Draft — pending legal review; not yet in force. This document is a working draft prepared for internal review and has not been reviewed or approved by legal counsel. It does not create binding obligations and should not be relied upon until finalized and executed.

Data Processing Agreement

Between Avenor SAS (France) and LBMGB LLC (North Carolina, US), acting as joint data controllers, and the platform operator — GDPR Article 28. Draft revision, March 1, 2026.

Parties

This Data Processing Agreement (“DPA”) forms part of the agreement between:

  • Data Controllers (joint): Avenor SAS, a company incorporated in France, and LBMGB LLC, a limited liability company incorporated in North Carolina, United States, acting together as joint controllers of personal data processed through the Avenor platform (“the Controllers”, “we”, or “us”).
  • Data Processor / Subprocessors: the third-party service providers engaged to process personal data on the Controllers’ behalf, as listed in Section 4 below.

“Avenor” and “ARWOS” refer to the platform and product; the legal entities are Avenor SAS and LBMGB LLC. Where this DPA is entered into with a customer organization, that organization may act as an independent or joint controller for the data it uploads, and this DPA governs the roles and responsibilities accordingly.

1. Definitions

  • Personal Data. Any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
  • Processing. Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction (Art. 4(2) GDPR).
  • Data Subject. The identified or identifiable natural person to whom Personal Data relates.
  • Subprocessor. A third party engaged to process Personal Data on behalf of the Controllers.
  • Supervisory Authority. An independent public authority responsible for monitoring GDPR application (Art. 4(21) GDPR).

2. Scope, Nature & Duration of Processing

Subject matter. The Avenor platform — a financial and commerce operating system for brand management — processes Personal Data to provide the service described in the Terms of Service.

Duration. Processing continues for the term of the service agreement between the parties, plus any period required for data deletion or return under Section 3.8.

Nature and purpose of processing:

Purpose | Description
Account management | User authentication, profile storage, session management
CRM operations | Client and contact management, deal tracking, pipeline management
Financial operations | Invoicing, remittance statements, P&L reporting, expense tracking
Analytics | Product usage analytics (with consent), business performance reporting
Communication | Email notifications, scheduling, activity tracking
File management | Document storage, versioning, sharing between authorized users
AI features | AI-assisted reporting, chat, and insights (zero-retention processing)

2a. Categories of Data Subjects & Personal Data

Categories of data subjects:

  • The Controllers’ and customers’ employees and team members
  • The Controllers’ and customers’ clients and brand contacts
  • End customers (aggregated e-commerce data)

Types of Personal Data:

Category | Examples
Identity data | Full name, email address, profile photo
Authentication data | Password hash, OAuth tokens, session identifiers
Contact data | Phone number, business address, company name
Financial data | Invoice amounts, payment records, commission structures
Usage data | Page views, feature usage, session recordings (with consent)
Communication data | Meeting notes, email content, activity comments
File data | Uploaded documents and their metadata

3. Processor Obligations (Art. 28 GDPR)

3.1 Lawful processing

Personal Data is processed only on documented instructions, unless required by EU or Member State law. The relevant party informs the other of any such legal requirement before processing, unless prohibited by law.

3.2 Confidentiality

Persons authorized to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security measures (Art. 32 GDPR)

Measure | Implementation
Encryption in transit | TLS 1.2+ on all connections
Encryption at rest | AES-256 for database and file storage (Supabase managed)
Access control | Role-based access control (RBAC), row-level security (RLS), org-scoped isolation
Authentication | Multi-factor authentication support, secure session management
Credential protection | OAuth tokens encrypted with application-level key
Rate limiting | Arcjet rate limiting on all endpoints
Error tracking | Sentry error monitoring with PII scrubbing
Audit logging | Append-only audit log of all sensitive operations
Network security | Vercel edge network, connection pooling, no direct DB exposure
Vulnerability management | Dependency scanning, security audit program
Data minimization | Zero-retention AI processing, time-limited data export expiry

3.4 Subprocessors

No further subprocessor is engaged without prior specific or general written authorization. The current subprocessor list is maintained in Section 4 and available on request. When engaging a subprocessor, the same data protection obligations set out in this DPA are imposed; the engaging party remains fully liable for the subprocessor’s performance; and controllers are notified of intended changes (addition or replacement) with at least 14 days’ notice, during which they may object.

3.5 Data-subject rights (Art. 12–22 GDPR)

Assistance is provided to fulfill obligations to respond to Data Subject requests:

Right | Platform implementation
Access (Art. 15) | Data export generates a complete JSON of all user data
Rectification (Art. 16) | Profile and data editing available in the platform UI
Erasure (Art. 17) | Account deletion with a grace period, cascade to subprocessors
Portability (Art. 20) | Machine-readable JSON export via background job
Restriction (Art. 18) | Account suspension functionality
Objection (Art. 21) | Consent withdrawal for analytics/tracking in settings

3.6 Data protection impact assessments

Assistance is provided with DPIAs where processing is likely to result in a high risk to Data Subjects, including for AI meeting-transcription processing.

3.7 Breach notification (Art. 33–34 GDPR)

The affected party is notified without undue delay, and in any event within 48 hours of becoming aware of a Personal Data breach. The notification describes the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.

3.8 Deletion or return of data

Upon termination of the service agreement, all Personal Data is deleted or returned within 30 days, at the controller’s choice, and existing copies are deleted unless EU or Member State law requires storage. Deletion is certified in writing upon request.

3.9 Audit rights

All information necessary to demonstrate compliance with Art. 28 GDPR is made available, and audits (including inspections) are supported. Audits require 30 days’ written notice, are conducted during business hours no more than once per year, and may be satisfied by SOC 2 reports, penetration-test results, or independent third-party audit reports. The controller bears audit costs unless findings reveal material non-compliance.

4. Subprocessors

The following subprocessors are engaged to operate the platform. Each is bound by appropriate data protection agreements, and international transfers rely on the mechanism noted. This list is the single source of truth shared with the Privacy Policy and the internal subprocessor register.

Subprocessor | Purpose | Location | Transfer mechanism
Supabase | Database, Authentication & File Storage | US (AWS us-east-1) | Standard Contractual Clauses (SCCs)
Vercel | Application Hosting & Edge Network | US (AWS), Global CDN | Standard Contractual Clauses (SCCs)
Resend | Transactional Email Delivery | US | Standard Contractual Clauses (SCCs)
Sentry | Error Tracking & Diagnostics | US | Standard Contractual Clauses (SCCs)
PostHog | Product Analytics & Session Recording | EU (Frankfurt) | EU data residency (no transfer)
Meilisearch | Full-Text Search | Self-hosted (US) | Standard Contractual Clauses (SCCs)
Upstash | Redis Cache & Rate Limiting | US | Standard Contractual Clauses (SCCs)
Anthropic | AI Processing (Claude API) | US | Standard Contractual Clauses (SCCs)
Inngest | Background Jobs & Workflow Automation | US | Standard Contractual Clauses (SCCs)
Arcjet | Rate Limiting & Bot Protection | US | Standard Contractual Clauses (SCCs)
Trigger.dev | Workflow Orchestration | US / EU | Standard Contractual Clauses (SCCs)

Last updated: March 1, 2026

5. International Data Transfers (Art. 44–49 GDPR)

Where subprocessors process data outside the EU/EEA, transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), and by adequacy decisions where applicable. Supplementary measures include encryption of data in transit and at rest, zero-retention configuration for AI processing, minimal data in background-job payloads, and pseudonymization where feasible.

6. Liability & Indemnification

Liability under this DPA is subject to the limitations set out in the Terms of Service and any applicable service agreement. Each party indemnifies the other for losses arising from its breach of this DPA or its GDPR obligations, to the extent attributable to that party.

7. Term & Governing Law

This DPA is effective from its effective date and remains in force for the duration of the service agreement. Obligations regarding data deletion, confidentiality, and cooperation with supervisory authorities survive termination. As Avenor SAS and LBMGB LLC act as joint controllers across France and the United States, the governing law and forum for a given dispute follow the entity and jurisdiction most closely connected to the processing at issue — French law for processing under Avenor SAS, and the law of the State of North Carolina for processing under LBMGB LLC — subject to any mandatory rights of Data Subjects under applicable data protection law.

8. Contact

For DPA execution, data protection questions, or to request the current subprocessor register:

Avenor SAS (France) · LBMGB LLC (North Carolina, US)

Email: privacy@avenor-na.com

This DPA is a draft designed for GDPR Article 28 compliance and must be reviewed by legal counsel before execution. Both parties should consult independent legal advice.