
Data Processing Agreement

Last update: August 31st, 2025

 

Scope of the DPA

This Data Processing Agreement (“DPA”) forms part of the Agreement between Entropia SAS, registered in Versailles, France (RCS No. 980705016) (“Entropia”, “we”), and the Client.

 

This DPA applies where Entropia processes Personal Data on behalf of the Client in connection with the Services, in which case Entropia acts as a Processor and the Client acts as the Controller within the meaning of applicable Data Protection Laws. Where Entropia processes Personal Data as an independent Controller (for example, in relation to user accounts, analytics, or support interactions), such processing is governed by Entropia’s Privacy Policy and not by this DPA.

 

In the event of any conflict between this DPA and other parts of the Agreement, the provisions of this DPA shall prevail with respect to the processing of Personal Data. This DPA remains in effect for the duration of Entropia’s processing of Client Personal Data under the Agreement and shall automatically terminate upon the return or deletion of such data in accordance with this DPA.

 

Definitions

For the purposes of this DPA:

  • “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, and “Supervisory Authority” shall have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
  • “Solution”: The proprietary software platform operated and maintained by Entropia, primarily designed for the deployment and operation of electronic virtual Data Rooms. The Solution includes its user interface, databases, integrations, and underlying technology, and serves as the environment through which the Services are provided.
  • “Sub-processor” means any third party engaged by Entropia for the processing of Personal Data on behalf of the Client.

Categories of Data Subjects: Client or third-party personnel, Users of the Solution, individuals identified in documents uploaded to the Solution.

 

Personal Data processing

When acting as processor, Entropia processes Personal Data only on documented instructions from the Client; ensures that individuals authorised to process the Personal Data are bound by confidentiality; implements appropriate technical and organisational measures for Personal Data security, as described in Entropia’s Trust Center at https://trust.entropia.io.

Client is solely responsible for determining the purposes, legal basis and lawfulness of the processing, and for ensuring that Data Subjects are provided with all necessary information.

 

Content storage

  • Data Processed: All Personal Data contained in documents uploaded by Client (may include names, contact details, IDs, signatures, or other sensitive data).
  • Purpose: Store, index, and make content available to Users within the data room.
  • Legal Basis: Contract. Necessary to deliver the service.
  • Data Retention: Mirrors Users’ instructions, deleted or de-indexed immediately when removed by Users, or after data room closure.

Access logs

  • Data Processed: User Names, emails, file access history, usage logs, timestamps.
  • Purpose: Provide audit trails, access control reports, and support regulatory compliance.
  • Legal Basis: Contract. Necessary to deliver the Service.
  • Data Retention: Duration of contractual relationship + maximum six (6) months after termination.

Personal Data hosting

Entropia is committed to ensuring the secure and lawful handling of all Personal Data within its custody. This commitment extends to how data is localised and transferred internationally.

  • Primary data hosting: By default, all Personal Data collected by Entropia is hosted by Scaleway SAS, in data centres based in France, with backups within the EU. Scaleway SAS operates with the following Data Processing Agreement: Scaleway SAS - Data Processing Agreement.

  • Data transfers: Entropia shall not transfer Personal Data outside the European Economic Area without ensuring that such transfer is carried out in full compliance with Chapter V GDPR and other applicable data protection laws.

    To the extent that the provision of the Services involves the transfer of Personal Data from the European Economic Area (EEA) to a country that does not benefit from an adequacy decision by the European Commission (or the relevant authority, as applicable), the Parties agree that such transfer shall be governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914), which are hereby incorporated by reference into this Agreement. Where required, the Parties will complete the relevant modules of the SCCs as follows:

    • Module 2 (Controller to Processor) applies where Entropia acts as Processor;
    • Module 3 (Processor to Processor) applies where Entropia engages a Sub-Processor.

    For transfers from the United Kingdom, the UK Addendum to the EU SCCs (issued by the UK Information Commissioner’s Office) shall apply. For transfers from Switzerland, the Swiss Addendum to the EU SCCs shall apply.

    The Parties agree that Annexes I and II of the SCCs shall be populated by the information contained in this Agreement.

Personal Data security

Entropia shall implement and maintain state-of-the-art technical and organisational security measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or alteration. These measures are designed in accordance with recognised international standards for information security and are continuously reviewed and improved to address evolving threats.

 

Entropia maintains a SOC 2 Type II certification, demonstrating that its security controls and practices have been independently audited and meet stringent criteria for security, availability, and confidentiality.

 

These measures include, but are not limited to:

  • Encryption of Personal Data in transit and at rest,
  • Role-based access control and multi-factor authentication,
  • Network segmentation and intrusion detection,
  • Logging, monitoring, and alerting for suspicious activities,
  • Formal incident response and breach notification procedures,
  • Regular penetration testing and security assessments by independent third parties.

Further details of Entropia’s security posture, certifications, and compliance reports are available in the Entropia Trust Center at https://trust.entropia.io.

 

Entropia will update the technical and organisational measures described in its Trust Center from time to time, provided that such changes do not reduce the overall level of security.

Entropia ensures that all personnel with access to Personal Data are bound by confidentiality obligations and receive regular data protection and security training.

 

Upon reasonable request and under NDA, Entropia shall make available to Client all information necessary to demonstrate compliance with this DPA, including current SOC 2 Type II reports and other independent audit reports described in the Trust Center. If further information is reasonably required, Client may conduct an on-site audit on thirty (30) days’ notice, during normal business hours, without disrupting Entropia’s operations, and at Client’s cost.

 

Entropia shall notify Client without undue delay after becoming aware of a Personal Data breach affecting Client Personal Data, including details of: (i) the nature of the breach; (ii) categories and approximate number of Data Subjects and records concerned; (iii) likely consequences; and (iv) measures taken or proposed to address the breach.

 

Personal Data access by third parties

To support our business operations and provide the Services, we may share Personal Data with trusted service providers or third parties. These include providers of hosting and cloud infrastructure, information technology services, event management, communication tools (such as email software and newsletter services), advertising and marketing platforms, and web analytics services.

 

These service providers may only access, process, or store personal data pursuant to our instructions and solely to perform their contracted duties. We require such providers to implement appropriate technical and organisational measures to protect Personal Data. Where these providers are located outside the European Economic Area, we ensure that adequate safeguards are in place in accordance with applicable data protection law.

 

Subprocessors

  • General authorisation: The Client grants Entropia a general authorisation to engage third-party sub-processors for the hosting and/or processing of Personal Data in connection with the Services.
  • Current sub-processor list: Entropia maintains in its Trust Center a current list of the principal authorised Sub-Processors (https://trust.entropia.io). Additional Sub-Processors may be engaged from time to time.
  • Changes to sub-processors: Entropia may engage new sub-processors or replace existing sub-processors, provided that such engagement does not result in a reduction of the overall level of protection of Personal Data as required by applicable data protection law. Entropia shall inform the Client of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Client the opportunity to object to such changes, within fifteen days.

Note about AI models

Entropia may use automated processing technologies, including machine learning or generative AI models, to deliver functionalities (such as document renaming, classification, translation, summarisation, search or content analysis). In such cases, Entropia processes data room document content, potentially containing Personal Data of Client’s employees or third parties, through AI models.

  • Default location of processing: Such processing is usually performed within Entropia’s own infrastructure with AI models owned and operated by Entropia, to ensure data remains under our direct control. In such cases, no Personal Data is processed by a third party.
  • Occasional external processing: Certain AI model inferences may be executed using external service providers (Sub-processors), via API, to meet operational or performance requirements. (Such providers could be companies like Mistral AI, OpenAI, Google, or others.)
  • Safeguards for external processing: Any external Sub-Processor engaged for AI model inference will:
    • Operate under a written Data Processing Agreement that meets or exceeds the GDPR requirements;
    • Implement equivalent or stronger technical and organisational security measures;
    • Process data only within jurisdictions providing an adequate level of data protection (per GDPR adequacy decisions) or subject to appropriate safeguards (e.g., Standard Contractual Clauses).
  • Prohibition on AI model training without consent: No Personal Data will be used to train AI models unless Entropia has obtained the Client’s explicit, prior, written consent, and, where required by applicable law, the consent of the relevant Data Subjects. Any model training conducted by Entropia shall, wherever possible, be performed exclusively on anonymised or aggregated data, in a manner that irreversibly prevents the identification of any individual.

Legal requirements

Entropia may disclose Personal Data when required to do so by law or enforceable governmental request. We may also disclose Personal Data where we reasonably believe it is necessary to (i) comply with legal obligations, including national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) prevent, detect, or address fraud or other unlawful activity, (iv) protect the safety of Users of the Services or the public, or (v) defend against legal claims or liability.

 

Termination and deletion

  • Upon termination or expiry of the Services, or upon the Client’s earlier written request, Entropia will either return to the Client or securely delete all Personal Data for which the Client is the Controller, including data in backups.
  • Upon the Client’s request, Entropia shall provide written certification that deletion has been completed. Entropia reserves the right to charge reasonable fees for the preparation and delivery of such certification where the effort required exceeds standard administrative measures, subject to prior notice to the Client.
  • Entropia may retain copies of Personal Data where retention is required by applicable law, solely for the period prescribed by such law. Such retained data will remain confidential and will not be processed except as required for legal compliance.

Data Subjects’ rights

  • Assistance with Requests: Taking into account the nature of the Processing, Entropia shall assist the Client by implementing appropriate technical and organisational measures, insofar as possible, to enable the Client to fulfil its obligations to respond to requests from Data Subjects exercising their rights under Chapter III GDPR.
  • Forwarding Requests: If a Data Subject makes a request directly to Entropia in relation to Personal Data controlled by the Client, Entropia shall promptly forward such request to the Client without undue delay. Entropia shall not respond directly to the Data Subject unless expressly instructed to do so by the Client or required by applicable law.
  • Cooperation with Authorities: Entropia shall promptly cooperate with any competent supervisory authority in connection with the Processing of Client Personal Data under this DPA and shall notify the Client (unless legally prohibited) of any request, inquiry, or measure by a supervisory authority relating to such Processing.