DATA PROCESSING AGREEMENT (DPA)
Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)
Effective date: 20/05/2026
Parties
Data Controller (DC):
Any legal entity or natural person (hereinafter "the Customer") using DOMOD Services in the context of which DOMOD SAS acts as a processor for the processing of personal data for which the Customer is the controller.
Company name: DOMOD SAS
Registration: RCS Paris – SIREN 101 465 441
Contact: info@domod.build
Website: https://www.domod.build/
This Data Processing Agreement (hereinafter "DPA") forms an integral part of the Terms of Service (ToS) concluded between DOMOD SAS and the Customer. It applies whenever DOMOD SAS processes personal data on behalf of the Customer in the course of providing the Services.
Article 1 — Subject Matter and Duration
1.1 This DPA defines the conditions under which DOMOD SAS, as a processor within the meaning of Article 4(8) GDPR, processes personal data on behalf of the Customer, as data controller.
1.2 This DPA takes effect on the date of Customer account creation and remains in force for the duration of the main services contract.
Article 2 — Nature, Purpose and Characteristics of Processing
2.1 Nature:
Collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission or any other form of making available, alignment or combination, restriction, erasure or destruction of personal data.
2.2 Purposes:
Processing is carried out solely for the purpose of providing DOMOD Services, including: hosting and managing Customer project data; managing Customer user accounts; providing platform features; technical support; platform improvement (aggregated and anonymised data only).
2.3 Types of personal data:
- Identification data: names, email addresses, phone numbers
- Professional data: company name, position, professional contact details
- Project data: worksite information, tasks, documents, estimates
- Connection data: IP addresses, activity logs
- Any personal data the Customer chooses to integrate into the Platform
2.4 Categories of data subjects:
- Customer's employees, collaborators, sub-contractors
- Customer's clients and prospects
- Any third parties whose data the Customer integrates into the Platform
Article 3 — Processor Obligations (DOMOD SAS)
DOMOD SAS undertakes to:
3.1 Process on documented instructions only — Process personal data only on documented instructions from the Customer, including with regard to transfers to third countries, unless required to do so by law.
3.2 Confidentiality — Ensure that authorised persons are subject to appropriate confidentiality obligations.
3.3 Security — Implement appropriate technical and organisational measures as set out in Article 5 of this DPA.
3.4 Sub-processing — In accordance with Article 28(2) GDPR, DOMOD SAS engages sub-processors to deliver its Services. By accepting this DPA, the Customer grants DOMOD SAS general written authorisation to engage the sub-processors listed in Article 4 of this DPA, as well as any additional sub-processors that DOMOD SAS may require in the normal course of developing its Services.
DOMOD SAS will inform the Customer of any addition or replacement of a sub-processor by publishing an updated list at sub-processors or by email notification, with a minimum advance notice of thirty (30) days.
The Customer has thirty (30) days from notification to submit a reasoned written objection to info@domod.build. In the absence of an objection within this period, the change is deemed accepted. If a valid objection is raised that DOMOD SAS cannot resolve, either party may terminate the services contract on this ground alone, without penalty, with thirty (30) days' notice.
3.5 Assistance — Assist the Customer in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, objection, restriction).
3.6 Breach notification — Notify the Customer as soon as possible, and no later than 48 hours after becoming aware, of any personal data breach, and provide the information necessary to allow the Customer to meet its notification obligations to the supervisory authority.
3.7 Deletion on termination — On termination of services, delete all personal data or return it to the Customer, as the Customer chooses, and delete existing copies, unless required to retain them by law.
Article 4 — Sub-processors
4.1 The Customer authorises DOMOD SAS to use the following sub-processors:
Sub-processor | Country | Processing subject
Stripe Payments Europe, Ltd. | Ireland / EU | Payment processing
Hetzner Online GmbH | Germany (EU) | Server infrastructure and data storage
4.2 DOMOD SAS will notify the Client of any upcoming changes to the composition of subprocessors thirty (30) days in advance. The Client has the right to object within this period; if no objection is made, the changes are considered accepted.
Article 5 — Security Measures
DOMOD SAS implements the following measures:
- Encryption of data in transit (minimum TLS 1.2)
- Encryption of data at rest
- Role-based access control (RBAC) and least privilege principle
- Secure authentication (hashed passwords, two-factor authentication option)
- Logging of access and sensitive actions
- Regular backups with restoration testing
- Security incident response plan
- Staff training on data security best practices
Article 6 — International Transfers
6.1 DOMOD SAS transfers personal data to third countries only under the following conditions:
- An adequacy decision of the European Commission for the recipient country;
- Implementation of Standard Contractual Clauses (SCCs) adopted by the European Commission;
- Existence of Binding Corporate Rules (BCRs);
- Any other transfer mechanism recognised under the GDPR.
6.2 Stripe Payments Europe, Ltd. is certified under the EU-US Data Privacy Framework, providing an appropriate safeguard for transfers to the United States.
6.3 Hetzner Online GmbH is a provider established in Germany, within the European Union. Data processing by Hetzner does not constitute a transfer to a third country within the meaning of the GDPR and requires no specific transfer mechanism.
Article 7 — Controller Obligations (Customer)
The Customer undertakes to:
- Provide only lawful instructions to DOMOD SAS in compliance with the GDPR and applicable law;
- Ensure that data subjects have been informed of the processing of their data in accordance with Articles 13 and 14 of the GDPR;
- Ensure that a legal basis exists for each processing operation entrusted to DOMOD SAS;
- Inform DOMOD SAS of any regulatory developments that may affect the processing covered by this DPA;
- Document any instruction given to DOMOD SAS.
Article 8 — Retention and Deletion
8.1 Upon expiry or termination of the services contract:
- DOMOD SAS makes the data available to the Customer for export for thirty (30) days.
- After this period, DOMOD SAS proceeds with secure deletion of all Customer data, unless required by law to retain it.
8.2 Certain data may be retained beyond this period to comply with legal obligations (accounting: 10 years; connection logs: 12 months, etc.).
Article 9 — Governing Law and Disputes
This DPA is governed by French law. Any dispute relating to the interpretation or performance of this DPA shall be submitted to the competent courts of Paris, following an attempt at amicable resolution.
In the event of any conflict between this DPA and the requirements of the GDPR, the requirements of the GDPR shall prevail.
Article 10 — Record of Processing Activities
DOMOD SAS maintains and keeps up to date a record of processing activities carried out on behalf of its Customers, in accordance with Article 30(2) of the GDPR, available upon request at info@domod.build.
Last updated: 20/05/2026