
DATA PROCESSING AGREEMENT

Last updated: February 6, 2026

1. Purpose and Definitions

This Data Processing Agreement (DPA) defines the conditions under which CaliaLabs processes personal data on behalf of the Client in the context of using CEREBRO.

Data Controller: The Client
Data Processor: CaliaLabs SAS (RCS Toulouse 999 513 211)

2. Nature and Purpose of Processing

Nature of operations

Analysis, detection, classification, and archiving of professional electronic communications (emails) within a regulatory compliance framework.

Purpose

Prevention of non-compliance risks (AML, fraud, MiFID II, DORA) and optimisation of sales processes.

Categories of data

Professional identification data, communication content, metadata (senders, recipients, timestamps).

3. Processor Obligations

CaliaLabs undertakes to:

  • Process data solely in accordance with the Client's documented instructions
  • Ensure the confidentiality of persons authorised to process the data
  • Implement appropriate technical and organisational measures (AES-256 encryption, MFA authentication, audit logs)
  • Assist the Client in exercising data subjects' rights
  • Notify any data breach within 24 hours
  • Delete or return data at the end of the contract

4. Sub-processing

CaliaLabs may engage sub-processors with the Client's prior consent. The list of sub-processors is available here: List of subcontractors.

CaliaLabs undertakes to impose the same data protection obligations on sub-processors.

5. Security and DORA Compliance

The CEREBRO infrastructure is designed to meet the requirements of the DORA regulation (Digital Operational Resilience Act):

  • Single-Tenant Architecture: Physical data isolation per client
  • Sovereign hosting: France (OVHcloud Gravelines)
  • End-to-end encryption: TLS 1.3, AES-256-GCM
  • Resilience: Fail-Open architecture with continuity guarantee
  • Audit trail: Immutable logs retained for 7 years

6. Audit Rights

The Client has the right to audit the security measures in place. CaliaLabs provides, upon request, SOC 2, ISO 27001 certifications and DORA compliance reports.

7. International Transfers

No transfers outside the EU. All data is stored and processed exclusively in France.

8. Term and Termination

This DPA applies for the entire duration of the service contract. At the end of the contract, CaliaLabs proceeds with the secure deletion of all data within 30 days.