Parties and roles
This Data Processing Agreement ("DPA") is entered into between you, the Amabrik customer (the "Controller"), and Vayalis (France, SIREN 987827649, Paris), which provides the Amabrik service (the "Processor", "Amabrik", "we", "us"). It forms part of, and is governed by, our Terms of Service.
This DPA applies to the personal data that your widgets capture from your website visitors and that Amabrik processes on your behalf. For that data, you are the controller and Amabrik is your processor. For your account, billing, and configuration data, Amabrik acts as a controller, as described in our Privacy Policy; that data is outside the scope of this DPA.
Subject matter and duration
The subject matter of the processing is the provision of the Amabrik service to you. This DPA takes effect when you start using Amabrik to capture personal data and continues for as long as Amabrik processes personal data on your behalf. It ends when your account is closed and the associated personal data has been deleted or returned in accordance with this DPA.
Nature and purpose of processing
Amabrik processes personal data only to provide the service, namely to receive the submissions your widgets collect (for example an email address typed into a banner or a form submission) and forward them to the tool you have connected. This processing is transient: Amabrik holds each submission only in memory for the moment needed to deliver it and does not retain a copy. Amabrik does not use this data for its own purposes, does not sell it, and does not use it to train generalized artificial intelligence models.
Categories of data subjects
The data subjects are the visitors and leads of your website who interact with an Amabrik widget you have embedded.
Categories of personal data
- Contact details, such as an email address and any name a visitor provides;
- Submission content, meaning the information a visitor enters into a widget;
- Limited technical data, such as a hashed or truncated IP address stored for abuse prevention (the raw IP address is never stored) and a timestamp.
You decide what fields your widgets collect. You must not configure widgets to collect special categories of personal data unless you have established a valid legal basis and given the required notices.
Processor obligations
Amabrik, as your processor, agrees to:
- Documented instructions. Process personal data only on your documented instructions, which are expressed through your account configuration and this DPA, including with regard to international transfers, unless required to act by law (in which case we will inform you where the law permits).
- Confidentiality. Ensure that the people authorized to process the personal data are bound by an obligation of confidentiality.
- Security. Implement appropriate technical and organizational measures, including encryption at rest for integration secrets (AES-256-GCM, with the key held only on the Worker and never exposed back to the browser), hashed passwords, encrypted connections in transit, access controls, and storing only a hashed or truncated IP address at the submit endpoint.
- No further use. Not use the personal data for any purpose other than providing the service to you.
Subprocessors
You give Amabrik a general authorization to engage subprocessors to provide the service. The current subprocessors are listed on our Subprocessors page. The email and CRM providers you can connect become subprocessors only for the submissions you choose to forward to them, and only when you connect them.
Amabrik imposes data protection obligations on each subprocessor that are no less protective than those in this DPA, and remains responsible for its subprocessors' performance. We will give you notice of any intended addition or replacement of a subprocessor, so that you have the chance to object on reasonable data protection grounds by contacting contact@amabrik.com.
Assistance with data subject requests
Taking into account the nature of the processing, Amabrik will assist you, by appropriate technical and organizational measures and insofar as possible, in responding to requests from data subjects to exercise their rights (access, rectification, erasure, restriction, portability, and objection). Because Amabrik does not retain submissions, the submitted data lives in the tool you have connected, where you can access, export, and delete it. If a visitor of your site contacts Amabrik about a submission, we will refer them to you as the controller and support you in responding.
Personal data breach notification
Amabrik will notify you without undue delay after becoming aware of a personal data breach affecting the personal data we process on your behalf, and will provide the information you reasonably need to meet your own notification obligations under the GDPR.
Deletion or return of data
Amabrik does not retain widget submissions, so there is no stored submission data for us to return or delete at the end of the service; that data resides in the tool you have connected, under your control. For the limited data Amabrik does hold on your behalf (such as the hashed or truncated IP addresses kept for abuse prevention), on termination of the service Amabrik will delete or return it, and delete existing copies, unless retention is required by law.
Audits and information
Amabrik will make available to you the information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior request, will contribute to audits and inspections, subject to confidentiality obligations and reasonable limits to protect the security and continuity of the service.
International transfers
Where personal data is transferred outside the European Economic Area, Amabrik relies on appropriate safeguards, such as adequacy decisions or the European Commission's Standard Contractual Clauses. Details of where our subprocessors operate are on the Subprocessors page.
Liability and governing law
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service. This DPA is governed by the laws of France, and the courts of Paris have exclusive jurisdiction, consistent with the Terms of Service.
A signed copy of this DPA is available on request. Contact us at contact@amabrik.com.