Data Processing Agreement (DPA)
- This DPA is concluded between you (the Controller) and ZEVRA (the Processor), in accordance with Article 28 of the GDPR.
- It applies to all Zevra Store tools and to Studio services involving third parties' personal data.
- ZEVRA only processes your data on your documented instructions and strictly within the scope of the contracted services.
- Your data is protected by TLS 1.2+ encryption, access control (RBAC), encrypted backups and logging.
- Any data breach is notified to you within 72 hours.
- At the end of the contract, your data is returned or securely destroyed, with a certificate.
- Sub-processors (Vercel, Anthropic, OpenAI, Google, DILA) are listed in Appendix A together with their transfer safeguards.
Preamble — Parties and scope
This Data Processing Agreement (hereinafter the "DPA") is concluded between the following parties:
Identification of the parties
- Controller: The Client, a natural or legal person who has subscribed to Zevra's services.
- Processor: ZEVRA, a French simplified joint-stock company (SAS) with share capital of 1,000 euros
- Registration: Toulon Trade and Companies Register — SIREN 101 202 216
- Registered office: Le Pradet (83), France
- Contact: contact@zevra.tech
- Legal representative: Alexis Deborde, President
Scope
This DPA applies to all of the following services when they involve the processing of third parties' personal data:
- Store tools: MCP Factory, Supernovia, Lexform Pro, Plume
- Custom development: any development project carried out by ZEVRA on behalf of the Client
- Studio services: engagements involving the processing of third parties' personal data
This DPA supplements ZEVRA's General Terms of Sale and Use (GTSU) and is inseparable from them.
Article 1 — Definitions
For the purposes of this DPA, the following terms have the meaning given to them below:
- Personal data: Any information relating to an identified or identifiable natural person, within the meaning of Article 4.1 of the GDPR.
- Processing: Any operation or set of operations performed on personal data, within the meaning of Article 4.2 of the GDPR (collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, destruction, etc.).
- Personal data breach: Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Sub-processor: Any third-party processor engaged by ZEVRA to carry out all or part of the processing performed on behalf of the Client.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
Article 2 — Subject matter and duration
2.1 Subject matter
This DPA sets out the conditions under which ZEVRA processes personal data on behalf of the Client, exclusively in the context of performing the services provided for in the main Contract.
ZEVRA acts as a processor within the meaning of Article 28 of the GDPR. It only processes personal data on the Client's documented instructions, unless required otherwise by law.
2.2 Duration
This DPA takes effect on the date services are subscribed to and remains in force for the entire duration of the main Contract.
On the expiry or termination of the main Contract, ZEVRA deletes or returns the personal data in accordance with the terms set out in Article 9.
ZEVRA does nothing with your data beyond what is needed to provide you with the services. As soon as the contract ends, your data disappears — unless you request its return.
Article 3 — Nature, purposes, types of data and categories of persons
The table below describes the characteristics of the processing carried out by ZEVRA on behalf of the Client:
| Dimension | Detail |
|---|---|
| Nature of operations | Storage, analysis, transformation, generation, pseudonymization, search |
| Purposes of processing | Provision of the contracted services: analysis of legal documents, content generation, legal research, pseudonymization of exhibits, AI-powered assistance |
| Types of data processed | Identity of parties to disputes or deeds, procedural data, legal case files, data relating to employees or third parties, professional contact details |
| Special categories (Art. 9 GDPR) | Criminal offenses and convictions, health data, trade-union data — the Client remains solely responsible for the lawfulness of these sensitive processing operations |
| Categories of data subjects | Parties to legal proceedings, the Client's clients, employees, third parties mentioned in legal deeds or documents |
If your case files contain special categories of data (health data, criminal offenses, trade-union membership — Art. 9 GDPR), you are solely responsible for the legal basis authorizing their processing. ZEVRA does not verify the lawfulness of such processing and cannot substitute itself for you in this respect.
Article 4 — ZEVRA's obligations
In its capacity as processor, ZEVRA undertakes to comply with the following eight core obligations:
4.1 Documented instructions
ZEVRA only processes personal data on the basis of the Client's documented instructions. In the absence of instructions, no processing is carried out, unless required by law.
4.2 Staff confidentiality
ZEVRA ensures that persons authorized to process personal data are bound by an appropriate confidentiality obligation or by a statutory duty of confidentiality.
4.3 Security measures
ZEVRA implements the technical and organizational measures set out in Article 5 to ensure a level of security appropriate to the risk.
4.4 Sub-processors
ZEVRA complies with the conditions for engaging sub-processors set out in Article 6, in particular the Client's prior information and right to object.
4.5 Assistance with data subject rights
ZEVRA assists the Client, as far as possible, in handling data subjects' requests to exercise their rights: access, rectification, erasure, portability, objection.
4.6 Security and compliance assistance
ZEVRA helps the Client ensure compliance with obligations relating to security, data protection impact assessments (DPIAs) and prior consultation of the CNIL where required.
4.7 Audits and information
ZEVRA makes available to the Client all information necessary to demonstrate compliance with its obligations. Any audit requires 30 working days' written notice.
4.8 Compliance alert
ZEVRA immediately informs the Client if, in its opinion, an instruction infringes the GDPR or any other applicable data protection provision.
Article 5 — Security measures
ZEVRA implements the following measures to ensure the security, confidentiality and integrity of the personal data processed.
Technical measures
- Encryption in transit: all communications are encrypted via TLS 1.2 minimum
- Access control (RBAC): access to data limited according to role and need-to-know
- Logging: traceability of access and operations on the data
- Pseudonymization: implemented within Lexform Pro for sensitive legal documents
- Environment separation: development, test and production environments strictly isolated
- Encrypted backups: regular backup copies with encryption at rest
- Vulnerability management: continuous monitoring, security patches applied as quickly as possible
Organizational measures
- Internal confidentiality policy: documented internal rules on the handling of personal data
- Staff training: regular awareness-raising on data protection issues
- Breach procedure: formal processes for detecting, analyzing and notifying security incidents
- Limited access: the least-privilege principle applied to all access to data
- Sub-processor selection: assessment of the safeguards offered by sub-processors before any engagement
Article 6 — Sub-processors
6.1 Current list
The Client authorizes ZEVRA to engage the sub-processors listed in Appendix A. This authorization applies for the entire duration of the main Contract.
6.2 Changes to the list
Before adding or replacing any sub-processor, ZEVRA notifies the Client in writing with 30 calendar days' notice. This notification states:
- The identity of the new sub-processor
- The country of establishment and the place of processing
- The nature of the subcontracted activities
- The applicable transfer mechanism if the data leaves the EEA
The Client has a right to object on reasoned grounds within 30 days. In the event of an unresolved objection, the Client may terminate the Contract free of charge on the basis of this change.
6.3 ZEVRA's responsibility
ZEVRA imposes on each sub-processor data protection obligations equivalent to those of this DPA. ZEVRA remains fully liable to the Client for its sub-processors' compliance with these obligations.
If ZEVRA changes a technical provider that touches your data, you are informed 30 days in advance. You can refuse — and if the disagreement persists, you can leave without penalty.
Article 7 — Transfers outside the European Union
Some of ZEVRA's sub-processors are established outside the European Economic Area (EEA), in particular in the United States. These transfers are governed by the following mechanisms, in accordance with Chapter V of the GDPR:
- Standard Contractual Clauses (SCCs) adopted by the European Commission in decision 2021/914 of 4 June 2021, applicable to all transfers to third countries without an adequacy decision
- EU-US Data Privacy Framework (DPF) where the sub-processor is certified, in addition to the SCCs
The details of the transfer mechanisms applicable to each sub-processor are set out in the table in Appendix A.
When your data passes through US servers (e.g. Anthropic for the AI models), GDPR-compliant contracts apply. These safeguards are imposed before any data exchange.
Article 8 — Data breach notification
8.1 Notification deadline
In the event of a personal data breach, ZEVRA notifies the Client within 72 hours of becoming aware of it, electronically at the address provided on subscription.
8.2 Content of the notification
The notification contains, as far as possible at the time it is sent, the following information:
- The nature of the breach: type of incident, probable cause, identified attack vector
- The categories and approximate number of data subjects affected
- The categories and approximate number of personal data records concerned
- The likely consequences of the breach
- The measures taken or planned to address the breach and mitigate its effects
- The contact details of the point of contact at ZEVRA
8.3 Phased communication
Where all the information is not available within the 72-hour deadline, ZEVRA may provide the information in phases, without undue further delay, stating the reasons for the delay.
8.4 Client's responsibility
It is for the Client, in its capacity as Controller, to assess whether the breach must be notified to the competent supervisory authority (CNIL) and/or to the data subjects, in accordance with Articles 33 and 34 of the GDPR.
If something goes wrong with your data, you are notified in under 72 hours with everything we know. It is then up to you to decide whether the CNIL and your clients need to be informed.
Article 9 — Fate of data on termination of the contract
On the expiry or termination of the main Contract, the Client has 30 calendar days to exercise its right of choice:
- Option 1 — Return: ZEVRA returns all of the Client's personal data in a structured, commonly used format (JSON or CSV), enabling portability to another service.
- Option 2 — Secure destruction: ZEVRA carries out the secure and permanent deletion of all personal data and of all existing copies, and provides the Client with a certificate of destruction.
- Default option: In the absence of an express request within the 30-day period, ZEVRA proceeds with the permanent deletion of the data without an automatic certificate.
- Legal exception: ZEVRA may retain certain data beyond this period only where a legal or regulatory obligation requires it, and for the period strictly necessary to comply with that obligation.
When you leave, you choose: retrieve your data (JSON or CSV format) or have it erased with a certificate. If you say nothing within 30 days, we erase everything.
Article 10 — Liability
10.1 Client's liability
The Client is solely responsible for the compliance of the personal data processing it entrusts to ZEVRA, in particular:
- Determining the legal bases for the processing
- Informing and, where applicable, obtaining the consent of the data subjects
- The lawfulness of processing special categories of data (Art. 9 GDPR)
- Compliance with data subjects' rights as Controller
10.2 ZEVRA's liability
ZEVRA's liability as a processor is engaged in accordance with the provisions of Article 82 of the GDPR, within the limits and conditions set out in Article 7.5 of the GTSU.
ZEVRA is not liable for damage caused by the Client or by instructions transmitted by the Client that do not comply with the GDPR.
Article 11 — Governing law and jurisdiction
This DPA is governed by French law, without prejudice to the mandatory provisions of the GDPR applicable in the European Union.
In the event of a dispute relating to the interpretation or performance of this DPA, the parties agree to apply the jurisdiction rules set out in Article 16 of ZEVRA's GTSU.
This DPA is drawn up in French. In the event of translation into another language, the French version prevails.
Appendix A — List of sub-processors
The list below sets out the sub-processors engaged by ZEVRA at the time this DPA is signed, in accordance with Article 6.1.
| Sub-processor | Country | Activity | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | United States | Application hosting and runtime infrastructure | SCCs (2021/914) + EU-US DPF |
| Anthropic PBC | United States | Claude language models (AI inference) | SCCs (2021/914) |
| OpenAI LLC | United States | GPT language models (AI inference) | SCCs (2021/914) + EU-US DPF |
| Google LLC | United States | Gemini language models (AI inference) | SCCs (2021/914) + EU-US DPF |
| DILA | France | Légifrance API — read access to official legal texts | EU — no transfer outside the EEA |
These providers let us run the AI tools and host the application. Each is bound by a contract guaranteeing the protection of your data. DILA (Légifrance) is French: your data does not leave Europe through this channel.
Signature and acceptance
This DPA is accepted without reservation by the Client at the time of subscribing to Zevra's services. This online acceptance constitutes an electronic signature within the meaning of Article 1366 of the French Civil Code.
For custom development engagements, a formal signature of this DPA may be required by either party. In that case, ZEVRA is represented by:
- Representative: Alexis Deborde, President of ZEVRA SAS
- contact@zevra.tech
ZEVRA SAS — Alexis Deborde, President — Le Pradet (83)