Data Processing Addendum
1. Parties
Processor: Palms Sky Conv, registered in Saint-Paul, Réunion (France), at 30 T Route du Vieux Flamboyant, Saint-Gilles-Les-Hauts, 97460 Saint-Paul, Réunion.
Controller: the entity identified as "Customer" in the Service order or account.
2. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. "Personal Data", "Data Subject", "Processing", "Sub-processor", and "Supervisory Authority" have the meanings set out in Article 4 GDPR.
3. Scope & nature of processing
- Subject-matter: Processor performs document-conversion, editing, capture and related processing tasks instructed by the Controller through the Service.
- Duration: the term of the principal Service agreement, plus any post-termination retention required by law.
- Categories of data subjects: the Controller's end users, employees, customers, and any individuals whose Personal Data is contained in the files the Controller uploads.
- Categories of Personal Data: as determined by the Controller — typically names, email addresses, identifiers, and any other Personal Data contained in the documents the Controller chooses to upload.
- Special categories: only if the Controller chooses to upload them. The Controller must ensure it has a lawful basis to do so.
4. Processor duties
The Processor will: (a) process Personal Data only on the Controller's documented instructions, including for international transfers, unless required to do otherwise by EU or Member-State law; (b) ensure persons authorised to process Personal Data are subject to confidentiality obligations; (c) implement appropriate technical and organisational measures (Section 5); (d) assist the Controller in fulfilling Data-Subject rights and Articles 32-36 GDPR obligations; (e) make available all information necessary to demonstrate compliance with Article 28.
5. Security
The Processor maintains the security measures described in our GDPR statement and the technical & organisational measures set out in Annex II below.
6. Sub-processors
The Controller grants general written authorisation for the Processor to engage Sub-processors, listed at /legal/gdpr.html. The Processor will give 30 days' prior notice (by email or in-app) of any new Sub-processor; the Controller may object on reasonable data-protection grounds.
7. International data transfers
Where Personal Data is transferred outside the EEA / UK, the parties incorporate by reference the Standard Contractual Clauses (Module Two: controller-to-processor) adopted by the European Commission in Decision 2021/914 and, where the Controller is in the UK, the UK International Data Transfer Addendum (IDTA) issued by the ICO. The relevant Annexes are completed in Annex I below.
8. Assistance with data-subject rights
Taking into account the nature of the processing, the Processor will provide reasonable assistance, including by appropriate technical and organisational measures, for the fulfilment of the Controller's obligation to respond to requests for exercising data-subject rights under Chapter III GDPR.
9. Personal-data-breach notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Controller Personal Data, providing the information needed for the Controller to meet its Article 33-34 obligations.
10. Audits
The Processor will make available, on request, the latest third-party audit reports (e.g., SOC 2 Type II) covering the Service. If those reports are insufficient, the Controller may request an audit no more than once per year, on 30 days' notice, during business hours, at the Controller's expense, and subject to confidentiality obligations.
11. Return & deletion
Upon termination of the Service, the Processor will, at the Controller's choice, return or delete all Personal Data, except where retention is required by EU or Member-State law. Standard backups containing Personal Data are overwritten in the ordinary course within 30 days.
12. Liability
Each party's liability under this DPA is subject to the liability limits in the principal Service agreement, except for liability that cannot be limited under applicable law.
13. Annexes & Standard Contractual Clauses
Annex I — Description of the transfer
Data exporter: the Controller. Data importer: Palms Sky Conv.
Frequency: continuous, for the duration of the Service. Nature and purpose: as set out in Section 3. Period of retention: Personal Data inside files, ≤ 1 hour; account / billing data, term of the agreement plus statutory periods.
Competent supervisory authority: the supervisory authority of the EU Member State / UK in which the Controller is established.
Annex II — Technical & organisational measures
- Encryption in transit (TLS 1.2/1.3) and at rest (AES-256);
- Access control with MFA, least-privilege, and quarterly review;
- Segregated processing containers, hardened systemd units, automatic file deletion (≤1h);
- Vulnerability management with monthly patch cadence;
- Annual third-party penetration test;
- 24/7 monitoring, alerting, and incident-response procedures;
- Mandatory security and privacy training for all staff;
- Documented disaster-recovery plan and tested backups.
Annex III — Sub-processors
See the up-to-date list at /legal/gdpr.html#subprocessors.