Draft — pending legal review; not yet in force. This document is a working draft prepared for internal review and has not been reviewed or approved by legal counsel. It does not create binding obligations and should not be relied upon until finalized and executed.
Between Avenor SAS (France) and LBMGB LLC (North Carolina, US), acting as joint data controllers, and the platform operator — GDPR Article 28. Draft revision, March 1, 2026.
This Data Processing Agreement (“DPA”) forms part of the agreement between:
“Avenor” and “ARWOS” refer to the platform and product; the legal entities are Avenor SAS and LBMGB LLC. Where this DPA is entered into with a customer organization, that organization may act as an independent or joint controller for the data it uploads, and this DPA governs the roles and responsibilities accordingly.
Subject matter. The Avenor platform — a financial and commerce operating system for brand management — processes Personal Data to provide the service described in the Terms of Service.
Duration. Processing continues for the term of the service agreement between the parties, plus any period required for data deletion or return under Section 3.8.
Nature and purpose of processing:
| Purpose | Description |
|---|---|
| Account management | User authentication, profile storage, session management |
| CRM operations | Client and contact management, deal tracking, pipeline management |
| Financial operations | Invoicing, remittance statements, P&L reporting, expense tracking |
| Analytics | Product usage analytics (with consent), business performance reporting |
| Communication | Email notifications, scheduling, activity tracking |
| File management | Document storage, versioning, sharing between authorized users |
| AI features | AI-assisted reporting, chat, and insights (zero-retention processing) |
Categories of data subjects:
Types of Personal Data:
| Category | Examples |
|---|---|
| Identity data | Full name, email address, profile photo |
| Authentication data | Password hash, OAuth tokens, session identifiers |
| Contact data | Phone number, business address, company name |
| Financial data | Invoice amounts, payment records, commission structures |
| Usage data | Page views, feature usage, session recordings (with consent) |
| Communication data | Meeting notes, email content, activity comments |
| File data | Uploaded documents and their metadata |
Personal Data is processed only on documented instructions, unless required by EU or Member State law. The relevant party informs the other of any such legal requirement before processing, unless prohibited by law.
Persons authorized to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ on all connections |
| Encryption at rest | AES-256 for database and file storage (Supabase managed) |
| Access control | Role-based access control (RBAC), row-level security (RLS), org-scoped isolation |
| Authentication | Multi-factor authentication support, secure session management |
| Credential protection | OAuth tokens encrypted with application-level key |
| Rate limiting | Arcjet rate limiting on all endpoints |
| Error tracking | Sentry error monitoring with PII scrubbing |
| Audit logging | Append-only audit log of all sensitive operations |
| Network security | Vercel edge network, connection pooling, no direct DB exposure |
| Vulnerability management | Dependency scanning, security audit program |
| Data minimization | Zero-retention AI processing, time-limited data export expiry |
No further subprocessor is engaged without prior specific or general written authorization. The current subprocessor list is maintained in Section 4 and available on request. When engaging a subprocessor, the same data protection obligations set out in this DPA are imposed; the engaging party remains fully liable for the subprocessor’s performance; and controllers are notified of intended changes (addition or replacement) with at least 14 days’ notice, during which they may object.
Assistance is provided in fulfilling the controller's obligation to respond to Data Subject requests:
| Right | Platform implementation |
|---|---|
| Access (Art. 15) | Data export generates a complete JSON of all user data |
| Rectification (Art. 16) | Profile and data editing available in the platform UI |
| Erasure (Art. 17) | Account deletion with a grace period, cascade to subprocessors |
| Portability (Art. 20) | Machine-readable JSON export via background job |
| Restriction (Art. 18) | Account suspension functionality |
| Objection (Art. 21) | Consent withdrawal for analytics/tracking in settings |
Assistance is provided with DPIAs where processing is likely to result in a high risk to Data Subjects, including for AI meeting-transcription processing.
The affected party is notified without undue delay, and in any event within 48 hours of becoming aware of a Personal Data breach. The notification describes the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.
Upon termination of the service agreement, all Personal Data is deleted or returned within 30 days, at the controller’s choice, and existing copies are deleted unless EU or Member State law requires storage. Deletion is certified in writing upon request.
All information necessary to demonstrate compliance with Art. 28 GDPR is made available, and audits (including inspections) are supported. Audits require 30 days’ written notice, are conducted during business hours no more than once per year, and may be satisfied by SOC 2 reports, penetration-test results, or independent third-party audit reports. The controller bears audit costs unless findings reveal material non-compliance.
The following subprocessors are engaged to operate the platform. Each is bound by appropriate data protection agreements, and international transfers rely on the mechanism noted. This list is the single source of truth shared with the Privacy Policy and the internal subprocessor register.
| Subprocessor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, Authentication & File Storage | US (AWS us-east-1) | Standard Contractual Clauses (SCCs) |
| Vercel | Application Hosting & Edge Network | US (AWS), Global CDN | Standard Contractual Clauses (SCCs) |
| Resend | Transactional Email Delivery | US | Standard Contractual Clauses (SCCs) |
| Sentry | Error Tracking & Diagnostics | US | Standard Contractual Clauses (SCCs) |
| PostHog | Product Analytics & Session Recording | EU (Frankfurt) | EU data residency (no transfer) |
| Meilisearch | Full-Text Search | Self-hosted (US) | Standard Contractual Clauses (SCCs) |
| Upstash | Redis Cache & Rate Limiting | US | Standard Contractual Clauses (SCCs) |
| Anthropic | AI Processing (Claude API) | US | Standard Contractual Clauses (SCCs) |
| Inngest | Background Jobs & Workflow Automation | US | Standard Contractual Clauses (SCCs) |
| Arcjet | Rate Limiting & Bot Protection | US | Standard Contractual Clauses (SCCs) |
| Trigger.dev | Workflow Orchestration | US / EU | Standard Contractual Clauses (SCCs) |
Last updated: March 1, 2026
Where subprocessors process data outside the EU/EEA, transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), and by adequacy decisions where applicable. Supplementary measures include encryption of data in transit and at rest, zero-retention configuration for AI processing, minimal data in background-job payloads, and pseudonymization where feasible.
Liability under this DPA is subject to the limitations set out in the Terms of Service and any applicable service agreement. Each party indemnifies the other for losses arising from its breach of this DPA or its GDPR obligations, to the extent attributable to that party.
This DPA is effective from its effective date and remains in force for the duration of the service agreement. Obligations regarding data deletion, confidentiality, and cooperation with supervisory authorities survive termination. As Avenor SAS and LBMGB LLC act as joint controllers across France and the United States, the governing law and forum for a given dispute follow the entity and jurisdiction most closely connected to the processing at issue — French law for processing under Avenor SAS, and the law of the State of North Carolina for processing under LBMGB LLC — subject to any mandatory rights of Data Subjects under applicable data protection law.
For DPA execution, data protection questions, or to request the current subprocessor register:
Avenor SAS (France) · LBMGB LLC (North Carolina, US)
Email: privacy@avenor-na.com
Related: subprocessor register
This DPA is a draft designed for GDPR Article 28 compliance and must be reviewed by legal counsel before execution. Both parties should consult independent legal advice.