Preamble
This Data Processing Agreement (DPA) is entered into between LISTAR, a SAS with share capital of 120 euros, 4 square Rapp, 75007 Paris (SIREN: 106 743 859 — RCS Paris), and the Customer, a legal entity that has subscribed to the Service and accepted Listar's Terms of Service.
This DPA is entered into pursuant to Article 28 of the GDPR and French Act No. 78-17 of 6 January 1978 as amended. It forms an integral part of the contract. DPO: dpo@listar.fr
Article 1 — Purpose
This DPA defines the conditions under which Listar processes personal data on behalf of the Customer as part of providing the Listar B2B professional data enrichment service.
Article 2 — Definitions
- Personal Data (PD): any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
- Controller: the party that determines the purposes and means of the processing (Art. 4(7) GDPR).
- Processor: the party that processes PD on behalf of the Controller (Art. 4(8) GDPR).
- Sub-processor: any processor engaged by Listar to process PD on behalf of the Customer.
- Data Breach: any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to PD (Art. 4(12) GDPR).
- Data Subject: any natural person whose PD is processed.
- Supervisory Authority: the public authority responsible for monitoring data protection (in France: the CNIL).
Article 3 — Roles of the parties
3.1 — Listar's dual capacity
Listar acts in two distinct roles:
- (a) Independent Controller: for the PD it collects in its own enrichment database (professional emails, phone numbers, LinkedIn profiles, company information). Legal basis: legitimate interest (Art. 6.1(f) GDPR).
- (b) Processor: when it processes the Customer Data submitted for enrichment, on behalf of and on the instructions of the Customer.
3.2 — The Customer, Controller
The Customer alone determines the purposes and means of the use of the Enriched Data downstream of the Service. The Customer is solely responsible for complying with its GDPR obligations in that regard.
Article 4 — Description of the processing
| Characteristic | Description |
|---|---|
| Purpose | B2B professional data enrichment on behalf of the Customer |
| Data subjects | Professional contacts (prospects, potential customers) of the Customer: employees, directors, and partners of legal entities |
| Categories of PD | Last name, first name, professional email address, professional phone number, job title, company, LinkedIn profile URL |
| Sensitive data | No sensitive data within the meaning of Article 9 of the GDPR is processed |
| Customer Data retention period | 90 days maximum after submission, then automatic deletion |
| Location | European Union |
| Legal basis (Listar as Controller) | Legitimate interest (Article 6.1(f) GDPR) |
Article 5 — Listar's obligations as Processor
5.1 — Customer instructions
Listar processes the Customer Data only on the Customer's documented instructions. The Terms of Service and this DPA constitute the initial instructions. Any additional instruction must be sent in writing to dpo@listar.fr. If Listar considers that an instruction infringes the GDPR, it will immediately inform the Customer in writing.
5.2 — Confidentiality
Listar ensures that the persons authorized to process PD have committed to confidentiality. Only persons whose access is strictly necessary to perform the Service have access to it.
5.3 — Security of processing
Listar implements appropriate technical and organizational measures in accordance with Article 32 of the GDPR. These measures are described in Annex 2.
5.4 — Data Breach notification
In the event of a Breach affecting the Customer Data, Listar undertakes to:
- notify the Customer as soon as possible after becoming aware of the Breach, and no later than 72 hours after that point;
- provide: a description of the breach, the categories and number of Data Subjects, the likely consequences, the measures taken, and the DPO's contact details;
- document the breach in an internal register and cooperate with the Customer.
5.5 — Assistance to the Customer
Listar assists the Customer in: responding to requests to exercise data subject rights (access, rectification, erasure, objection, portability, restriction); complying with Articles 32 to 36 of the GDPR; and responding to inspections by a Supervisory Authority. If Listar receives a request directly from a Data Subject relating to the Customer Data, it informs the Customer and does not respond directly unless instructed otherwise.
5.6 — Fate of the data at the end of the contract
Upon termination of the contract:
- Export: the Customer has 30 days to export its Customer Data via the platform or at contact@listar.fr;
- Deletion: Listar proceeds with permanent deletion within a further 30 days after this period;
- Certification: Listar provides, on request, written confirmation of deletion. Billing data is excluded from this deletion and is retained for 10 years (legal obligation).
Article 6 — Customer's obligations
The Customer undertakes to:
- have a valid legal basis to submit the Customer Data and use the Enriched Data;
- use the Service solely for legitimate professional purposes (B2B prospecting, CRM enrichment, professional recruitment);
- inform the Data Subjects in accordance with Articles 13 and 14 of the GDPR;
- ensure that its instructions to Listar comply with applicable regulations;
- not submit any sensitive data within the meaning of Article 9 of the GDPR;
- cooperate with Listar in the event of a Breach, inspection, or request from a Supervisory Authority.
Article 7 — Sub-processors
7.1 — General authorization
The Customer grants Listar general authorization to engage Sub-processors. The list is set out in Annex 3 and on the dedicated page.
7.2 — Notification and right to object
Listar notifies the Customer of any addition or replacement of a Sub-processor at least 15 days before it takes effect. The Customer may object in writing within that period. If the parties cannot reach agreement, the objection takes effect as termination of the contract.
7.3 — Imposed obligations
Listar contractually imposes on each Sub-processor obligations substantially equivalent to those of this DPA.
7.4 — Liability
Listar remains fully liable to the Customer for the performance of its Sub-processors.
Article 8 — Transfers outside the EEA
All data is hosted within the EEA, with Amazon Web Services EMEA SARL (Luxembourg). Certain sub-processors (Stripe, Mailjet, Google) may transfer data outside the EEA. Listar ensures that appropriate safeguards are in place:
- European Commission adequacy decision (Article 45 GDPR);
- Standard Contractual Clauses (Decision 2021/914);
- EU-US Data Privacy Framework (DPF) for transfers to certified organizations in the United States.
Article 9 — Audit rights
The Customer may request an audit of Listar's practices, under the following conditions:
- 30 days' written notice to dpo@listar.fr;
- one audit per year maximum, except in the event of a proven breach or a request from a Supervisory Authority;
- scope limited to GDPR compliance (excluding source code and trade secrets);
- carried out by the Customer or an independent third party bound by confidentiality;
- costs borne by the Customer, except in the event of a material failure by Listar.
Article 10 — Liability
Each party's liability under this DPA is subject to the limitations set out in Article 11 of the Terms of Service. The Customer remains solely responsible for its use of the Enriched Data downstream of the Service.
Article 11 — Term and termination
This DPA takes effect upon acceptance of the Terms of Service and remains in force for as long as Listar processes Customer Data. The deletion and confidentiality obligations survive termination of the contract.
Article 12 — Final provisions
- 12.1 The DPA prevails over the Terms of Service for any matter relating to the processing of PD.
- 12.2 Amendments are notified 30 days before they take effect.
- 12.3 French law applies. Exclusive jurisdiction of the courts of Paris.
Annex 1 — Description of the processing
| Field | Detail |
|---|---|
| Controller | The Customer |
| Processor | Listar SAS |
| Processor's DPO | dpo@listar.fr |
| Purposes | B2B professional data enrichment (emails, phone numbers, company information) from the Customer Data |
| Nature of the processing | Collection, consultation, matching, structuring, temporary storage, return, deletion |
| Data subjects | Professional contacts (employees, directors, partners, freelancers) of legal entities targeted by the Customer |
| Categories of PD | Last name, first name, professional email, professional phone number, job title, company (industry, size, location, website), LinkedIn URL |
| Sensitive data (Art. 9) | None |
| Legal basis (Listar as Controller) | Legitimate interest (Art. 6.1(f) GDPR) — public sources and data partners |
| Frequency | Continuously, at the Customer's request via web platform, API, or browser extension |
| Customer Data retention | 90 days maximum, then automatic deletion |
| Location | European Union |
Annex 2 — Technical and organizational measures (TOMs)
A. Encryption
- In transit: HTTPS/TLS on all communications. Unencrypted connections are rejected.
- Passwords: irreversible bcrypt hashing with individual salting. Never stored in clear text.
B. Access control
- Principle of least privilege: access limited to the members of the Listar team who need it.
- Secure sessions: JWT tokens with automatic expiry.
- Browser extension: token stored locally, deleted on logout or uninstall.
C. Infrastructure and hosting
- EU hosting: Amazon Web Services EMEA SARL (Luxembourg). No data outside the EEA.
- Network isolation: databases and internal services have no direct public access.
D. Logging and monitoring
- Access logs: identifier, action, timestamp, IP. Retained for 12 months.
- Continuous monitoring and alerts in case of anomaly.
E. Minimization and retention period
- User account data: lifetime of the account + 30 days after closure.
- Customer Data submitted for enrichment: 90 days maximum.
- Billing data: 10 years (legal obligation).
- Connection logs: 12 months.
F. Organizational security
- Access limited to persons who need it to perform the service.
- Confidentiality commitment for every employee with access to PD.
G. Incident management
- Internal incident management procedure.
- Notification to the Customer within 72 hours.
- Up-to-date breach register.
Annex 3 — List of Sub-processors
Part A — Operational sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe, Inc. | Secure payment processing, subscription management | EU (Ireland) | No transfer outside the EEA — PCI-DSS certified |
| Mailjet (Sinch) | Sending transactional emails (sign-up, password, invoices) | France / EU | No transfer outside the EEA |
| Google (Sign-In) | Authentication via Google Sign-In. Email and name only. | EU | EU-US DPF |
| Amazon Web Services EMEA SARL | Hosting of the Listar infrastructure (servers, databases, storage) | Luxembourg (EU) | No transfer outside the EEA — eu-west region |