Data Processing Agreement (DPA)
Between the undersigned:
Carform SAS, a simplified joint stock company, registered with the RCS of Grasse under number 901 823 617, registered office: 535 Route des Lucioles, Les Aqueducs – 06560 Valbonne, acting as the Processor;
and
The professional Client using the Carform Platform, acting as the Controller, as defined in Carform’s General Terms and Conditions of Use and Sale (CGU/CGV).
Collectively referred to as “the Parties.”
1. Purpose and Term
Carform processes, on behalf of the Client, personal data necessary for the provision of its SaaS services for automotive after-sales management via the Carform Platform (appointment management, workshop tracking, notifications, reporting, etc.).
This DPA applies for the entire duration of the contract binding the Parties under Carform’s CGU/CGV, from the implementation of the Services until their termination or expiration.
2. Nature of Data, Purposes, and Data Subjects
Element | Description |
---|---|
Data | Identity (first name, last name), contact details (email, phone), vehicle registration numbers, schedules, communications (SMS, emails), postal addresses where applicable, end-customer data (when provided by the Client), in accordance with the CGU and Carform’s Privacy Policy. |
Purposes | Appointment management, workshop/mission follow-up, sending notifications (SMS/email), reporting, task tracking, customer support, communication through usual channels (email, phone, Platform interface), service improvement. |
Data Subjects | Authorized Client users (administrators, users defined in the CGU), and, where applicable, the Client’s end customers (vehicle owners, natural persons whose data is collected) when necessary for the purposes above. |
3. Subcontractors and Hosting
The data is hosted within the European Union, on the Google Cloud Platform infrastructure.
For SMS delivery, Carform uses Twilio as a service provider.
Carform guarantees that these providers comply with GDPR requirements, in particular with regard to security, data location, and any potential transfers.
4. Obligations of the Processor (Carform)
Carform undertakes to:
Processing on Instructions
- Process data only in accordance with the Client’s documented instructions.
- If Carform considers that an instruction violates GDPR or other applicable provisions, it shall immediately inform the Client.
Confidentiality and Security
- Ensure the confidentiality of the personal data processed.
- Ensure that authorized persons (employees, subcontractors) are bound by confidentiality obligations and receive appropriate data protection training.
- Implement appropriate technical and organizational measures, including but not limited to: pseudonymization, encryption, integrity and availability safeguards, system resilience, regular backups, business continuity and disaster recovery planning, security testing/audits, and access control.
Data Subject Rights
- Assist the Client in responding to data subject requests under GDPR: right of access, rectification, erasure, restriction, objection, portability, and the right not to be subject to automated decision-making.
- Where such a request is made directly to Carform as Processor, Carform shall promptly forward it to the Client in accordance with documented procedures.
Data Breach Notification
- Notify the Client of any personal data breach within 48 hours of becoming aware of it.
- Provide all necessary information: nature of the breach, categories and number of data subjects, categories and number of data records, possible consequences, corrective measures taken or planned.
- Provide documentation necessary to allow the Client to comply with legal obligations (including notifications to supervisory authorities).
Audit, Documentation, Compliance
- Make available to the Client all information necessary to demonstrate compliance with GDPR obligations.
- Allow reasonable audits or inspections at the Client’s request, subject to reasonable prior notice, including access to records, logs, and relevant documentation.
- Maintain a record of processing activities carried out on behalf of the Client, including possible transfers and subsequent subprocessors.
Subprocessing
- Carform may engage subprocessors (technical providers, hosting, SMS, emailing, etc.) provided that they comply with GDPR obligations at least equivalent to those set out in this DPA.
- The Client will be informed in advance and in writing of any addition or replacement of a subprocessor, with details of activities, identity, contact details, and effective date.
- The Client has 30 days to object on legitimate grounds.
5. End of Contract, Data Return/Deletion
At the end of the service or contract (termination or expiration), Carform shall return to the Client all personal data processed on its behalf in the structured format defined in the contract, or, failing that, in a commonly used format, or shall delete such data entirely unless otherwise required by law.
Carform shall provide written proof of data destruction/deletion (logs, certificates, etc.) and retain only what is strictly necessary to meet legal obligations (e.g. tax documentation), in accordance with applicable retention periods.
6. Notification of Changes to the DPA
Carform may propose amendments to this DPA. Any new version will be notified to the Client at least 30 days prior to its effective date.
The Client will have the opportunity to review the new version, to raise objections (within a reasonable period), and must explicitly accept the modified version if the changes are substantial.
7. DPO Contact and Support
Data Protection Officer (DPO): contact@carform.io, subject: DPO.
The Client may use all usual Carform customer service channels (email, Platform interface, phone, etc.) for any request for assistance or question relating to this DPA or to data protection.
8. Miscellaneous Provisions
Reference to CGU / Privacy Policy: This DPA complements Carform’s CGU and Privacy Policy, and forms part of the contractual relationship defined by these documents.
Governing Law: This DPA is governed by applicable French and European data protection law.
Version and Acceptance: The current DPA is the one accepted simultaneously with the CGU. Any later modifications will be formalized, timestamped, and must be accepted according to the notification procedure described above.