Mentions légales et confiance

Data Processing (DPA Outline)

The outline of the data processing agreement (DPA) used for B2B engagements where Rexora processes personal data on a client's behalf. The signed DPA for each engagement prevails.

Version de travail opérationnelle — relecture par le propriétaire / un juriste requise. Ce texte est un projet préparé pour relecture et ne constitue pas encore un avis juridique validé. En cas de divergence, la version anglaise prévaut (English version prevails).

1. Roles

The client is the controller of its business data; Rexora acts as processor for the agreed workflows. Where Rexora processes its own correspondence and contracts, it acts as an independent controller.

2. Scope and instructions

Processing is limited to the categories of data and purposes listed in the engagement's processing annex.
Workflows process only the fields needed for the purpose (data minimisation by design).
Processing follows the client's documented instructions; changes require written agreement.

3. Subprocessors

Third-party tools (e.g. hosting, AI model providers, automation platforms) used in a workflow are listed per engagement and approved by the client before use.
EU-hosted options are preferred wherever the stack allows it; transfers outside the EU/EEA happen only with valid transfer mechanisms.

4. Security measures

Access on a need-to-know basis, scoped credentials, no shared accounts.
Client content is not used to train models.
Demo and test data is ephemeral and deleted after use.
Client content is kept out of application logs by design.

5. Retention and deletion

Retention periods are agreed per engagement. On termination or on request, personal data is deleted or returned, and deletion is confirmed in writing.

6. Incidents and audits

Personal data breaches are notified to the client without undue delay. The client may audit compliance as agreed in the DPA (typically via documentation and written answers first).

Tous les documents juridiques