Data Processing Agreement
Last update: August 31st, 2025
Scope of the DPA
This Data Processing Agreement (“DPA”) forms part of the Agreement between Entropia, S.A.S., registered in Versailles, France (RCS No. 980705016) (“Entropia”), and the Client. It applies to the use of Entropia’s data room Solution and related Services, and governs the processing of Personal Data in two contexts:
- As Data Controller: when Entropia collects and processes Personal Data to operate Services (e.g., User authentication, usage analytics, support tickets).
- As Data Processor: when Entropia processes Personal Data contained in documents uploaded by the Client into the Solution, or User access logs.
All obligations regarding non-personal data are governed by the Terms of Use. In the event of any conflict between this DPA and other parts of the Agreement with respect to the subject matter of Personal Data protection, this DPA shall prevail. This Agreement remains in force for as long as Entropia processes Personal Data on behalf of the Client.
Definitions
For the purposes of this DPA:
- “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, and “Supervisory Authority” shall have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
- “Subprocessor” means any third party engaged by Entropia for the processing of Personal Data on behalf of the Client.
Categories of Data Subjects:
- Users invited to the data room,
- Individuals identified in uploaded documents,
- Client or 3rd party personnel.
Personal Data Processing where Entropia acts as Data Controller
For these activities, Entropia is an independent Controller and determines the purposes and means of processing. Data Subjects may exercise their GDPR rights directly with Entropia.
Authentication
- Data Processed: User credentials (email, password), authentication cookies.
- Purpose: Authenticate users accessing the Services.
- Legal Basis: Contract. Necessary to deliver the Services & safeguard access.
- Data Retention: Duration of contractual relationship + min. 14 days.
- Consent: Explicit consent at login.
User engagement tracking
- Data Processed: IP addresses, Cookies, device/browser info, pages visited, session duration, clicks.
- Purpose: Security, analyse Solution usage, provide and improve Services, marketing.
- Legal Basis: Consent.
- Data Retention: 12 months.
- Consent: Consent via cookie banner.
Support tickets handling
- Data Processed: Name, email, company, job title, phone number, message content.
- Purpose: Respond to enquiries.
- Legal Basis: Contract & legitimate interest.
- Data Retention: 2 years from last interaction.
- Consent: Explicit consent before submitting form.
Personal Data Processing where Entropia acts as Data Processor
For these activities, Entropia:
- Processes Personal Data only on documented instructions from the Client,
- Ensures that persons authorised to process the data are bound by confidentiality,
- Implements appropriate technical and organisational measures for data security.
Client is solely responsible for determining the lawfulness of the processing, ensuring that Data Subjects are provided with all necessary information, and obtaining any required consents.
Document Storage & Indexing
- Data Processed: All Personal Data contained in documents uploaded by Customer (may include names, contact details, IDs, signatures, or other sensitive data).
- Purpose: Store, index, and make content available to Authorised Users within the Data room.
- Legal Basis: Contract. Necessary to deliver the service.
- Data Retention: Mirrors Authorised Users’ instructions, deleted or de-indexed immediately when removed by Users, or after data room closure.
Access Logs
- Data Processed: User Names, emails, file access history, usage logs, timestamps.
- Purpose: Provide audit trails, access control reports, and support regulatory compliance.
- Legal Basis: Contract. Necessary to deliver the Service.
- Data Retention: Duration of contractual relationship.
Personal Data Hosting
Entropia is committed to ensuring the secure and lawful handling of all Personal Data within its custody. This commitment extends to how data is localised and transferred internationally.
- Primary data hosting: By default, all Personal Data collected by Entropia is hosted by Scaleway SAS, in data centres based in France, with backups within the EU. Scaleway SAS operates with the following Data Processing Agreement (link).
- Where Entropia acts as a Controller, Scaleway operates as a Processor; where Entropia acts as a Processor, Scaleway is a Sub-Processor.
International Personal Data Transfers
Entropia shall not transfer Personal Data outside the European Economic Area without ensuring that such transfer is carried out in full compliance with Chapter V GDPR and other applicable data protection laws.
To the extent that the provision of the Services involves the transfer of Personal Data from the European Economic Area (EEA), Switzerland, or the United Kingdom to a country that does not benefit from an adequacy decision by the European Commission (or the relevant authority, as applicable), the Parties agree that such transfer shall be governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914), which are hereby incorporated by reference into this Agreement.
Where required, the Parties will complete the relevant modules of the SCCs as follows:
- Module 2 (Controller to Processor) applies where Entropia acts as Processor.
- Module 3 (Processor to Processor) applies where Entropia engages a Sub-Processor.
The Parties agree that Annexes I and II of the SCCs shall be populated by the information contained in this Agreement, the Data Processing Agreement, and the Entropia Trust Center.
Personal Data Minimisation
Entropia shall ensure that Personal Data processed is adequate, relevant, and limited to what is necessary for the purposes described in this DPA. No excessive or unrelated Personal Data shall be collected or stored.
Personal Data Security
Entropia shall implement and maintain state-of-the-art technical and organisational security measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or alteration. These measures are designed in accordance with recognised international standards for information security and are continuously reviewed and improved to address evolving threats.
Entropia maintains a SOC 2 Type II certification, demonstrating that its security controls and practices have been independently audited and meet stringent criteria for security, availability, and confidentiality. These measures include, but are not limited to:
- Encryption of Personal Data in transit and at rest,
- Role-based access control and multi-factor authentication,
- Network segmentation and intrusion detection,
- Logging, monitoring, and alerting for suspicious activities,
- Formal incident response and breach notification procedures,
- Regular penetration testing and security assessments by independent third parties.
Further details of Entropia’s security posture, certifications, and compliance reports are available in the Entropia Trust Center.
Entropia will update the technical and organisational measures described in its Trust Center from time to time, provided that such changes do not reduce the overall level of security. Entropia ensures that all personnel with access to Personal Data are bound by confidentiality obligations and receive regular data protection and security training.
Upon reasonable request and under NDA, Entropia shall make available to Client all information necessary to demonstrate compliance with this DPA, including current SOC 2 Type II reports and other independent audit reports described in the Trust Center. If further information is reasonably required, Client may conduct an on-site audit on thirty (30) days’ notice, during normal business hours, without disrupting Entropia’s operations, and at Client’s cost.
Entropia shall notify Client without undue delay after becoming aware of a Personal Data breach affecting Client Personal Data, including details of: (i) the nature of the breach; (ii) categories and approximate number of Data Subjects and records concerned; (iii) likely consequences; and (iv) measures taken or proposed to address the breach.
Personal Data Access by Third Parties
To support our business operations and provide the Services, we may share Personal Data with trusted service providers or third parties. These include providers of hosting and cloud infrastructure, information technology services, event management, communication tools (such as email software and newsletter services), advertising and marketing platforms, and web analytics services.
These service providers may only access, process, or store personal data pursuant to our instructions and solely to perform their contracted duties. We require such providers to implement appropriate technical and organisational measures to protect personal data. Where these providers are located outside the European Economic Area, we ensure that adequate safeguards are in place in accordance with applicable data protection laws.
Subprocessors
- General authorisation: The Client grants Entropia a general authorisation to engage third-party sub-processors for the hosting and/or processing of Personal Data in connection with the Services.
- Current subprocessor list: Entropia maintains in its Trust Center a current list of the principal authorised Sub-Processors. Additional Sub-Processors may be engaged from time to time.
- Changes to subprocessors: Entropia may engage new sub-processors or replace existing sub-processors at its sole discretion, provided that such engagement does not result in a reduction of the overall level of protection of Personal Data as required by applicable data protection law.
Artificial Intelligence Models
Entropia may use automated processing technologies, including machine learning or generative AI models, to deliver functionalities (such as document renaming, classification, translation, summarisation, search or content analysis). In such cases, Entropia processes data room document content, potentially containing Personal Data of Client’s employees or third parties, through AI models.
- Default location of processing: Such processing is usually performed within Entropia’s own infrastructure with AI models owned and operated by Entropia, to ensure data remains under our direct control. In such cases, no Personal Data is processed by a third party.
- Occasional external processing: Certain AI model inferences may be executed using external service providers (sub-Processors), via API, to meet operational or performance requirements. (Such providers could be companies like Mistral AI, OpenAI, Google, or others.)
- Safeguards for external processing: Any external Sub-Processor engaged for AI model inference will:
  - Operate under a written Data Processing Agreement that meets or exceeds the GDPR requirements;
  - Implement equivalent or stronger technical and organisational security measures;
  - Process data only within jurisdictions providing an adequate level of data protection (per GDPR adequacy decisions) or subject to appropriate safeguards (e.g., Standard Contractual Clauses).
- Prohibition on AI model training without consent: No Personal Data will be used to train AI models unless Entropia has obtained the Client’s explicit, prior, written consent, and, where required by applicable law, the consent of the relevant Data Subjects. Any model training conducted by Entropia shall, wherever possible, be performed exclusively on anonymised or aggregated data, in a manner that irreversibly prevents the identification of any individual.
Other third parties
- Affiliates: Entropia may share Personal Data with other entities within the Entropia corporate group.
- Business changes: If Entropia undergoes a strategic transaction such as a merger, acquisition, sale of assets, reorganisation, liquidation, or a transition of service to another provider, Personal Data may be disclosed during the due diligence process to counterparties and their advisors, and may be transferred as part of the business assets to a successor entity or affiliate. Any successor to our business will be bound by obligations consistent with this Data Processing Agreement to ensure the continued protection of Personal Data.
- Legal Requirements: Entropia may disclose Personal Data when required to do so by law, regulation, legal process, or enforceable governmental request. We may also disclose Personal Data where we reasonably believe it is necessary to (i) comply with legal obligations, including national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) prevent, detect, or address fraud or other unlawful activity, (iv) protect the safety of Users of the Services or the public, or (v) defend against legal claims or liability.
Termination & Deletion
- Upon termination or expiry of the Services, or upon the Client’s earlier written request, Entropia will either return to the Client or securely delete all Personal Data for which the Client is the Controller, including data in backups.
- Upon the Client’s request, Entropia shall provide written certification that deletion has been completed.
- Entropia may retain copies of Personal Data where retention is required by applicable law, solely for the period prescribed by such law. Such retained data will remain confidential and will not be processed except as required for legal compliance.
- Personal Data linked to individual User accounts (emails and basic User information) will be retained until those Users delete their accounts or request deletion in accordance with applicable law.
Data Subject Rights
Each party remains liable to data subjects under Article 82 GDPR. As between the parties, liability is otherwise governed by the Agreement.
In accordance with the General Data Protection Regulation (GDPR), Entropia recognises and upholds the following rights of Data Subjects:
- Right to Be Informed: Data subjects have the right to be provided with clear, transparent, and easily understandable information about how their personal data is used and their rights. This includes the necessity for providing information through this privacy policy and at the point of personal data collection.
- Right of Access: Data subjects have the right to access their personal data processed by Entropia. This includes the right to obtain confirmation of whether or not personal data concerning them is being processed, access to the personal data, and other supplementary information akin to that provided in this privacy policy.
- Right to Rectification: Data subjects have the right to have inaccurate personal data rectified, or completed if it is incomplete. Entropia commits to prompt action upon receiving rectification requests.
- Right to Erasure (‘Right to Be Forgotten’): Data subjects have the right to have personal data erased under certain conditions, such as when the personal data is no longer necessary for the original purpose, or when the data subject withdraws consent.
- Right to Restrict Processing: Data subjects have rights to 'block' or suppress further use of their personal data in certain circumstances, such as when the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of that data.
- Right to Data Portability: Data subjects have the right to receive personal data they have provided to Entropia in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance, where technically feasible.
- Right to Object: Data subjects have the right to object to the processing of personal data for purposes of direct marketing, scientific/historical research, or statistical analysis, except where the processing is necessary for the performance of a public interest task or exercise of official authority.
- Rights Related to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless necessary for entering into, or performance of, a contract between the data subject and a data controller, or based on the data subject’s explicit consent.
Exercising Data Subjects’ rights:
- Data Subjects may exercise their rights by contacting Entropia’s Data Protection Officer (DPO) through the provided contact details. Entropia is committed to addressing any requests or concerns promptly and within the timeframe stipulated by GDPR.
- If a Data Subject contacts Entropia directly with a request relating to Personal Data controlled by the Client, Entropia shall promptly forward the request to Client to allow Client to respond.
- Entropia shall promptly cooperate with any competent supervisory authority in relation to this DPA, and shall notify Client (unless legally prohibited) of any request or measure by a supervisory authority relating to Client Personal Data.
Data Protection Officer
Entropia has put processes and people in place to ensure compliance with GDPR. Pierre Dulac, co-founder and CTO, was named Data Protection Officer to monitor compliance and act as the contact point for data subjects or authorities. For any inquiry, please contact privacy@entropia.io.