Aegirex | Data Processing Agreement (DPA)

1 · Identification of the parties 2 · Subject matter and purposes of processing 3 · Categories of data processed 4 · Categories of data subjects 5 · Retention periods 6 · Authorised sub-processors 7 · Technical and organisational security measures 8 · Personal data breach notification 9 · Data subject rights 10 · Return / deletion at end of contract 11 · Transfers outside the European Union 12 · Audit and cooperation Signature

01 / Vue d'ensemble

Les trois rôles RGPD en un coup d'œil.

Avant d'entrer dans le détail des douze articles, voici la répartition des responsabilités au sens du Règlement (UE) 2016/679. Cette structure est le fondement de toutes les obligations qui suivent.

Responsable de traitement

Le Client. Définit les finalités et les moyens du traitement. Détient le pouvoir décisionnel sur les données stockées dans le coffre : choix des secrets, des destinataires, de la politique d'accès et de la durée de conservation.

Sous-traitant

ARDNTECH EI. Exécute le traitement pour le compte du Client, dans le strict respect de ses instructions documentées et dans les limites de l'objet précisé à l'article 2 du présent DPA.

Personnes concernées

Vos utilisateurs. Membres des organisations du Client et destinataires de partages de secrets. Bénéficient des droits Art. 15 à 22 RGPD, outillés techniquement par Aegirex.

Article 1

1. Identification of the parties

This Processing Agreement (hereinafter the "DPA") supplements the Aegirex Terms of Use and details the respective obligations of the Controller (the Customer) and the Processor (the Publisher of Aegirex) within the meaning of Regulation (EU) 2016/679 (GDPR).

Processor: ARDNTECH EI, registered with the RCS under no. 913308706, with registered office at 24 rue de la Glau 08700 Gespunsart. DPO: dpo@aegirex.eu.

Controller: the legal entity or natural person subscribing to Aegirex and using the service to store and share digital secrets.

Article 2

2. Subject matter and purposes of processing

Aegirex is an end-to-end encrypted (zero-knowledge) secrets storage service. The Processor processes data on behalf of the Controller solely for the following purposes:

Storage of opaque cryptographic blobs (secrets encrypted with the Controller's public key, never decryptable on the server side).
Authentication, account management, organisation membership management.
Issuance of operational notifications (opt-in HIBP leak alert, member invitation, audit alert).

Article 3

3. Categories of data processed

The Processor processes the following categories of data, and only these:

Category	Data concerned	Legal basis (art. 6 GDPR)
User account	Email address, Argon2id hash of the master password, OpenPGP public key, optional name.	Performance of the contract (art. 6.1.b)
Stored secrets	Opaque OpenPGP blobs (encrypted). The Processor cannot read them.	Performance of the contract (art. 6.1.b)
Audit journals	Sign-in events, secret create/read/share/delete, IP, user-agent, HMAC signatures.	Legitimate interest in security (art. 6.1.f)
Billing	Business name, company number, address, billing email, payment history.	Legal accounting obligation (art. 6.1.c)

Article 4

4. Categories of data subjects

The data subjects are: (a) the users authorised by the Controller to access Aegirex; (b) where applicable, the recipients of secret shares initiated by these users; (c) the contacts identified on invoices issued to the Controller.

Article 5

5. Retention periods

Data is kept for the following periods:

User account: as long as the account is active, deleted within 30 days of explicit request or termination.
Secrets: as long as the user does not delete them. Irreversible and immediate deletion on user action.
Audit journals: 13 months (CNIL recommended duration for traceability), then anonymised archiving.
Billing data: 10 years (legal obligation, French Commercial Code L123-22).
Technical application logs (outside audit): 30-day rolling window, automatic IP anonymisation beyond.

Article 6

6. Authorised sub-processors

The Controller expressly authorises the Processor to use the following sub-processors:

Sub-processor	Purpose	Processing country
Brevo SAS	Transactional email delivery (notifications, email verification).	FR
Stancer SAS	Online payment processing.	FR
Host (to be specified in the contract)	Hosting of the application infrastructure and databases.	FR / EU

Any change of sub-processor is notified to the Controller with a minimum 30-day notice, allowing them to exercise a reasoned right to object.

Article 7

7. Technical and organisational security measures

The Processor implements the following measures (indicative non-exhaustive list):

End-to-end encryption of secrets (OpenPGP.js v6, ECC curve25519, AES-256-GCM SEIPDv2).
Key derivation from the master password via Argon2id (5 passes, 256 MiB, parallelism 4).
Cryptographic HMAC-SHA-256 audit chain, verifiable, O(1) detection of any tampering.
TLS 1.3 mandatory in transit, HSTS preload, Let's Encrypt or Buypass certificates renewed automatically.
Two-factor authentication (TOTP RFC 6238 + email) with encrypted recovery codes.
Daily encrypted backups, retained 30 days, restoration tested quarterly.
Annual penetration test by a PASSI (at the opening of paid plans).

Article 8

8. Personal data breach notification

In accordance with article 33 of the GDPR, the Processor notifies the Controller of any personal data breach within 48 hours of becoming aware of it. The notification specifies the nature, scope, likely consequences and measures taken or envisaged.

Article 9

9. Data subject rights

The Processor provides the Controller with the tools to respond to data subject requests (right of access, rectification, erasure, portability, objection) directly from the user interface. For any request not covered by the interface, the Processor assists the Controller within 5 business days.

Article 10

10. Return / deletion at end of contract

At the end of the contract (termination, non-renewal), the Controller has 30 days to export its data via the native portability export feature. After this period, all the Controller's data is irreversibly deleted from production databases. Encrypted backups are purged within an additional 90 days (standard retention rotation).

Article 11

11. Transfers outside the European Union

No data transfer to a third country outside the EU/EEA is carried out. The Processor does not use providers subject to the US CLOUD Act, FISA Section 702, or equivalent jurisdictions. If such a transfer were technically necessary in the future, the Processor would have to obtain the prior express agreement of the Controller.

Article 12

12. Audit and cooperation

The Controller may appoint an independent auditor (at its own expense) to verify the Processor's compliance with the commitments of this DPA, subject to reasonable 15-day notice and a confidentiality undertaking. The Processor also provides on request any documentation demonstrating its compliance (processing register, pentest reports, etc.). For any request: dpo@aegirex.eu.

Démarrer

Besoin de la version
signée et personnalisée ?

Le présent modèle vaut engagement contractuel lorsqu'il est annexé à un bon de commande Business ou Enterprise. Pour une version signée numériquement, nominative et adaptée à vos sous-traitants et à votre juridiction, adressez votre demande à votre Responsable de traitement ou directement au DPO d'ARDNTECH EI.

Demander la version signée Voir la politique de confidentialité

RGPD natif, Art. 28 conforme

Zero-knowledge : l'éditeur ne lit pas vos secrets

Hébergement France, juridiction française

Code AGPL-3.0 auditable de bout en bout

Sous-traitants UE uniquement, listés à l'Art. 6