GDPR · Article 28

Data Processing Agreement

Contractual framework governing the processing of personal data carried out by Listar on behalf of its professional customers.

Version 1.0 — Effective June 24, 2026 · Listar SAS, SIREN 106 743 859

This DPA is automatically entered into with every Customer who has accepted Listar's Terms of Service. It forms an integral part of the contract.

Preamble

This Data Processing Agreement (DPA) is entered into between LISTAR, a SAS with share capital of 120 euros, 4 square Rapp, 75007 Paris (SIREN: 106 743 859 — RCS Paris), and the Customer, a legal entity that has subscribed to the Service and accepted Listar's Terms of Service.

This DPA is entered into pursuant to Article 28 of the GDPR and French Act No. 78-17 of 6 January 1978 as amended. It forms an integral part of the contract. DPO: dpo@listar.fr

Article 1 — Purpose

This DPA defines the conditions under which Listar processes personal data on behalf of the Customer as part of providing the Listar B2B professional data enrichment service.

Article 2 — Definitions

  • Personal Data (PD): any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
  • Controller: the party that determines the purposes and means of the processing (Art. 4(7) GDPR).
  • Processor: the party that processes PD on behalf of the Controller (Art. 4(8) GDPR).
  • Sub-processor: any processor engaged by Listar to process PD on behalf of the Customer.
  • Data Breach: any security breach leading to the destruction, loss, alteration, unauthorized disclosure of, or access to PD (Art. 4(12) GDPR).
  • Data Subject: any natural person whose PD is processed.
  • Supervisory Authority: the public authority responsible for monitoring data protection (in France: the CNIL).

Article 3 — Roles of the parties

3.1 — Listar's dual capacity

Listar acts in two distinct roles:

  • (a) Independent Controller: for the PD it collects in its own enrichment database (professional emails, phone numbers, LinkedIn profiles, company information). Legal basis: legitimate interest (Art. 6.1(f) GDPR).
  • (b) Processor: when it processes the Customer Data submitted for enrichment, on behalf of and on the instructions of the Customer.

3.2 — The Customer, Controller

The Customer alone determines the purposes and means of the use of the Enriched Data downstream of the Service. The Customer is solely responsible for complying with its GDPR obligations in that regard.

Article 4 — Description of the processing

| Characteristic | Description |
|---|---|
| Purpose | B2B professional data enrichment on behalf of the Customer |
| Data subjects | Professional contacts (prospects, potential customers) of the Customer: employees, directors, and partners of legal entities |
| Categories of PD | Last name, first name, professional email address, professional phone number, job title, company, LinkedIn profile URL |
| Sensitive data | No sensitive data within the meaning of Article 9 of the GDPR is processed |
| Customer Data retention period | 90 days maximum after submission, then automatic deletion |
| Location | European Union |
| Legal basis (Listar as Controller) | Legitimate interest (Article 6.1(f) GDPR) |

Article 5 — Listar's obligations as Processor

5.1 — Customer instructions

Listar processes the Customer Data only on the Customer's documented instructions. The Terms of Service and this DPA constitute the initial instructions. Any additional instruction must be sent in writing to dpo@listar.fr. If Listar considers that an instruction infringes the GDPR, it will immediately inform the Customer in writing.

5.2 — Confidentiality

Listar ensures that the persons authorized to process PD have committed to confidentiality. Only persons whose access is strictly necessary to perform the Service have access to it.

5.3 — Security of processing

Listar implements appropriate technical and organizational measures in accordance with Article 32 of the GDPR. These measures are described in Annex 2.

5.4 — Data Breach notification

In the event of a Breach affecting the Customer Data, Listar undertakes to:

  • notify the Customer as soon as possible and within 72 hours at the latest;
  • provide: a description of the breach, the categories and number of Data Subjects, the likely consequences, the measures taken, and the DPO's contact details;
  • document the breach in an internal register and cooperate with the Customer.

5.5 — Assistance to the Customer

Listar assists the Customer in: responding to requests to exercise data subject rights (access, rectification, erasure, objection, portability, restriction); complying with Articles 32 to 36 of the GDPR; and responding to inspections by a Supervisory Authority. If Listar receives a request directly from a Data Subject relating to the Customer Data, it informs the Customer and does not respond directly unless instructed otherwise.

5.6 — Fate of the data at the end of the contract

Upon termination of the contract:

  • Export: the Customer has 30 days to export its Customer Data via the platform or at contact@listar.fr;
  • Deletion: Listar proceeds with permanent deletion within a further 30 days after this period;
  • Certification: Listar provides, on request, written confirmation of deletion. Billing data is retained for 10 years (legal obligation).

Article 6 — Customer's obligations

The Customer undertakes to:

  • have a valid legal basis to submit the Customer Data and use the Enriched Data;
  • use the Service solely for legitimate professional purposes (B2B prospecting, CRM enrichment, professional recruitment);
  • inform the Data Subjects in accordance with Articles 13 and 14 of the GDPR;
  • ensure that its instructions to Listar comply with applicable regulations;
  • not submit any sensitive data within the meaning of Article 9 of the GDPR;
  • cooperate with Listar in the event of a Breach, inspection, or request from a Supervisory Authority.

Article 7 — Sub-processors

7.1 — General authorization

The Customer grants Listar general authorization to engage Sub-processors. The list is set out in Annex 3 and on the dedicated page.

7.2 — Notification and right to object

Listar notifies the Customer of any change at least 15 days before it takes effect. The Customer may object in writing within that period. Failing agreement, the objection constitutes termination.

7.3 — Imposed obligations

Listar contractually imposes on each Sub-processor obligations substantially equivalent to those of this DPA.

7.4 — Liability

Listar remains fully liable to the Customer for the performance of its Sub-processors.

Article 8 — Transfers outside the EEA

All data is hosted within the EEA, with Amazon Web Services EMEA SARL (Luxembourg). Certain sub-processors (Stripe, Mailjet, Google) may transfer data outside the EEA. Listar ensures that appropriate safeguards are in place:

  • European Commission adequacy decision (Article 45 GDPR);
  • Standard Contractual Clauses (Decision 2021/914);
  • Data Privacy Framework (DPF) for transfers to the United States.

Article 9 — Audit rights

The Customer may request an audit of Listar's practices, under the following conditions:

  • 30 days' written notice to dpo@listar.fr;
  • one audit per year maximum, except in the event of a proven breach or a request from a Supervisory Authority;
  • scope limited to GDPR compliance (excluding source code and trade secrets);
  • carried out by the Customer or an independent third party bound by confidentiality;
  • costs borne by the Customer, except in the event of a material failure by Listar.

Article 10 — Liability

Liability under this DPA is subject to the limitations set out in Article 11 of the Terms of Service. The Customer remains solely responsible for its use of the Enriched Data downstream of the Service.

Article 11 — Term and termination

This DPA takes effect upon acceptance of the Terms of Service. The deletion and confidentiality obligations survive termination of the contract.

Article 12 — Final provisions

  • 12.1 The DPA prevails over the Terms of Service for any matter relating to the processing of PD.
  • 12.2 Amendments are notified 30 days before they take effect.
  • 12.3 French law applies. Exclusive jurisdiction of the courts of Paris.

Annex 1 — Description of the processing

| Field | Detail |
|---|---|
| Controller | The Customer |
| Processor | Listar SAS |
| Processor's DPO | dpo@listar.fr |
| Purposes | B2B professional data enrichment (emails, phone numbers, company information) from the Customer Data |
| Nature of the processing | Collection, consultation, matching, structuring, temporary storage, return, deletion |
| Data subjects | Professional contacts (employees, directors, partners, freelancers) of legal entities targeted by the Customer |
| Categories of PD | Last name, first name, professional email, professional phone number, job title, company (industry, size, location, website), LinkedIn URL |
| Sensitive data (Art. 9) | None |
| Legal basis (Listar as Controller) | Legitimate interest (Art. 6.1(f) GDPR) — public sources and data partners |
| Frequency | Continuously, at the Customer's request via web platform, API, or browser extension |
| Customer Data retention | 90 days maximum, then automatic deletion |
| Location | European Union |

Annex 2 — Technical and organizational measures (TOMs)

A. Encryption

  • In transit: HTTPS/TLS on all communications. Unencrypted connections are rejected.
  • Passwords: irreversible bcrypt hashing with individual salting. Never stored in clear text.

B. Access control

  • Principle of least privilege: access limited to the members of the Listar team who need it.
  • Secure sessions: JWT tokens with automatic expiry.
  • Browser extension: token stored locally, deleted on logout or uninstall.

C. Infrastructure and hosting

  • EU hosting: Amazon Web Services EMEA SARL (Luxembourg). No data outside the EEA.
  • Network isolation: databases and internal services have no direct public access.

D. Logging and monitoring

  • Access logs: identifier, action, timestamp, IP. Retained for 12 months.
  • Continuous monitoring and alerts in case of anomaly.

E. Minimization and retention period

  • User account data: lifetime of the account + 30 days after closure.
  • Customer Data submitted for enrichment: 90 days maximum.
  • Billing data: 10 years (legal obligation).
  • Connection logs: 12 months.

F. Organizational security

  • Access limited to persons who need it to perform the service.
  • Confidentiality commitment for every employee with access to PD.

G. Incident management

  • Internal incident management procedure.
  • Notification to the Customer within 72 hours.
  • Up-to-date breach register.

Annex 3 — List of Sub-processors

Part A — Operational sub-processors

| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe, Inc. | Secure payment processing, subscription management | EU (Ireland) | No transfer outside the EEA — PCI-DSS certified |
| Mailjet (Sinch) | Sending transactional emails (sign-up, password, invoices) | France / EU | No transfer outside the EEA |
| Google (Sign-In) | Authentication via Google Sign-In. Email and name only. | EU | EU-US DPF |
| Amazon Web Services EMEA SARL | Hosting of the Listar infrastructure (servers, databases, storage) | Luxembourg (EU) | No transfer outside the EEA — eu-west region |

Part B — Enrichment data providers

As part of the enrichment service, Listar relies on data providers specialized in the following categories: public sources (publicly accessible professional data), contact data (professional emails and phone numbers), and firmographic data (company information). The full named list constitutes a trade secret of Listar within the meaning of Directive (EU) 2016/943. Listar ensures that each provider is contractually bound by data protection obligations equivalent to this DPA and is located within the EEA or covered by a transfer mechanism compliant with Chapter V of the GDPR.

Question about this DPA?

Contact dpo@listar.fr