Data Processing Agreement (DPA)
Last updated
This DPA forms part of the Janore Terms of Service and applies whenever Janore SAS ("Processor") processes personal data on behalf of a Customer ("Controller").
1. Subject matter
Processor processes personal data submitted by Controller's end-visitors (chat messages, names, emails) to provide the Janore Service.
2. Duration
For the duration of the Customer's subscription, plus a 30-day grace period after termination during which data is held for export, then permanently deleted.
3. Nature and purpose of processing
- Storing chat messages for reply-context retrieval.
- Embedding ingested knowledge for similarity search.
- Routing escalations to Customer's email / Slack / webhook.
- Providing analytics aggregated to the Customer.
4. Categories of data subjects
- Customer's end-users (visitors interacting with the Assistant).
- Customer's staff (admin / dashboard users).
5. Categories of personal data
- Identifiers (email, name when volunteered in chat).
- Communication content (chat messages).
- Technical metadata (IP address — hashed before storage; user-agent).
6. Sub-processors
See the Privacy Policy for the full list. Notice of any sub-processor change is provided at least 30 days in advance via email.
7. Security measures
- Encryption at rest (Supabase / AES-256) and in transit (TLS 1.3 enforced).
- Row-level security (RLS) isolation per customer workspace at the database layer.
- Access control: SSO + 2FA mandatory for all Janore staff with prod access.
- Quarterly access reviews + automated key rotation.
- Incident response: 72-hour notification of any data breach affecting Customer data.
8. Customer rights & data subject requests
Customer has full export and deletion control via the Dashboard. Data subject requests received by Processor are forwarded to Customer within 48 hours.
9. International transfers
All Customer data is hosted in the EU (Supabase region). LLM inference may be executed in the US by OpenAI / Anthropic where no EU region is available; in that case Standard Contractual Clauses (2021/914) apply.
10. Termination
On termination, Processor returns or deletes all Personal Data within 30 days, at Customer's choice. Backups are deleted within 90 days.
// FOUNDER TO REVIEW: to be validated by a lawyer before signature with a Pro+ customer. Template compliant with Article 28 GDPR.