Data Processing Agreement

Last updated: January 25, 2025

1. PARTIES

This Data Processing Agreement (the "Agreement") is entered into between:

The Data Controller ("you", "your"): The legal entity owning the application using iaptic services.

The Data Processor ("we", "our", "us"): Iaptic SAS, a company registered in France under SIRET number 88837387500010, with its registered office at 128 rue La Boétie, 75008 Paris, France.

2. DEFINITIONS

In this Agreement, unless the context requires otherwise:

  • "Service" means the iaptic.com platform and associated services.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "End User" means any user of the Data Controller's application.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.

3. PURPOSE OF PROCESSING

The purpose of data processing under this Agreement is strictly limited to the operation of the Service, specifically for:

  • (a) validating in-app purchases;
  • (b) managing subscriptions;
  • (c) analyzing transaction statistics; and
  • (d) providing technical support.

The categories of data processed include information about the initial download of your application, transaction states, device information, and request logs. The exact scope of processing depends on your specific requirements as the Data Controller.

4. DATA LOCATION AND SUB-PROCESSORS

All data is processed and stored within the European Union, specifically in data centers located in Germany and Finland, operated by Hetzner. No data transfers outside the EU occur as part of our regular operations.

We engage the following sub-processors, all of whom are GDPR-compliant:

  • Fovea for service operations
  • Apple for iOS/macOS purchase validation
  • Google for Android purchase validation
  • CloudFlare for communications protection
  • Sentry for service monitoring
  • Hetzner for hosting services

5. SECURITY MEASURES

We implement and maintain appropriate technical and organizational security measures, including:

Access Control: System administrator access is strictly limited and requires encrypted VPN connections and multi-factor authentication, following the principle of least privilege.

Encryption: All communications are encrypted using TLS, and sensitive data is encrypted at rest using industry-standard encryption methods. Encryption keys are securely managed and regularly rotated.

Redundancy: Data is duplicated across multiple data centers, with daily backups retained for seven days to ensure data integrity and availability.

6. DATA RETENTION

We retain active data for the duration of our contractual relationship. Accounts inactive for more than two years will be automatically flagged for deletion. Following service termination, we retain data for 90 days to allow for data export requests, after which all personal data is either deleted or anonymized in compliance with GDPR requirements.

7. DATA SUBJECT RIGHTS

We acknowledge that End Users have specific rights under the GDPR, including access, rectification, erasure, and data portability. As the Data Processor, we will assist you in fulfilling these rights by providing necessary technical measures. All requests from End Users should be directed through you as the Data Controller, and we will respond to your requests within 30 days.

8. DATA BREACH NOTIFICATION

In the event of a personal data breach, we will notify you without undue delay and within 48 hours of becoming aware of the breach. Notification will be sent via secure email and will include:

  • The nature of the breach
  • The likely consequences
  • The measures taken or proposed to address the breach

We will fully cooperate in any investigation and remediation efforts.

9. CONFIDENTIALITY

We maintain strict confidentiality standards. Our personnel are bound by confidentiality agreements and receive regular security and privacy training. We implement documented procedures and regular audits to ensure continuous improvement of our security measures.

10. AUDIT AND COMPLIANCE

You have the right to audit our compliance with this Agreement once per year, subject to reasonable notice and at your expense. We will provide relevant security certifications, compliance reports, and technical documentation to demonstrate our compliance.

11. TERMINATION

Upon termination of services, we will:

  • Provide a mechanism for data export
  • Issue a verifiable deletion certificate
  • Maintain confidentiality obligations
  • Retain only data required by law

12. LIABILITY

Our liability under this Agreement is subject to the limitations set forth in our Terms and Conditions. We maintain professional liability and cyber-risk insurance coverage appropriate to the services we provide.

13. FINAL PROVISIONS

This Agreement is governed by French law and subject to the exclusive jurisdiction of the Paris courts. Any modifications to this Agreement require mutual written consent and version control.

14. CONTACT INFORMATION

For data protection matters:

Data Protection Officer
Email: [email protected]
Address: 128 rue La Boétie, 75008 Paris, France

For technical support:

Email: [email protected]