Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the publisher of Gazenest ("Gazenest", "we", "us") and the Customer ("you") and governs the processing of personal data by Gazenest on your behalf where the GDPR (Regulation (EU) 2016/679), the UK GDPR, or other applicable data-protection law applies.

For consumer users, the Privacy Policy is the operative document. This DPA is intended for business / professional users who require a Data Processing Agreement to comply with their own controller obligations.

1. Definitions

Applicable Data Protection Law, Personal Data, Data Subject, Controller, Processor, Sub-processor, Processing, and Personal Data Breach have the meanings given in the GDPR. SCCs means the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

2. Roles

For most processing, you are the Controller of your Personal Data; Gazenest is the Processor, acting on your documented instructions. For a limited set of operations (account creation, security, fraud prevention, accounting record retention), Gazenest acts as an independent Controller as described in the Privacy Policy.

3. Subject Matter, Duration, Nature, and Purpose

  • Subject matter: Personal Data necessary to provide the Gazenest service.
  • Duration: For the duration of the Agreement, plus the retention periods described in the Privacy Policy.
  • Nature and purpose: Collection, storage, structuring, analysis (scores and statistics), display in the dashboard, and deletion of Customer Personal Data, in order to deliver the service.
  • Categories of Data Subjects: the Customer and, for Family plans, any additional family members invited by the Customer.
  • Categories of Personal Data: account data, YouTube viewing metadata, device identifiers, scores, sync logs (see Privacy Policy section 3).
  • Special categories of data: none.

4. Gazenest's Obligations as Processor

Gazenest will:

  1. Process Customer Personal Data only on documented instructions from the Customer (this DPA, the Privacy Policy, and your use of the service are deemed documented instructions).
  2. Ensure persons authorised to process the data are bound by confidentiality.
  3. Implement appropriate technical and organisational measures (see Annex A below).
  4. Engage Sub-processors only with the Customer's prior general written authorisation (see section 5) and ensure each Sub-processor is bound by equivalent data-protection obligations.
  5. Assist the Customer in responding to Data Subject requests, where technically feasible.
  6. Assist the Customer in complying with GDPR Articles 32 to 36 (security, breach notification, DPIA, prior consultation).
  7. Notify the Customer of a Personal Data Breach without undue delay and in any case within 72 hours.
  8. Delete or return all Customer Personal Data at the end of the service, at the Customer's choice, and delete existing copies, unless retention is required by law.
  9. Make available all information necessary to demonstrate compliance with this DPA, and allow audits (see section 10).

5. Sub-processors

The Customer grants Gazenest a general authorisation to engage Sub-processors. The current list is published at /page/subprocessors.

  • Gazenest will notify Customers of any intended addition or replacement of a Sub-processor at least 30 days in advance.
  • If the Customer objects on reasonable data-protection grounds, the Customer may terminate the affected service with a pro-rata refund of pre-paid fees.
  • Gazenest imposes equivalent data-protection obligations on each Sub-processor and remains liable for their performance.

6. International Transfers

Where Personal Data is transferred outside the EEA to a country without an EU adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (Module 2 / Module 3 as applicable), incorporated into this DPA by reference. Governing law: French law. Forum: courts of Paris, France. Optional independent dispute resolution: not applicable.

7. Data Subject Rights

Gazenest provides self-service tools (export, delete) in the dashboard. Where a Data Subject contacts Gazenest directly, Gazenest will refer them to the Customer if Gazenest is acting as Processor only, or handle the request directly where Gazenest is acting as Controller.

8. Personal Data Breach Notification

Gazenest will notify the Customer by email at the Customer's account address within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information required by GDPR Article 33(3) and cooperating with the Customer's investigation and notification obligations.

9. Customer's Obligations as Controller

The Customer warrants and undertakes that:

  • It has a lawful basis under GDPR Article 6 (and, where applicable, Article 9) to provide the data to Gazenest.
  • It has obtained any necessary consents, including from Family-plan members and from parents where a member is under 15.
  • The instructions it gives Gazenest comply with Applicable Data Protection Law.

10. Audits

On reasonable request and no more than once per 12-month period (or more frequently if required by a supervisory authority or in response to a Personal Data Breach), Gazenest will make available:

  • A summary of Gazenest's security measures (Annex A).
  • The current list of Sub-processors.
  • Any current third-party audit reports Gazenest holds, under reasonable confidentiality.

11. Liability and Term

Liability is subject to the limits set out in the Terms of Service. This DPA enters into force when the Customer accepts the Terms of Service and remains in force as long as Gazenest processes Customer Personal Data, including any post-termination retention period required by law.

12. Order of Precedence

In the event of a conflict between this DPA and any other agreement between the parties, this DPA prevails for personal-data processing. Where the SCCs are incorporated, the SCCs prevail in case of conflict.

13. Counter-signed Copy

A counter-signed PDF copy of this DPA is available on request to privacy@gazenest.com, with your legal entity name, registered office, and the name and role of the signatory. We will return a counter-signed copy within 5 business days.
Annex A - Technical and Organisational Measures (GDPR Art. 32)

A.1 Encryption

  • HTTPS / TLS 1.3 for all client / server traffic.
  • AES-256-GCM at rest for sensitive PII (email, licence key, IP); HMAC-SHA256 keyed hashes used for lookup of the encrypted fields.
  • Encrypted backups; encryption keys stored separately from the encrypted data.

A.2 Access Control

  • Production access via SSH key, attributed individually; no shared keys.
  • Admin panel: email + licence key + TOTP two-factor authentication, behind a separate firewall.
  • Application: short-lived JWT, refresh-token rotation, signed API requests (X-Timestamp, X-Nonce) to prevent replay.

A.3 Resilience

  • Encrypted database backups on a rotating 30-day window; restoration tested at least quarterly.
  • Zero-downtime deployment pipeline.
  • Uptime monitoring and alerting.

A.4 Continuous Assessment

  • PHPStan max-level static analysis, linting, automated test suite on every change.
  • Dependency vulnerability tracking via Renovate and npm audit.

A.5 Data Minimisation

  • Only data needed for the service is collected. No GDPR Article 9 data.
  • Profile classifications can be disabled per account.

A.6 Personnel and Sub-processor Due Diligence

  • All persons with access are bound by confidentiality and granted access on a need-to-know basis.
  • Each Sub-processor is selected for GDPR maturity, with a signed DPA on file.

A.7 Breach Response

  • Application and security events are monitored and alerted on.
  • Documented breach-response procedure supporting the 72-hour notification commitment in section 8.

Active Merchant of Record Sub-processor at the date of this document: Lemon Squeezy, LLC.

Last updated: 12 May 2026