Data processing agreement (DPA), art. 28 GDPR
Last updated : 2026-07-01
This data processing agreement (the "DPA") forms an integral part of Naskel's terms of sale and use. It governs the processing, by CONTRÉ Clément operating under the trade name CCFlow ("Naskel"), of personal data on behalf of its customer.
1. Roles of the parties
The customer is the data controller. Naskel (CCFlow) acts as a processor, on the customer's documented instructions. Each party complies with the GDPR and the French Data Protection Act for the part that concerns it.
2. Subject matter, duration, nature & purpose
The subject matter of the processing is the hosting and processing of the personal data required to provide the Naskel service (CRM, quotes, invoices, emails, calendar, AI assistance). The processing lasts for the duration of the subscription, plus the retention periods described in article 9.
3. Categories of data & data subjects
The processing concerns the data of the customer's contacts, clients and prospects: identity, contact details, content of email exchanges, appointments and associated notes. This data is processed solely on behalf of the customer.
4. Instructions
Naskel processes the data only on the customer's documented instructions, including for transfers. If an instruction appears to constitute a breach of the GDPR or another applicable provision, Naskel informs the customer without delay.
5. Confidentiality
Persons authorised to process the data are bound by a confidentiality obligation and access the data only to the extent strictly necessary.
6. Security (art. 32)
Naskel implements appropriate technical and organisational measures: AES-256 encryption at rest and TLS 1.3 in transit, encrypted secrets, multi-factor authentication (TOTP), daily encrypted backups and hosting in the European Union.
7. Subprocessors
The customer gives a general authorisation to the use of subprocessors. Naskel informs the customer of any change (addition or replacement) and gives them the opportunity to object on legitimate grounds. All personal data is hosted in the EU; note that the AI is provided by Mistral (EU) and trains no model on customer data.
- Vercel Inc.: Application hosting EU (Frankfurt, fra1). US company: standard contractual clauses (SCC).
- Neon Inc.: Database EU (eu-central-1). US company: standard contractual clauses (SCC).
- Mistral AI: Artificial-intelligence processing. No training on customer data. European Union (France).
- Stripe: Subscription payments EU / US, certified provider: standard contractual clauses (SCC).
- Resend: Transactional emails US: standard contractual clauses (SCC).
- PostHog: Product analytics (application) European Union.
- Google (API Gmail / Calendar): Reading the mailbox and calendar of the account the user connects themselves. Depending on the user's own account.
US-based providers (Vercel, Neon, Stripe, Resend) are covered by the European Commission's standard contractual clauses (SCC).
8. Assistance to the customer
Naskel assists the customer, as far as possible, in responding to data subject requests (access, rectification, erasure, portability, objection), with data breach notifications (art. 33, without undue delay) and with data protection impact assessments (DPIAs).
9. Fate of the data at the end of the contract
At the end of the contract, the customer can return (export) their data. The data is then deleted within 30 days (grace period), except for the audit log kept for 365 days and any data the law requires to be retained. Audio (voice) data is purged and the customer is deleted at the payment provider.
10. Audit
Naskel makes available to the customer the information necessary to demonstrate compliance with article 28 and allows reasonable audits, including by a third party mandated by the customer.
11. Transfers outside the EU
Personal data is hosted and processed in the European Union. For US-based subprocessors (Vercel, Neon, Stripe, Resend), any transfer or possible access is covered by standard contractual clauses (SCC). No transfer is made outside the safeguards provided for in article 46 of the GDPR.
12. Contact
"Data protection" point of contact: contact@naskel.io.