This Data Processing Agreement ("DPA") is entered into between FerrLabs ("Processor") and the customer identified in the FerrLabs account or in the order form ("Controller") and forms an integral part of the Terms of service. It governs the processing of personal data on behalf of the Controller in connection with the FerrLabs SaaS products (FerrVault, FerrTrack, FerrGrowth, and the cloud-side features of FerrFlow).
This DPA is provided as a pre-signed offer: by activating a paid plan or by uploading Customer Personal Data into a product, the Controller accepts this DPA. A counter-signed copy can be requested at dpo@ferrlabs.com.
1. Definitions
Capitalised terms have the meaning given in the GDPR (Regulation (EU) 2016/679). "Customer Personal Data" means personal data submitted by the Controller or its end-users to the FerrLabs SaaS products and processed by FerrLabs on the Controller's behalf.
2. Subject matter and duration
FerrLabs processes Customer Personal Data solely to provide the contracted services, for the duration of the active subscription, and during the post-termination grace period (30 days for export).
3. Categories of data subjects and personal data
The processing typically concerns:
- Data subjects: the Controller's employees, contractors, partners, end-users.
- Categories of data: identification (name, email, role), authentication credentials (password hashes, session tokens), professional content uploaded by the Controller (vault secrets, issues, page content, form submissions), connection metadata (IP fingerprints, user agents, timestamps).
- Special categories: none. The Controller undertakes not to upload special-category personal data (Article 9 GDPR) into the products without a separate written agreement.
4. Processor obligations
FerrLabs commits to:
- Process Customer Personal Data only on the documented instructions of the Controller (the configuration of the products through the user interface and APIs constitutes such instructions);
- Ensure that personnel authorised to access Customer Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organisational measures (see the security page);
- Engage subprocessors only under written agreements imposing equivalent data-protection obligations (see the subprocessors page);
- Assist the Controller in fulfilling data-subject requests (Articles 15-22 GDPR), security obligations (Articles 32-36 GDPR), and impact assessments where applicable (Articles 35-36 GDPR);
- Notify the Controller without undue delay (within 72 hours) of any personal data breach, with the information required by Article 33(3) GDPR;
- At the Controller's choice, return or delete Customer Personal Data at the end of the contract, subject to retention obligations imposed by law.
5. Subprocessing
The Controller authorises FerrLabs to engage the subprocessors listed on the subprocessors page. FerrLabs notifies the Controller of any new subprocessor at least 30 days before activation; the Controller may object on legitimate grounds within that window.
6. Cross-border transfers
Customer Personal Data is stored and processed in the European Union by default. Some subprocessors may process limited data outside the EU (notably Stripe in the US for payment processing). FerrLabs ensures that any such transfer is governed by an adequate transfer mechanism: EU-US Data Privacy Framework adequacy decision, Standard Contractual Clauses (Module 3 — processor to processor), or other safeguards under Chapter V GDPR.
7. Security measures
FerrLabs implements at minimum:
- Encryption in transit (TLS 1.3) and at rest (storage-layer encryption, plus per-vault encryption for FerrVault secrets);
- Strong authentication (argon2id password hashing, signed JWT sessions, optional 2FA);
- Network isolation (private cluster network, ingress only on documented endpoints);
- Logical separation between Controllers (multi-tenant isolation enforced at the application and database layers);
- Backups with documented restore tests;
- Continuous logging of administrative actions, with restricted access;
- Vulnerability monitoring and patch management.
Detailed measures are described on the security page.
8. Audit and information rights
The Controller may request, no more than once per year (or upon reasonable suspicion of a breach), reasonable information demonstrating compliance with this DPA. FerrLabs will respond within 30 days. On-site audits are reserved for Controllers under an Enterprise contract and are subject to a separate scope and confidentiality agreement.
9. Liability
Liability under this DPA is subject to the limitations of the Terms of service. Statutory liability for personal data breaches is allocated as provided by Article 82 GDPR.
10. Contact
Data protection officer / privacy contact: dpo@ferrlabs.com.
French version: Accord de sous-traitance.