DATA PROCESSING AGREEMENT (DPA)

Toucan Toco - AI-Native Embedded Analytics Effective Date: May 2026

PREAMBLE

This Data Processing Agreement ("DPA") is entered into between:

DATA CONTROLLER:

• Name: [Customer Name]
• Email: [Customer Contact]
• Address: [Customer Address]
•  

DATA PROCESSOR:

• Name: Toucan Toco SAS
• Address: 59 rue de Ponthieu, Bureau 562, 75008 Paris, France
• Contact: charles.miglietti@toucantoco.com
•  

PURPOSE: This DPA applies when the Customer uploads, stores, or processes personal data (as defined by GDPR) using Toucan Toco's Service.

LEGAL BASIS: This DPA is mandated by Article 28 GDPR and supplements the Terms of Service.

1. DEFINITIONS

Personal Data: Any information relating to an identified or identifiable natural person (GDPR Article 4(1)).

Data Controller: The entity that determines the purposes and means of Personal Data processing (the Customer).

Data Processor: The entity that processes Personal Data on the Controller's behalf (Toucan Toco).

Processing: Any operation on Personal Data (collection, storage, modification, deletion, transmission, etc.).

Subprocessor: Any entity authorized by Toucan Toco to process Personal Data (listed in Section 7).

Data Subject: The individual to whom Personal Data relates.

Personal Data Breach: Unauthorized access to or disclosure of Personal Data.

2. SCOPE & APPLICABILITY

This DPA applies only when:

• Customer uploads, imports, or stores data containing Personal Data in the Service, AND
• That Personal Data will be processed by Toucan Toco on Customer's behalf
  

This DPA does NOT apply to:

• Customer's personal account data (email, profile, usage logs) — covered by Privacy Policy
• Aggregated, anonymized data
• Data that does not identify individuals
• Service improvement based on anonymized insights

3. CUSTOMER'S RESPONSIBILITIES (DATA CONTROLLER)

3.1 Lawful Basis & Consent

Customer warrants that it:

• Has a lawful basis (consent, contract, legal obligation, legitimate interest, etc.) to process Personal Data
• Has informed Data Subjects that their data will be processed by Toucan Toco
• Has obtained consent where required by law
• Complies with all applicable data protection laws (GDPR, French DPA, etc.)
  

3.2 Data Subject Rights

Customer is responsible for responding to Data Subject requests:

• Right of access: Provide a copy of their Personal Data
• Right to rectification: Correct inaccurate data
• Right to erasure: Delete data (exceptions apply)
• Right to restrict processing: Limit how data is used
• Right to data portability: Receive data in portable format
• Right to object: Opt-out of processing

Toucan Toco will assist with requests (see Section 6.6).

3.3 Compliance & Documentation

Customer must:

• Maintain a record of processing activities (GDPR Article 30)
• Conduct Data Protection Impact Assessments (DPIA) if high-risk
• Notify Toucan Toco of any legal requirements affecting Personal Data processing
• Ensure Authorized Users comply with this DPA

4. TOUCAN TOCO'S OBLIGATIONS (DATA PROCESSOR)

4.1 Processing Instructions

Toucan Toco will:

• Process Personal Data only per Customer's documented instructions
• Not process for any purpose beyond what Customer authorizes
  
• Not transfer Personal Data outside the EU without explicit authorization

4.2 Confidentiality & Training

Toucan Toco will:

• Ensure all personnel handling Personal Data sign confidentiality agreements
• Train staff on data protection and security
• Limit access to those with a legitimate business need

4.3 Security Measures

Toucan Toco will implement:

• Encryption: TLS 1.2+ in transit, AES-256 at rest
• Access controls: Role-based access, strong authentication, multi-factor options
• Audit logs: All access to Personal Data is logged and monitored
• Network security: Firewalls, DDoS protection, intrusion detection
• Data center security: France-based, ISO 27001 certified hosting
• Incident response: 72-hour breach notification protocol
• Regular testing: Annual security audits and penetration testing

4.4 International Transfers

Toucan Toco will:

• Keep Personal Data within the EU (France) by default
• If transfer outside EU/EEA is necessary, use Standard Contractual Clauses (SCCs)
• Assess adequacy decisions (Schrems II) and implement supplementary safeguards
• Notify Customer before any non-EU subprocessor engagement

5. DATA SUBJECT RIGHTS & ASSISTANCE

5.1 Access Requests

If a Data Subject requests access to their Personal Data, Customer should:

Send the request to Toucan Toco at: charles.miglietti@toucantoco.com

Include: Data Subject's identity, purpose of request, deadline (if legally mandated)

Toucan Toco will respond within 14 days with available Personal Data.

5.2 Deletion Requests (Right to Erasure)

If a Data Subject requests deletion:

• Customer sends request to Toucan Toco
• Toucan Toco deletes Personal Data within 14 days (exceptions: legal holds, fraud prevention)
• Backups are deleted within 90 days

5.3 Data Portability

If a Data Subject requests their data in portable format:

• Customer notifies Toucan Toco
• Toucan Toco provides data in CSV/JSON within 14 days

5.4 Restriction & Objection

If a Data Subject requests restrictions or objects to processing:

• Customer informs Toucan Toco
• Toucan Toco limits processing per instructions

6. DATA BREACHES & INCIDENT RESPONSE

6.1 Notification Obligation

If Toucan Toco discovers or suspects a Personal Data breach:

• We notify Customer within 72 hours via email
• Notification includes: nature of breach, likely impact, remedial actions
• We assist Customer in notifying Data Subjects and authorities (if required)

6.2 Customer's Obligation

Customer is responsible for:

• Notifying affected Data Subjects (if legally required)
• Notifying authorities (CNIL, etc.) within 72 hours (if required)
• Managing public communication

Toucan Toco will cooperate and provide all necessary information.

6.3 Investigation & Remediation

Upon breach discovery, Toucan Toco will:

• Immediately contain the breach and prevent further access
• Investigate root cause
• Provide a written incident report (timeline, scope, remedial actions)
• Implement preventive measures to avoid recurrence

7. SUBPROCESSORS & VENDORS

7.1 Authorized Subprocessors

Toucan Toco may use subprocessors (third parties) to process Personal Data. Current subprocessors:

7.2 Change of Subprocessors

If Toucan Toco engages a new subprocessor:

• We notify Customer at: charles.miglietti@toucantoco.com
• We provide 30 days' notice before processor change
• Customer may object if there is a compelling legitimate reason
• If objected, Customer may terminate without penalty

7.3 Subprocessor Obligations

All subprocessors must:

• Sign a Data Processing Agreement (DPA) equivalent to this one
• Implement equivalent security measures
• Not further transfer Personal Data without authorization

8. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

If Customer processes high-risk Personal Data (e.g., special categories, large scale, biometric data), Customer should conduct a DPIA.

Toucan Toco will provide:

• Technical documentation of security measures
• Assistance with DPIA questionnaires
• Information on processing activities

9. AUDIT & COMPLIANCE

9.1 Audit Rights

Customer may audit Toucan Toco's compliance with this DPA:

• Written request to: charles.miglietti@toucantoco.com
• At least 30 days' notice required
• Maximum once per year (unless there is a compliance concern)
• Customer bears audit costs unless non-compliance is found

9.2 Certification & Standards

Toucan Toco:

• Maintains ISO 27001 certification (information security)
• Complies with EU Cloud Code of Conduct (where applicable)
• Undergoes annual SOC 2 or similar third-party audits

Audit reports are available upon request (under confidentiality agreement).

9.3 Compliance Documentation

Toucan Toco will provide (upon request):

• Subprocessor agreements
• Security policies and procedures
• Incident response plans
• Data retention schedules

10. DATA RETENTION & DELETION

10.1 Retention Period

Personal Data is retained for:

• Active accounts: Duration of contract + 30 days after termination
• Legally required data: As mandated (e.g., tax, audit compliance)
• Backups: Up to 90 days after deletion
• Aggregated insights: Indefinitely (cannot identify individuals)

10.2 Deletion Process

Upon Customer request or contract termination:

• Toucan Toco deletes Personal Data within 30 days
• Backup deletion within 90 days
• Written confirmation of deletion provided upon request
• Exception: Legally mandated retention (with proof)

10.3 Customer's Right to Export

Before or upon termination, Customer may:

• Request all Personal Data in portable format (CSV, JSON)
• Export takes up to 30 days
• No additional charge if requested during contract term

11. CROSS-BORDER TRANSFERS & SCHREMS II

11.1 EU/EEA Data

Personal Data from EU/EEA Data Subjects is stored in the EU (France). No transfers outside EU unless:

• Customer explicitly authorizes, OR
• Required by law with proper safeguards
  
  
  

11.2 Standard Contractual Clauses (SCCs)

For any non-EU subprocessor (e.g., US vendors):

• Toucan Toco executes EU-approved SCCs
• Supplementary safeguards implemented per Schrems II guidance
• Transfer Impact Assessment (TIA) conducted
• Customer notified of any transfer changes

11.3 Adequacy Decisions

Toucan Toco monitors EU adequacy decisions and adjusts safeguards if necessary (e.g., if US adequacy is withdrawn).

12. DATA SECURITY & INCIDENT MANAGEMENT

12.1 Security Standards

Toucan Toco implements security measures meeting:

• GDPR Article 32 requirements (encryption, access controls, integrity, resilience)
• ISO 27001 standard practices
• Industry best practices for data analytics platforms
•  

12.2 Vulnerability Management

• Regular penetration testing and vulnerability assessments
• Annual security audits by third parties
• Immediate response to identified vulnerabilities
• Security patches deployed within 7 days of discovery
•  

12.3 Business Continuity

• Backup systems in multiple EU data centers
• Recovery Time Objective (RTO): <4 hours
• Recovery Point Objective (RPO): <1 hour
• Annual business continuity testing

13. EMPLOYEE TRAINING & CONFIDENTIALITY

Toucan Toco will:

• Train all staff handling Personal Data on GDPR and data protection
• Require confidentiality agreements from all employees
• Limit access to those with a business need
• Remove access immediately upon termination

14. TERMINATION & EFFECT

14.1 Termination

This DPA terminates automatically when:

• Customer's Service contract ends, OR
• Personal Data is no longer processed via the Service

14.2 Survival

Sections 4, 9, 11, 12, and 13 survive termination for 5 years.

14.3 Return or Deletion

Upon termination:

• Customer may export Personal Data (within 30 days)
• Toucan Toco deletes remaining data within 30 days
• Written confirmation upon request

15. DISPUTE RESOLUTION & GOVERNING LAW

15.1 Governing Law

This DPA is governed by French law (GDPR as implemented in France).

15.2 Dispute Resolution

1. Parties will attempt amicable resolution within 30 days
2. If unresolved, disputes are subject to the jurisdiction of the Courts of Paris
3. Either party may seek provisional measures in competent courts
4.  

15.3 Supervisory Authority

Customer may lodge a complaint with relevant data protection authority:

• France: CNIL (Commission Nationale de l'Informatique et des Libertés)
• Other EU: National Data Protection Authority

16. AMENDMENTS & CHANGES

This DPA may be amended:

• By mutual written agreement, OR
• If required by law (with 30 days' notice)

Material changes require Customer's acceptance. If disagreed, Customer may terminate without penalty.

17. ENTIRE AGREEMENT

This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding Personal Data processing.

In case of conflict:

• This DPA prevails (specific to data processing)
• Privacy Policy prevails over Terms (specific to privacy)

APPENDIX A: TECHNICAL & ORGANIZATIONAL MEASURES

Toucan Toco implements the following security measures (Article 32 GDPR):

A.1 Technical Measures

A.2 Organizational Measures

APPENDIX B: SUBPROCESSOR CONTACT INFORMATION

Hosting & Infrastructure:

• Contact: dpo@scaleway.com
•  

Payment Processing:

• Stripe Inc., USA (EU entity: Ireland)
• Contact: privacy@stripe.com
•  

Customer Support:

• Zendesk, USA
• Contact: privacy@zendesk.com
•  

Analytics:

• Amplitude, USA
• Contact: privacy@amplitude.com
•  

For questions about any subprocessor, contact: charles.miglietti@toucantoco.com

APPENDIX C: DATA SUBJECT REQUEST FORM

If you are a Data Subject requesting access to your Personal Data, provide:

Full Name: ___________________

Email: ___________________

Organization (if known): ___________________

Type of request:

[ ] Access

[ ] Deletion

[ ] Portability

[ ] Rectification

[ ] Restriction

[ ] Objection

[ ] Other: ___________________

Description of request:

___________________________________________________________

___________________________________________________________

Deadline (if legally required):

___________________________________________________________

Signature: ___________________ Date: ___________________

Submit to: charles.miglietti@toucantoco.com

Response time: Within 14 days (extendable to 60 days for complex requests)

Last Updated: May 2026 Version: 1.0 Language: English

For French version or questions, contact: charles.miglietti@toucantoco.com