons authorized to access personal data are bound by a confidentiality obligation, are made aware of the Client’s documented instructions, and process the data strictly in accordance with such instructions;
- Provide appropriate training on data protection obligations to any personnel authorized to process personal data;
- Refrain from disclosing, transferring, leasing, or otherwise making personal data accessible to any third party, in whole or in part, even free of charge, and shall not use the personal data for any purpose other than those expressly set out in this DPA, including, without limitation, for commercial, marketing, or prospecting purposes;
- Assist the Client, where applicable and to the extent required by law, in carrying out data protection impact assessments;
- Cooperate with the Client, where applicable, in connection with any prior consultation with the competent supervisory authority.
3. Sub-processors and international data transfers
BetterContact may engage certain third-party service providers to act as sub-processors, who may access, and process personal data entrusted by the Client to BetterContact, solely for the purpose of delivering services that are necessary to the operation of BetterContact’s web-based platform (including, but not limited to, hosting and cloud services providers).
The current list of approved sub-processors is provided in Appendix A of this Agreement.
Some of these sub-processors may be located outside the European Economic Area (EEA), including in the United States. In such cases, BetterContact shall ensure that appropriate safeguards are in place in accordance with GDPR. In particular:
- Transfers of personal data shall only be made to service providers that are certified under the EU-U.S. Data Privacy Framework, or
- Where applicable, BetterContact shall enter into Standard Contractual Clauses (SCCs) adopted by the European Commission with the relevant sub-processor, supplemented by additional safeguards as necessary.
BetterContact further undertakes to implement all measures necessary to ensure that any international transfer of personal data complies with the applicable requirements of the GDPR, and in particular that such transfer is based on appropriate safeguards and enforceable data subject rights.
BetterContact reserves the right to engage new sub-processors or replace existing ones during the term of the DPA. In such cases, BetterContact shall notify the Client in writing of any intended changes, including the identity and processing activities of the new sub-processor. The Client shall have one (1) month from receipt of the notice to raise any reasoned objections. In the absence of objections within this timeframe, the sub-processing shall be deemed accepted.
BetterContact shall ensure that any sub-processor it appoints is bound by a written agreement imposing data protection obligations no less protective than those set forth in this DPA. BetterContact shall remain fully liable to the Client for the performance of the obligations of its sub-processors.
4. Right to information and exercise of rights by data subjects
Client remains solely responsible for ensuring that all necessary information notices are provided to data subjects whose personal data it collects or processes through BetterContact’s web services. The Client warrants that it has fulfilled, and will continue to fulfil, all applicable transparency obligations under Articles 13 and 14 of the GDPR.
BetterContact shall provide reasonable assistance to the Client, to the extent required by the nature of the processing, in responding to data subject requests to exercise their rights under GDPR, including the rights of access, rectification, erasure, objection, restriction of processing, and data portability.
Where data subjects submit such requests directly to BetterContact, BetterContact shall :
- promptly forward them to the Client by email to the contact address specified in the Client’s account ;
- ensure that it does not respond to that request except on the documented instructions of Clientor as required by applicable laws to which BetterContact is subject, in which case BetterContact shall to the extent permitted by applicable laws inform Client of that legal requirement before responding to such request.
- Security & notification of personal data breaches
During the term of the DPA, the parties shall take all appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, deterioration, unauthorized disclosure or access, in particular during the process of data transmission over a network, and against any unlawful processing.
In assessing the appropriate level of security, BetterContact shall take account in particular of the risks that are presented by processing, in particular from a personal data breach.
BetterContact shall notify Client without undue delay upon becoming aware of a personal data breach affecting personal data for which Client act as a data controller, providing Client with sufficient information to allow the Client to meet any obligations to report or inform data subjects of the personal data breach under GDPR.
This notification shall be accompanied by any useful documentation to enable the Client, if necessary, to notify the competent supervisory authority of the breach. BetterContact shall co-operate with the Client and take reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such personal data breach.
6. Assistance and Audit
BetterContact shall make available to the Client on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the processing of the personal data.
However, it is specified that these audits will be carried out at the Client’s expense and strictly limited to the audit of the measures taken in relation to the protection of personal data, within the limit of one audit per year notified reasonably in advance to BetterContact.
7. Deletion or return of Client’s personal data
BetterContact undertakes to delete all data at the end of the contract concluded with the Client. BetterContact will destroy all existing copies in BetterContact’s information systems.
However, the Client may freely delete the data via their administrator area on the web services in order to comply with the retention periods applicable under GDPR.
8. Client obligations towards BetterContact
The Client undertakes to:
- document in writing any additional instructions to the provisions of this DPA;
- ensure, in advance and throughout the processing period, compliance with the obligations set out in the GDPR;
- supervise the processing, including conducting audits and inspections of BetterContact.
APPENDIX A – SUB PROCESSORS
| Sub-Processor | Sub-Processor Activities | Sub-Processor location |
| Amazon Web Services, Inc. | Cloud Service Provider | United States (servers located in EU) |
| Heroku | Cloud Service Provider | United States (servers located in EU) |
| PostHog | Product Analytics | United States (Certified under DPF) |