DATA PROCESSING AGREEMENT

Last revised: 2025-05-20

This Data Processing Agreement (the “DPA”) is entered into by MergerCircle SAS, a company registered in France under the SIREN 984963728 and VAT number FR81984963728, with its registered office located at 231 rue Saint-Honoré 75001 Paris, France (“MergerCircle”) and the client, meaning the legal entity as identified in the agreement entered into with MergerCircle (the “Client”). It forms an integral part of the Agreement entered into by the Client and which allows for its use of the Platform.

1. Definitions

The terms defined below, when used in these ToU with a capital letter, whether in the singular or plural form, shall have the meaning set out below:

Account: means the User account on the Platform, as set up by MergerCircle on behalf of the Client.

Agreement: means the engagement letter(s), agreement(s), terms and conditions of services, or terms of use entered into force between the Client and MergerCircle and allowing the Services.

Client Data: means any personal information regarding Users and provided to MergerCircle within the scope of its use of the Platform.

Features: means the Platform’s functionalities made available on the Platform.

Personal Data: means any information relating to an identified or identifiable natural person, meaning a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Regulations: means the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and Act n°78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, and all other French or European regulation that may apply for the protection of Personal Data.

Platform: means the platform edited and hosted by MergerCircle and made available to the Client in accordance with the Agreement.

Services: means the provision of the Platform and its Features, as well as User Accounts, in accordance with the Agreement.

Users: means the employee of the Client or the natural person who is expressly authorized to use his Account on the Platform in accordance with his own professional missions and for whom the Client is liable towards MergerCircle.

2. Identification of the Parties’ roles under GDPR

During the use of the Platform and its Features by the Client, or its Users, the Parties may be required to process Personal Data. As a result, each of the Parties agrees to comply with its own obligations under Personal Data Regulations.

The table below identifies the categories of processing operations carried out during the use of the Platform and its Features, as well as the role of each Party for each category of processing identified. These roles can be: data controller (“DC”), joint data controller (“JDC”), data processor (“DP”), sub-processor (“SP”) or no role at all (“N/A”).

| CATEGORIES OF PROCESSING ACTIVITIES | ROLES OF THE PARTIES: MergerCircle | ROLES OF THE PARTIES: Client |
| --- | --- | --- |
| Management of contractual relationship between the Parties (accountability, billing, client relationship management). | DC | DC |
| Provision of the Platform, User Accounts and Features to the Client | DP | DC |
| Hosting of the Platform and maintenance operations | DP | DC |
| Operations carried out by the IT Support | DP | DC |
| Monitoring and creation of statistics on the use of the Platform for the purpose of improving MergerCircle’s Platform and Features | DC | N/A |

The obligations and undertakings described below shall apply to each category of processing activity identified above and depending on the role qualified for each Party, insofar as they are applicable to either or both of the Parties.

3. Commitments applicable to the Parties where acting as data controller

When acting as a data controller within the meaning of the GDPR, each of the Parties undertakes to comply with all of its obligations under the Personal Data Regulations. In addition to the general obligations incumbent on data controllers, this article sets out the specific commitments made by the Parties to ensure the compliance of their processing activities.

Regarding the management of the contractual relationship. In order to manage the provision of the Services, each of the Parties may need to process the Personal Data of the other Party’s employees and legal representatives. To this end, the purpose of the processing shall be strictly limited to the management of the commercial relationship established between the Parties and shall only involve Personal Data that is strictly necessary for this purpose.

Each of the Parties undertakes to inform its own employees and representatives of the processing undertaken by the other Party, in accordance with Personal Data Regulations. Each Party remains fully responsible for ensuring the security, confidentiality, integrity and availability of the Personal Data processed in its capacity as data controller.

Regarding improvement of MergerCircle’s Platform and Features. The Client authorizes MergerCircle to process strictly necessary Users’ Personal Data to improve the Platform and its Features. In doing so, MergerCircle undertakes to minimize Personal Data used for this purpose and shall, wherever reasonably possible, anonymize such Personal Data prior to its processing. User’s Personal Data needed for this purpose shall be limited to data relating to the use of his Account by the User, as well as his use of the Platform. MergerCircle shall be authorized to create analytics as a result of this processing, provided that such analytics provide aggregated data.

4. Commitments of the Parties where MergerCircle is acting as data processor

Compliance with data controller’s instructions. MergerCircle shall only be authorized to process Personal Data entrusted by the Client in compliance with its documented and written instructions. MergerCircle will inform the Client if an instruction is considered to be in breach of the Personal Data Regulations.

The Client shall ensure that its instructions relating to the processing are communicated to MergerCircle prior to the implementation of the processing. MergerCircle cannot be held responsible for the implementation of processing methods where these have been implemented due to (i) the absence of written instructions from the Client or (ii) specific instructions from the Client communicated to MergerCircle.

In any case, the Client has been informed of standard settings implemented by MergerCircle for the processing activities carried out on the Platform. Without further instructions from the Client, these standard settings will be activated by default.

Record of processing activities as data processor. MergerCircle maintains a record of processing activities carried out on behalf of the Client, in accordance with Article 30.2 of the GDPR. Such record can be made available to the competent supervisory authority at its request.

Commitments regarding security and confidentiality. MergerCircle shall implement all appropriate material, technical and organizational security measures to protect Personal Data from:

  • Being distorted, damaged or communicated to unauthorized third parties.

  • Any misappropriation or fraudulent use of Personal Data and ensure, where applicable, their secure storage and integrity throughout the duration of use of the Platform.

  • Any loss, destruction or alteration.

MergerCircle shall also refrain from:

  • Making any copy of the Personal Data entrusted by the Client, other than copies strictly necessary for the performance of the Services, except if prior authorization has been given by the Client.

  • Disclosing Personal Data to anyone other than its employees, agents or authorized sub-processors, if any.

Finally, MergerCircle shall ensure that persons authorized to process Personal Data agree to maintain its confidentiality and integrity. MergerCircle shall ensure that such persons are subject to strict confidentiality obligations. MergerCircle shall not be held responsible for security breaches resulting from the actions or negligence of the Client or its Users.

Management of Personal Data breaches. In the event of a security breach that results in a Personal Data breach within the meaning of Personal Data Regulations, MergerCircle shall promptly, but no later than seventy-two (72) hours, notify the Client of such breach.

MergerCircle shall provide the Client with all useful and available information regarding such breach in order to assist the Client in complying with its legal obligations, in particular with respect to notification of the Personal Data breach to the relevant supervisory authority and/or data subjects.

Privacy by design and by default. MergerCircle has taken into account, implemented and complies with the principles of privacy by design and by default, as defined in Article 25 of the GDPR. These principles imply taking into account, where applicable, for the design of the Platform, privacy protection requirements issued by Personal Data Regulations and incorporating them by default into the Platform.

Retention of Personal Data. MergerCircle undertakes not to retain the Personal Data entrusted by the Client for longer than is strictly necessary for the performance of the Services. Retention of Personal Data may be configured regarding the duration of each User Account on the Platform, depending on the Client’s expressed needs.

At the end of the Services, MergerCircle may, at the request of the Client, (i) destroy all Personal Data or (ii) return it to the Client in a standard format. In the latter case, the Parties will agree on the terms and conditions under which the Personal Data will be returned to the Client.

MergerCircle is authorized to retain all or part of the Personal Data entrusted by the Client if such retention is mandatory (e.g., to comply with a legal obligation) or is of probatory interest in case of a dispute.

Assistance of the Client. MergerCircle undertakes to assist the Client to comply with its own obligations regarding Articles 32 to 36 of the GDPR. This can include assisting the Client to carry out a data protection impact assessment, to process data subjects’ requests regarding their rights on their Personal Data, support in making a prior consultation with the supervisory authority, etc.

Such assistance will be provided by MergerCircle on the Client’s written request. It shall be subject to the following conditions:

  • The assistance provided shall be reasonable and shall not disrupt MergerCircle’s activities or interfere with normal working hours and days of its employees.

  • The assistance is limited to the communication of information known by MergerCircle and provided that this information is not already available to the Client.

More complex requests for assistance may be subject to specific fees that will be communicated to the Client for approval before any due diligence can be carried out.

The Client acknowledges that MergerCircle does not provide any legal advice and will only assist the Client in accordance with its instructions.

Sub-processors. The Client provides MergerCircle with a general authorization to recruit sub-processors. Consequently, MergerCircle undertakes to recruit only sub-processors offering sufficient and adequate warranties regarding their compliance with Personal Data Regulations. To do so, MergerCircle ensures that:

  • Sub-processors are committed to similar obligations as those set out by this DPA, where applicable.

  • Regular compliance checks are carried out to ensure that sub-processors provide sufficient and adequate warranties regarding the processing of Personal Data.

MergerCircle shall remain responsible for any misconduct carried out by its sub-processors regarding the commitments set out herein. The list of sub-processors is made available at: app.mergercircle.com/sub-processors and shall be kept up to date by MergerCircle.

The Client is invited to regularly consult this list. In the event of the addition or modification of a sub-processor, the Client has the right to object on legitimate grounds. This right of objection must be justified and exercised by written notification sent to MergerCircle at: support@mergercircle.com within fifteen (15) days following the update of the list. Should the Client object to a sub-processor, the Parties will meet in order to find a suitable solution. If no solution is found, the Client’s access to the Platform shall be terminated, as well as all of its User Accounts.

Personal Data transfers outside of the European Economic Area (EEA). In case of any Personal Data transfers outside the EEA, MergerCircle shall ensure that it complies with the requirements of Personal Data Regulations and shall, in particular:

  • Implement a transfer mechanism in accordance with the Personal Data Regulations, such as signing the Standard Contractual Clauses (“SCC”) published by the European Commission with the importer of the Personal Data located outside the EEA.

  • Perform all necessary formalities to ensure the security of Personal Data transferred outside the EEA.

Right to audit MergerCircle. MergerCircle shall cooperate with the Client and shall provide it, at first request, with all documents and information at its disposal to enable it to demonstrate compliance with its obligations under this Agreement.

If the Client considers that this information is not sufficient, and after duly requesting the missing additional information from MergerCircle and failing to receive it, MergerCircle shall allow the Client to carry out an audit of its processing activities carried out as processor.

This right to audit is subject to compliance with the following cumulative conditions:

  • All costs of audit shall be borne by the Client exclusively.

  • The right to audit shall be limited to one (1) audit every consecutive twelve (12) months.

  • The right to audit shall only allow the Client to access information relating to its own scope of processing entrusted to MergerCircle. It can never allow the Client to access information regarding MergerCircle’s other clients, partners, sub-processors or any other information that would be confidential or subject to secrecy.

  • The audit can be carried out by the Client or an independent designated auditor as long as the auditor is not a direct or indirect competitor of MergerCircle. The Client shall inform MergerCircle of any audit carried out with a notice period of fifteen (15) days prior to the set audit date and specify the identity of the auditor.

  • The audit shall not interfere with MergerCircle’s normal activities, nor with normal working hours and days of MergerCircle’s teams.

Upon completion of the audit, the Client shall provide MergerCircle with a copy of the audit report. If the report reveals any non-compliance with its obligations under this DPA, MergerCircle shall, at its own expense, take all necessary corrective measures to remedy such non-compliance without undue delay.

5. Liability

Conditions of the Parties’ liability are set out by the Agreement.

Sub-processors on the Platform

MergerCircle engages the following entities to provide processing activities in accordance with the Data Processing Agreement entered into with the Client and made available under the URL: app.mergercircle.com/sub-processors