This Data Processing Agreement (the "DPA") is entered into between:
- Perspective Analytics SAS, a société par actions simplifiée with a share capital of EUR 210,000, registered in France under RCS Saint-Nazaire 988 270 757, with registered office at 2 rue du Général de Gaulle, 44290 Guémené-Penfao, France ("nocert"); and
- the Customer, as identified in the Customer's account on the Service.
Both parties together constitute the "Parties". The DPA forms an integral part of the Terms of Service published at nocert.io/terms (the "Terms") and is deemed accepted by the Customer at the same time as the Terms, through a distinct acceptance checkbox, in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR").
This DPA governs the processing of Personal Data carried out by nocert on behalf of the Customer in the course of providing the Service. It supplements the Terms and supersedes them in respect of any matter relating to the protection of Personal Data.
Effective date: the date of acceptance of the Terms by the Customer.
1. Definitions
Capitalised terms not defined in this DPA have the meaning given in the Terms. For the purposes of this DPA:
- Applicable Data Protection Law — the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the French Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés as amended (the "Loi Informatique et Libertés"), and any other data-protection law of the European Union or its Member States applicable to a Party.
- Customer Personal Data — Personal Data within the Customer Data (as defined in the Terms) processed by nocert on behalf of the Customer in the course of providing the Service.
- Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach, Special Categories of Personal Data, Supervisory Authority — have the meaning given in Article 4 of the GDPR.
- Sub-processor — a third party engaged by nocert to process Customer Personal Data on its behalf, listed in Annex III.
- EU SCCs — the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- UK Addendum — the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018.
- DPF — the EU-US Data Privacy Framework established by Commission Implementing Decision (EU) 2023/1795 of 10 July 2023.
- TIA — Transfer Impact Assessment, as recommended by EDPB Recommendations 01/2020.
- TOMs — Technical and Organisational Measures within the meaning of Article 32 of the GDPR, set out in Annex II.
2. Subject Matter, Scope, Duration, and Relationship to the Terms
Subject matter and nature of the processing. nocert processes Customer Personal Data on behalf of the Customer for the sole purpose of providing the Service, namely: discovery, monitoring, and alerting on TLS certificates; compliance scoring; reporting; user authentication; audit logging; and the operation of the Sentinel agent on Customer premises (described in Annex IV).
Categories of Personal Data, categories of Data Subjects, and duration — set out in detail in Annex I.
Duration. This DPA enters into force on its Effective Date and remains in force for as long as nocert processes Customer Personal Data on behalf of the Customer, including during any post-termination read-only or backup retention period defined in the Terms.
Relationship to the Terms. This DPA forms an integral part of the contractual relationship established by the Terms. In the event of conflict on a matter relating to Personal Data:
- the EU SCCs prevail over this DPA;
- this DPA prevails over the Terms;
- the Terms prevail over any other documentation.
3. Roles of the Parties
Customer as Controller. The Customer determines the purposes and the essential means of the processing of Customer Personal Data carried out via the Service. The Customer acts as Controller within the meaning of Article 4(7) of the GDPR.
nocert as Processor. nocert processes Customer Personal Data exclusively on behalf of the Customer and on the Customer's documented instructions, as set out in Section 4. nocert acts as Processor within the meaning of Article 4(8) of the GDPR.
Sentinel agent. The Sentinel agent (defined in the Terms) is a component of the Service and is part of nocert's processing activity as Processor. Annex IV describes the Sentinel processing in detail, including the categories of data collected, egress destinations, integrity guarantees, and the allocation of operational responsibility between the Parties.
Separate Controller characterisation for aggregates and threat intelligence. Processing of anonymised or aggregated data derived from Customer Personal Data for the purposes of product improvement or sectoral threat intelligence falls outside the scope of this DPA. Before any such processing, nocert conducts and documents a re-identification risk assessment following the CNIL and former Article 29 Working Party methodology (singling-out, linkability, inference).
Where the resulting data still constitutes Personal Data after anonymisation, nocert acts as an independent Controller for that processing and assumes the corresponding obligations under Articles 13 and 14 of the GDPR. The information required by Articles 13 and 14 is provided through nocert's Privacy Policy at nocert.io/privacy, which includes a dedicated section on threat-intelligence and product-improvement processing.
For the avoidance of doubt, this processing is subject to the prohibition of AI and machine-learning model training set out in Section 11 of the Terms.
Excluded processing. This DPA does not cover processing of Personal Data for which nocert acts as Controller in its own capacity (in particular: Customer's account contact details, billing information, usage logs of the platform). Such processing is governed by nocert's Privacy Policy at nocert.io/privacy.
4. Customer's Documented Instructions
Documented instructions. nocert shall process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which nocert is subject.
The Customer's documented instructions consist of:
- the Terms and this DPA;
- the configuration of the Service made by the Customer through the platform interface or the API (including the addition or removal of monitoring targets, alerting rules, sub-account permissions, etc.);
- the deployment and configuration of the Sentinel agent by the Customer on its own infrastructure;
- any specific instruction given in writing to nocert by an authorised representative of the Customer.
Notification of unlawful instructions. If nocert considers that an instruction infringes Applicable Data Protection Law, it shall inform the Customer immediately, and may suspend the execution of the instruction until it is confirmed, modified, or withdrawn by the Customer.
Legal obligations. Where Union or Member State law requires nocert to process Customer Personal Data otherwise than on the Customer's instructions, nocert shall inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
5. Confidentiality of Personnel
nocert ensures that persons authorised to process Customer Personal Data:
- have committed themselves to confidentiality, either through their employment contract, an internal confidentiality policy, or a separate non-disclosure agreement, with obligations surviving the termination of their relationship with nocert;
- access Customer Personal Data on a need-to-know basis, in proportion to the tasks they perform;
- have received appropriate training on data protection and on nocert's internal security policies;
- are subject to access revocation without undue delay — and, for access to production systems containing Customer Personal Data, within a commercially reasonable period having regard to the nature of the access and the circumstances of the termination or of the cessation of need — following the termination of their relationship with nocert or the cessation of their need to access Customer Personal Data.
6. Security of Processing
Article 32 GDPR. nocert implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
TOMs. The technical and organisational measures implemented by nocert are described in Annex II. nocert may update Annex II from time to time, provided that the level of protection is not materially diminished. Material modifications are notified to the Customer in accordance with the modification regime of the Terms.
Pseudonymisation and encryption. Where appropriate, nocert pseudonymises and encrypts Personal Data, in particular by encrypting sensitive fields at rest and by enforcing TLS 1.3 in transit.
Confidentiality, integrity, availability, resilience. nocert implements measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, in proportion to nocert's resources and the nature of the Service.
Restoration. nocert maintains the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident, in accordance with the backup and retention regime described in Annex II.
Testing and review. nocert performs internal security testing as part of its development and release cycle. Independent third-party security assessments are performed on a frequency aligned with nocert's resources; their summary results are made available to the Customer under non-disclosure agreement where they exist. nocert does not commit to a fixed third-party assessment frequency.
7. Personal Data Breach
Notification by nocert to the Customer. In the event of a Personal Data Breach affecting Customer Personal Data, nocert shall notify the Customer without undue delay after becoming aware of the Breach, and in any event within forty-eight (48) hours after becoming aware of the Breach, by email to the technical and privacy contact addresses registered on the Customer account. For the purposes of this Section, "becoming aware" means the moment at which nocert has a reasonable degree of certainty that a security incident has occurred that has led to Customer Personal Data being compromised, in accordance with EDPB Guidelines 9/2022 on personal data breach notification under the GDPR. Notification may be phased: an initial alert upon awareness, intermediate updates as investigation progresses, and a final notification once the facts are confirmed, in accordance with the same Guidelines.
Content of the notification. The notification shall include, to the extent available at the time of notification:
- a description of the nature of the Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- the name and contact details of the nocert privacy contact ([email protected]) where more information can be obtained;
- the likely consequences of the Breach;
- the measures taken or proposed to address the Breach and to mitigate its possible adverse effects.
Customer-side breaches. Personal Data Breaches originating from the Customer's own infrastructure (including a compromised Sentinel host or misconfigured deployment under the Customer's responsibility as set out in Annex IV.E) are the Customer's breach to notify as Controller; nocert shall cooperate in investigation and remediation as reasonably required.
Cooperation. nocert assists the Customer, taking into account the nature of processing and the information available to nocert, in fulfilling the Customer's obligations under Articles 33 and 34 of the GDPR, including the Customer's notification to its competent Supervisory Authority and, where applicable, communication to affected Data Subjects.
Documentation. nocert documents Personal Data Breaches affecting Customer Personal Data, including the facts, effects, and remedial actions taken.
8. Sub-processors
General authorisation. The Customer grants nocert a general written authorisation to engage Sub-processors to perform specific processing activities on its behalf, subject to the conditions set out in this Section.
Initial list. The list of Sub-processors authorised at the date of acceptance of this DPA is set out in Annex III. The up-to-date list is maintained at nocert.io/dpa/subprocessors with version history.
Notification of changes. nocert shall notify Customers on a paid Plan of any intended addition or replacement of a Sub-processor at least thirty (30) calendar days before the new Sub-processor begins processing Customer Personal Data. Notification is made by email to the address registered on the Customer account or through the in-platform notification system. Trial Customers are not individually notified, without prejudice to their access to the up-to-date list at nocert.io/dpa/subprocessors.
Right to object. The Customer may object to the addition or replacement of a Sub-processor for legitimate reasons relating to data protection, by written notice to [email protected] within thirty (30) days of the notification.
Resolution. The Parties shall discuss the objection in good faith. If the Parties do not reach a resolution within thirty (30) days of the objection, the Customer may terminate the affected Service by written notice and obtain a pro-rata refund of any fees paid in advance for the period during which the affected Service is no longer used.
Effect of an objection on deployment. Where the Customer raises a timely objection under this Section, nocert shall not commence Customer Personal Data processing by the new or replacement Sub-processor in respect of that Customer's data until the earlier of (i) the resolution of the objection in good faith between the Parties, (ii) the lapse of the 30-day discussion period without resolution, or (iii) termination by the Customer under this Section. This suspensive effect does not apply to Emergency Replacement under the paragraph below.
Cascading obligations. When engaging a Sub-processor, nocert shall impose on it, by way of contract, the same data protection obligations as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures, in accordance with Article 28(4) of the GDPR. nocert remains fully liable to the Customer for the performance of the Sub-processor's obligations.
Sub-sub-processors — chain visibility. In accordance with EDPB Opinion 22/2024 on processors and sub-processors, where a Sub-processor itself engages further sub-processors with access to Customer Personal Data, nocert shall, on reasonable written request by the Customer, provide the list maintained by that Sub-processor, to the extent that such list is publicly available or obtainable under nocert's contract with the Sub-processor.
Emergency replacement. Where a Sub-processor must be replaced urgently for reasons of force majeure, security, or continuity of service, nocert may proceed to the replacement and inform the Customer as soon as possible thereafter. The retroactive right of objection set out above remains available for thirty (30) days from such notification.
9. International Data Transfers
EU/EEA primary hosting. Customer Personal Data is hosted and processed primarily within the European Economic Area, on the infrastructure of OVHcloud SAS in France. nocert does not transfer Customer Personal Data outside the EEA except as described in this Section.
Limited transfers via Sub-processors. Certain Sub-processors listed in Annex III (notably Stripe, Inc., Cloudflare, Inc., Google LLC as operator of Google Workspace, Mailgun/Sinch, and AWS SES) are established outside the EEA or may process limited Personal Data outside the EEA in the course of their services. For such transfers, nocert relies on the following safeguards, as applicable:
- the EU Standard Contractual Clauses 2021/914, Module 2 (Controller to Processor) or Module 3 (Processor to Sub-processor), incorporated by reference into the Sub-processor's own data processing agreement and through Annex V to this DPA;
- where applicable, the UK Addendum to the EU SCCs issued by the UK Information Commissioner's Office for transfers concerning UK Data Subjects; the Parties acknowledge that the UK Data (Use and Access) Act 2025 introduced a modified UK "data protection test" applicable to international transfers, and nocert maintains its UK transfer regime aligned with current ICO guidance under that test;
- where the Sub-processor is certified under the EU-US Data Privacy Framework, that certification as an additional safeguard;
- a Transfer Impact Assessment maintained on file by nocert for each transfer concerned, in accordance with EDPB Recommendations 01/2020 and the CNIL Practical TIA Guide.
Substitution of transfer mechanism. In the event that one of the above mechanisms ceases to be valid (in particular following a court decision invalidating an adequacy decision or the EU SCCs):
- nocert shall, without undue delay, conduct a new TIA for each affected transfer and notify the Customer of the affected transfers and the proposed remediation path;
- nocert shall implement an equivalent substitute mechanism as soon as reasonably practicable, taking into account the time required by competent EU authorities and Sub-processors to make an equivalent mechanism available, and document any supplementary technical, contractual, or organisational measures required;
- pending substitution, the Customer may request the suspension of the affected transfers by written notice to [email protected], and nocert shall implement the suspension without undue delay;
- the mere substitution of the transfer mechanism or the addition of supplementary measures does not constitute a modification of this DPA requiring notice under Section 17 of the Terms, provided that the level of protection for Data Subjects is not materially diminished.
10. Audit and Information Rights
Information. nocert shall make available to the Customer all information necessary to demonstrate compliance with Article 28 of the GDPR and with this DPA, in accordance with Article 28(3)(h) of the GDPR.
Standard means of audit. The Customer's right to audit, in accordance with Article 28(3)(h), is exercised through the following means, in this order of priority:
- Documentary review — nocert provides, on reasonable written request, the up-to-date version of Annex II (TOMs), Annex III (Sub-processors), the description of the Service architecture, the security policies in force, and any independent assessment summary that nocert has commissioned and may share under non-disclosure agreement.
- Written questionnaires — nocert responds, within thirty (30) calendar days of receipt, to a reasonable written security questionnaire submitted by the Customer. One (1) such questionnaire per twelve (12) month period is provided free of charge. An additional questionnaire may be submitted at no charge in case of: (i) a material change to the Service, (ii) the addition of a Sub-processor to which the Customer has objected, (iii) a Personal Data Breach, or (iv) a documented request from a competent Supervisory Authority.
- Video conference and remote system access — where the documentary review and questionnaires are insufficient to address a specific point and the Customer demonstrates a specific, material compliance requirement that cannot otherwise be met, the Parties may agree on a video conference or, where appropriate, a limited remote access session to nocert's back-office or production administration systems. Such sessions are subject to a non-disclosure agreement, to commercially reasonable scheduling, to a maximum of one session per twelve (12) month period per Customer, and to the Customer bearing the costs of such sessions above a reasonable complimentary scope.
No on-site physical audit at nocert premises. The Parties acknowledge that nocert does not host Customer Personal Data on its own physical premises. All production data is hosted by OVHcloud SAS in France, and all administration is carried out remotely. Accordingly, on-site physical audit at nocert premises is not applicable under this DPA, in the absence of physical infrastructure to inspect at those premises. Where a competent Supervisory Authority requires an on-site inspection in the course of an investigation, nocert shall cooperate at the place where the processing actually occurs (the OVHcloud datacentre, under OVHcloud's own audit programme, or nocert's offices for documentary review), within the limits of Applicable Data Protection Law.
Audit of OVHcloud. Where the Customer wishes to audit the physical and infrastructure security of the hosting environment, the Customer may exercise the audit rights granted by OVHcloud SAS to its own customers under OVHcloud's published audit programme, at the Customer's own cost.
Cost. Information requests, documentary review, and one written questionnaire per twelve (12) month period (plus the additional questionnaires triggered by the events listed in the paragraph above) are provided free of charge. A first video-conference session of up to four (4) hours per twelve (12) month period is provided free of charge. Beyond these baselines, nocert may apply reasonable cost-based charges, communicated and agreed in writing in advance, calculated by reference to nocert's then-current consulting rate, which shall not exceed EUR 1,500 (excluding VAT) per consultant-day. No cost is charged for audits triggered by (i) a Personal Data Breach affecting the Customer, (ii) a documented request from a competent Supervisory Authority concerning the Customer, or (iii) a material change to the Service with a material adverse impact on the protection of Personal Data.
Auditor restrictions. Where the Customer engages a third-party auditor, nocert may object to the choice of an auditor that is a direct competitor of nocert or that does not present sufficient guarantees of independence and competence. The Customer shall propose an alternative auditor in such case.
11. Assistance to the Customer
Data subjects' rights (Articles 12 to 22 GDPR). nocert assists the Customer, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection. Where a Data Subject directly contacts nocert with such a request, nocert shall promptly forward the request to the Customer without responding on the merits, except as required by law.
Self-service tools. Where reasonable, nocert provides the Customer with self-service tools in the platform interface and through the API (including data export, deletion of monitoring targets, and audit log access) that allow the Customer to respond to most Data Subject requests autonomously.
DPIA and prior consultation (Articles 35 and 36 GDPR). nocert assists the Customer, taking into account the nature of processing and the information available to nocert, in carrying out Data Protection Impact Assessments and, where applicable, prior consultations with the competent Supervisory Authority. Such assistance is provided in the form of: (a) a description of the processing carried out by the Service; (b) the up-to-date version of Annex II (TOMs); (c) the up-to-date list of Sub-processors and locations of processing.
Compliance assistance (Articles 32 to 36 GDPR). Beyond the specific assistance described above, nocert reasonably cooperates with the Customer in fulfilling the Customer's general compliance obligations under Articles 32 to 36 of the GDPR.
Cost. Assistance reasonably necessary to respond to standard Data Subject requests and to standard DPIA support is provided free of charge. Where the assistance entails extraordinary or repeated work, nocert may apply reasonable cost-based charges, communicated and agreed in advance.
12. Deletion or Return of Personal Data
Customer choice. At the choice of the Customer expressed before the effective date of termination of the Service, nocert shall return Customer Personal Data to the Customer (through the export functionality of the Service) or delete it. In the absence of an express choice, nocert returns the Personal Data through the export functionality and then deletes it in accordance with the regime described below.
Alignment with the Terms — post-termination. The post-termination read-only period, the production deletion timeline, and the backup purge timeline are those defined in Section 16 of the Terms (30-day post-termination read-only; production deletion within 30 days thereafter; backup purge within 90 days from the effective date of termination).
Alignment with the Terms — trial accounts. For Trial accounts that are not converted to a paid Plan, deletion follows the regime defined in Section 4 of the Terms (Read-only Mode from D+14 to D+74; fixed deletion from production systems at D+74 with a reminder email at D+67; backups containing Trial Customer Personal Data purged within ninety (90) days from D+74).
Legal retention obligations. nocert may retain limited Customer Personal Data beyond the deletion timelines solely to the extent necessary to comply with legal retention obligations (in particular accounting and tax obligations under French law). Such retained data is not further processed and is deleted at the end of the applicable retention period.
Certification of deletion. Upon written request by the Customer, nocert provides a written certification of deletion within a reasonable timeframe.
13. Liability, Article 82 GDPR, and Customer Indemnification
Liability between the Parties. The liability of each Party to the other under or in connection with this DPA is governed by the limitation of liability set out in Section 14 of the Terms (twelve (12) months of fees actually paid, subject to the EUR 6,000 minimum floor and the EUR 30,000 absolute cap for Pro and Business Plans, and subject to the carve-outs set out therein). The Faurecia safeguard set out in Section 14 of the Terms applies to liability under this DPA.
Additional carve-out. Without prejudice to the mandatory carve-outs already listed in Section 14 of the Terms, the cap set out therein does not apply to intentional or grossly negligent breaches of this DPA by nocert as Processor (including intentional or grossly negligent breach of nocert's obligations under Articles 28 and 32 of the GDPR), to preserve the effectiveness of Article 28 of the GDPR as an essential obligation of the contract within the meaning of Article 1170 of the French Code civil.
Article 82 GDPR — Data Subject claims. Where a Data Subject brings a claim under Article 82 of the GDPR against the Customer or against nocert:
- as between the Parties, each Party bears the share of liability corresponding to the part attributable to its own infringement of the GDPR, in accordance with Article 82(5) of the GDPR;
- nothing in this DPA limits the liability of either Party towards Data Subjects under Article 82 of the GDPR; such liability cannot be capped by contract.
Administrative fines (Article 83 GDPR). Each Party bears the administrative fines imposed on it by a Supervisory Authority under Article 83 of the GDPR for its own infringements. nocert is not liable for administrative fines imposed on the Customer where the infringement results from the Customer's own decisions, configuration, or instructions.
Customer indemnification — Sentinel and Customer-controlled infrastructure. Where a Data Subject claim under Article 82 of the GDPR against nocert arises wholly or partly from:
- the Customer's breach of the scanning authorisation warranty or of the sanctions / dual-use / cryptographic export-control warranties (Section 9 of the Terms);
- the Customer's breach of the Sentinel deployment, host security, or scan-scope responsibilities set out in Annex IV.E;
- the deployment or use of a modified or forked Sentinel in breach of Annex IV.F;
the Customer shall indemnify nocert under Section 14 of the Terms for the portion attributable to the Customer. Defence-control mechanics follow Section 14 of the Terms.
14. Compliance Scoring Disclaimer
The Parties recall that compliance scores, alignment indicators, and reports produced by the Service (including in relation to PCI-DSS, ISO 27001, NIS2, ANSSI, or other frameworks) are informational and do not constitute legal advice, regulatory certification, audit opinion, or guarantee of compliance, as set out in Section 8 of the Terms. The Customer remains the sole and exclusive Controller for the purpose of any regulatory compliance determination, including in respect of Personal Data.
Accuracy principle (Article 5(1)(d) GDPR). Where a compliance scoring output contains Personal Data relating to a Data Subject (for example, a natural person identified as responsible for a non-compliant asset), the Customer, as Controller, remains responsible for ensuring the accuracy of that Personal Data and may use the rectification mechanisms described in Section 11. nocert does not warrant the accuracy of compliance scoring outputs beyond the best-effort operation of the scoring engine.
15. Term, Precedence, Order of Conflict, and Survival
Term. This DPA enters into force on the Effective Date and remains in force for as long as nocert processes Customer Personal Data on behalf of the Customer.
Survival. The following Sections survive termination of the contract, in proportion to their nature and for the periods specified or reasonably necessary to fulfil their purpose: Section 5 (Confidentiality of personnel); Section 7 (Personal Data Breach, in respect of Breaches occurring before termination or discovered thereafter); Section 11 (Assistance, for Data Subject requests or Supervisory Authority interactions filed before or shortly after termination); Section 12 (Deletion); Section 13 (Liability, Article 82 GDPR, and Customer indemnification); and Section 14 (Compliance scoring disclaimer).
Order of precedence. In the event of conflict on a matter relating to Personal Data:
- the EU SCCs (Annex V) prevail over this DPA;
- this DPA prevails over the Terms;
- the Terms prevail over any other documentation.
For all other matters, the order of precedence set out in the Terms applies.
16. Governing Law, Jurisdiction, Limitation Period, and Language
This DPA is governed by French law. Disputes arising from or in connection with this DPA are submitted to the same jurisdiction as set out in Section 18 of the Terms.
Contractual limitation period. Without prejudice to claims arising under Article 82 GDPR (which remain subject to the applicable statutory periods of limitation) and to claims falling within Article 1648 of the French Code civil, any action arising out of or in connection with this DPA must be brought within twelve (12) months from the date on which the Party bringing the action knew or ought to have known of the facts giving rise to the claim, in accordance with Article 2254 of the French Code civil. This Section is the express agreement of the Parties to reduce the period set out in Article 2224 of the Code civil, consistent with the equivalent clause in Section 20 of the Terms.
Language. This DPA has been drafted in English and the English version is the only legally binding version. Any translation that nocert may provide for convenience does not have legal effect; in case of discrepancy, the English version prevails. The Customer expressly acknowledges that, as a professional, it has the linguistic capacity to read and understand this DPA in English, and agrees that English is the working language of the contract. The use of English is agreed between professionals in accordance with the circulaire du 19 mars 1996 on the application of loi n° 94-665 du 4 août 1994.
Annex I — Description of Processing
A. Parties
- Data Exporter (Controller): the Customer, as identified in the Customer account.
- Data Importer (Processor): Perspective Analytics SAS, 2 rue du Général de Gaulle, 44290 Guémené-Penfao, France.
- Data Importer's privacy contact: [email protected].
B. Description of the Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the nocert.io TLS certificate monitoring Service, including discovery, monitoring, alerting, compliance scoring, audit logging, and operation of the Sentinel agent on Customer premises. |
| Nature of the processing | Collection, storage, organisation, structuring, retrieval, consultation, transmission, alignment, retention, restriction, erasure. No processing falling within Article 22 GDPR (automated individual decision-making, including profiling). |
| Purpose of the processing | Sole purpose of providing the Service to the Customer in accordance with the Terms and the Customer's documented instructions. |
| Categories of Data Subjects | Customer's employees, contractors, and other authorised users having an account on the Service (including via SSO); natural persons whose names appear in certificate metadata, hostnames, or audit logs collected by the Service or the Sentinel agent (e.g. john.doe-laptop.corp.local). |
| Categories of Personal Data and retention | (i) Account data (name, professional email address, role, hashed password, encrypted MFA secret) — retained for the duration of the account, subject to the deletion regime in Section 12. (ii) Authentication and audit data (login events, IP addresses, user-agent, actions performed in the platform) — retained 6 to 12 months depending on the Plan, subject to the deletion regime in Section 12. (iii) Infrastructure data containing or potentially containing Personal Data (hostnames, internal IP addresses, certificate metadata, network topology elements collected by the Sentinel) — retained while the associated monitoring target is active; deleted on removal or on termination under Section 12. (iv) Communication data (support correspondence) — retained for the duration of the commercial relationship and for three (3) years thereafter for customer relationship management purposes. |
| Special Categories of Personal Data | None expected. The Service is not designed to process Special Categories. The Customer is responsible for ensuring it does not submit such data to the Service. |
| Frequency of the processing | Continuous, for the duration of the contract. |
| Duration of the processing | For the duration of the contract, plus the post-termination read-only period and the deletion timelines set out in Section 12. |
| Transfers | Hosted in the EEA (OVHcloud, France). Limited transfers to Sub-processors outside the EEA as described in Section 9 and Annex III. |
| Recipients | nocert authorised personnel; Sub-processors listed in Annex III. |
C. Competent Supervisory Authority
- Commission Nationale de l'Informatique et des Libertés (CNIL)
- 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07, France
- Telephone: +33 (0)1 53 73 22 22 — Website: https://www.cnil.fr
Annex II — Technical and Organisational Measures (TOMs) and Verifiability Measures
The current state of technical and organisational measures implemented by nocert is described below. nocert may update these measures over time to reflect technical evolution and the state of the art, provided that the level of protection is not materially diminished. Indicative descriptive context is also published at nocert.io/security.
A. Pseudonymisation and encryption (Article 32(1)(a) GDPR)
- TLS 1.2 minimum enforced on all connections in transit; TLS 1.3 preferred where supported by the client.
- AES-256-GCM encryption for sensitive fields at the application layer (MFA secrets, API tokens).
- Argon2id password hashing with OWASP-recommended parameters.
- Communication between Sentinels and the Service authenticated and integrity-protected by RFC 9421 HTTP Message Signatures, in addition to the TLS protection in transit described above (message signatures do not themselves provide confidentiality).
B. Confidentiality, integrity, availability, and resilience of processing systems and services (Article 32(1)(b) GDPR)
- Role-based access control with the principle of least privilege.
- Multi-factor authentication required for nocert administrative access.
- Session-based authentication for users with HttpOnly, Secure, SameSite=Strict cookies.
- Logical isolation of Customers in a multi-tenant architecture, enforced at the database and application layers.
- Cloudflare WAF and DDoS mitigation at the edge.
- Centralised log retention enabling detection of and response to anomalies.
C. Restoration of availability and access to Personal Data in a timely manner in the event of a physical or technical incident (Article 32(1)(c) GDPR)
- Encrypted backups with regular restoration testing.
- Documented incident response procedure.
- Disaster recovery posture aligned with the OVHcloud hosting environment.
D. Process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures (Article 32(1)(d) GDPR)
- Internal security testing throughout the development and release cycle.
- Independent third-party security assessments performed on a frequency aligned with nocert's resources, with summary results made available to Customers under non-disclosure agreement where they exist.
- Periodic review of access permissions and of the up-to-date list of Sub-processors.
E. Personnel measures
- Confidentiality commitments imposed on all persons authorised to process Customer Personal Data.
- Training on data protection and on internal security policies.
- Access revocation without undue delay, and within a commercially reasonable period for access to production systems containing Customer Personal Data, following termination of the relationship or cessation of the need to access Customer Personal Data.
F. Sentinel agent — software supply-chain measures
- Cryptographic signature on each Sentinel release binary.
- Software Bill of Materials (SBOM) published with each release in a standard format (CycloneDX or SPDX).
- Vulnerability advisories published on a dedicated security page or mailing list.
- Patches addressing identified vulnerabilities issued in reasonable time, prioritised by severity.
G. Verifiability measures (beyond Article 32 TOMs)
- Source code of the Sentinel is distributed under the GNU Affero General Public License version 3 (AGPL-3.0). Customers on a paid Plan may download a complete source archive for each Sentinel release directly from the Service's authenticated web interface, together with the release binary. This allows the Customer, or an independent auditor engaged by the Customer, to inspect the processing code.
H. Sub-processor management
- Public list at nocert.io/dpa/subprocessors with version history.
- Back-to-back data protection obligations imposed contractually on each Sub-processor.
Annex III — List of Sub-processors
The list below reflects the sub-processors authorised at the Effective Date of this DPA. The current version, with version history, is maintained at nocert.io/dpa/subprocessors. Where a Sub-processor itself engages further sub-processors with access to Customer Personal Data, the list maintained by that Sub-processor is made available to the Customer on reasonable written request, as provided in Section 8.
Hosting and edge infrastructure
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| OVHcloud SAS (France) | Cloud hosting of the Service and Customer Personal Data | France (EEA) | None (EEA) |
| Cloudflare, Inc. (USA) and Cloudflare Ireland Limited (Ireland) | Edge delivery, WAF, DDoS protection (does not store application data) | EEA edge with US headquarters | EU SCCs Module 3 + DPF |
Payment and invoicing
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. (Ireland) and Stripe, Inc. (USA) | Payment processing | Ireland (EEA) and USA | EU SCCs Module 2 + DPF |
| Tiime SAS (France) | E-invoicing — Plateforme Agréée officially certified by DGFiP | France (EEA) | None (EEA) |
Email infrastructure
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC / Google Ireland Limited — Google Workspace | Business email — inbound and outbound correspondence (e.g. [email protected], [email protected]), including support correspondence from Customers | Ireland (EEA) with US infrastructure | EU SCCs Module 3 + DPF |
| Mailgun Technologies, Inc. / Sinch | Transactional outbound email delivery (alerts, notifications, operational emails) | EU region (api.eu.mailgun.net) | EU SCCs Module 3 + DPF |
| Amazon Web Services EMEA SARL / Amazon Web Services, Inc. — Amazon SES | Transactional outbound email delivery (fallback / additional channel) | EU region (eu-west-1 / eu-central-1) | EU SCCs Module 3 + DPF |
Annex IV — Sentinel Agent Processing Description
The Sentinel agent is open-source software distributed by nocert under the GNU Affero General Public License version 3 (AGPL-3.0), deployable by the Customer on its own infrastructure. The Sentinel is part of the Service and its operation is part of nocert's processing activity as Processor.
A. Deployment
- Deployed by the Customer on the Customer's own infrastructure, on hosts and in network locations chosen by the Customer.
- Single statically-linked binary, no runtime dependencies.
- Runs unprivileged: no root access required; minimal system permissions.
- Customer may stop, disable, or uninstall the Sentinel at any time.
B. Data collected by the Sentinel
- TLS certificates discovered through scanning of the network ranges and ports configured by the Customer (subject metadata, SANs, issuer, validity, key types, cipher suites).
- Hostnames and IP addresses of hosts on which a TLS certificate is detected.
- Network topology elements implied by the scan (e.g. the existence of a host at a given IP/port).
- Sentinel operational telemetry (version, uptime, scan statistics, errors).
The Sentinel does not collect: file contents, process listings, host shell access, credentials, or non-TLS-related network traffic.
C. Communication
- All communication is outbound only from the Sentinel to the Service.
- All requests are signed using RFC 9421 HTTP Message Signatures, ensuring integrity and authenticity.
- No inbound connection from the Service to the Sentinel; no remote shell, no remote execution capability.
- The Sentinel communicates exclusively with nocert's API endpoint; it does not communicate with any other third party.
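The telemetry channel described in Annex II.A and in item C above is protected by RFC 9421 HTTP Message Signatures. As an added illustration of what that means on the wire (this is example code, not nocert's Sentinel or API, whose protocol the page does not publish), the following Python shows both sides: the Sentinel signing a telemetry POST, and the API verifying it and rejecting tampered, redirected, replayed and unknown-key requests. The authority api.nocert.io, the path /v1/telemetry, the key identifier, the request body and the use of the hmac-sha256 algorithm are assumptions made for this example; the signature-base construction is the RFC's and is the same for asymmetric algorithms such as Ed25519.

```python
"""RFC 9421 HTTP Message Signatures on a Sentinel-style telemetry POST (added
example, not nocert's code). Authority, path, key id, body and hmac-sha256 are
assumptions; the signature-base construction is the RFC's."""
import base64
import hashlib
import hmac
import time

# Components the verifier requires: method, target and body binding.
REQUIRED = ("@method", "@authority", "@path", "content-digest", "content-type")

def content_digest(body):
    """RFC 9530 Content-Digest value that ties the body to the signature."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def _component_value(name, method, authority, path, headers):
    """Canonical value of one covered component (RFC 9421 section 2)."""
    if name == "@method":
        return method.upper()
    if name == "@authority":
        return authority.lower()
    if name == "@path":
        return path
    return headers[name].strip()

def signature_base(covered, method, authority, path, headers, params):
    """One '"name": value' line per component, then the @signature-params
    line, LF-joined with no trailing newline (RFC 9421 section 2.5)."""
    lines = [f'"{c}": {_component_value(c, method, authority, path, headers)}' for c in covered]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

def sign_request(key, keyid, method, authority, path, headers, body, created=None):
    """Sentinel side: add Content-Digest, Signature-Input and Signature."""
    h = {k.lower(): v for k, v in headers.items()}
    h["content-digest"] = content_digest(body)
    created = int(time.time()) if created is None else created
    components = " ".join(f'"{c}"' for c in REQUIRED)
    params = f'({components});created={created};keyid="{keyid}";alg="hmac-sha256"'
    mac = hmac.new(key, signature_base(REQUIRED, method, authority, path, h, params), hashlib.sha256).digest()
    h["signature-input"] = "sig1=" + params
    h["signature"] = "sig1=:" + base64.b64encode(mac).decode() + ":"
    return h

def verify_request(keys, method, authority, path, headers, body, now=None, max_age=300):
    """API side. Returns (accepted, reason); the MAC is checked last, over the
    Signature-Input string exactly as received."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        in_label, params = h["signature-input"].split("=", 1)
        sig_label, sig_val = h["signature"].split("=", 1)
        sig = base64.b64decode(sig_val[1:-1], validate=True)  # binascii.Error is a ValueError
    except (KeyError, ValueError):
        return False, "malformed"
    if in_label != sig_label or sig_val[:1] != ":" or sig_val[-1:] != ":" or params[:1] != "(":
        return False, "malformed"
    inner, _, rest = params[1:].partition(")")
    covered = tuple(c.strip('"') for c in inner.split())
    p = {k: v.strip('"') for k, _, v in (kv.partition("=") for kv in rest.split(";")[1:])}
    if covered != REQUIRED or any(c not in h for c in covered if not c.startswith("@")):
        return False, "components"  # a signer must not be allowed to drop the body or target
    if p.get("alg") != "hmac-sha256":
        return False, "algorithm"
    if p.get("keyid") not in keys:
        return False, "unknown-key"
    now = int(time.time()) if now is None else now
    if not p.get("created", "").isdigit() or abs(now - int(p["created"])) > max_age:
        return False, "stale"  # replay window; a nonce store would tighten this further
    if not hmac.compare_digest(h["content-digest"].encode(), content_digest(body).encode()):
        return False, "digest-mismatch"
    base = signature_base(covered, method, authority, path, h, params)
    if not hmac.compare_digest(hmac.new(keys[p["keyid"]], base, hashlib.sha256).digest(), sig):
        return False, "bad-signature"
    return True, "ok"

def demo():
    """Constructed exchange: one signed scan result, then tampering, forgery,
    redirection, replay and an unknown key. Returns the verifier's reason per case."""
    keys = {"sentinel-0001": b"constructed-shared-secret-not-for-production"}  # assumed key id
    body = b'{"host":"10.0.0.12","port":443,"not_after":"2026-03-01T00:00:00Z"}'  # constructed
    altered = body.replace(b"443", b"8443")
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    args = ("POST", "api.nocert.io", "/v1/telemetry")  # assumed endpoint
    signed = sign_request(keys["sentinel-0001"], "sentinel-0001", *args, {"Content-Type": "application/json"}, body, created=t0)
    forged = dict(signed)
    forged["content-digest"] = content_digest(altered)  # attacker re-computes the digest too
    cases = {
        "valid": verify_request(keys, *args, signed, body, now=t0 + 5),
        "tampered-body": verify_request(keys, *args, signed, altered, now=t0 + 5),
        "forged-digest": verify_request(keys, *args, forged, altered, now=t0 + 5),
        "other-path": verify_request(keys, "POST", "api.nocert.io", "/v1/admin", signed, body, now=t0 + 5),
        "replayed": verify_request(keys, *args, signed, body, now=t0 + 600),
        "unknown-key": verify_request({}, *args, signed, body, now=t0 + 5),
    }
    return {name: reason for name, (_, reason) in cases.items()}

if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:14s} {reason}")
```

Two design points are worth noting for anyone reviewing such a channel. First, the body is bound to the signature only through the Content-Digest header, so the verifier must both require that component in Signature-Input and recompute the digest over the bytes it actually received; a verifier that accepts whatever components the signer chose can be fed a signature covering nothing useful. Second, the signature base is rebuilt from the received Signature-Input string verbatim, because the created timestamp and key id are part of what is signed; the freshness check on created is what limits replay of a captured request, and a server-side nonce store would close the remaining window.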
D. Integrity and updates
- Sentinel release binaries are cryptographically signed; the Customer should verify the signature before deployment.
- Each release is accompanied by a Software Bill of Materials (SBOM) in a standard format (CycloneDX or SPDX).
- Source code and signed binary for each release are made available to the Customer through the Service's authenticated web interface, in accordance with the AGPL-3.0 licence (see Annex II.G).
- The Customer is responsible for deciding when to apply Sentinel updates.
E. Allocation of responsibility
| Responsibility | Customer | nocert |
|---|---|---|
| Choice of deployment location and host hardening | ✓ | |
| Network access control to the Sentinel host | ✓ | |
| Definition of the scan scope (subnets, ports) | ✓ | |
| Decision on Sentinel updates | ✓ | |
| Signed release binaries and SBOM | | ✓ |
| Source-code availability under AGPL-3.0 | | ✓ |
| Vulnerability advisories and best-effort patching | | ✓ |
| Integrity of the telemetry channel (RFC 9421) | | ✓ |
F. Modified or forked Sentinels
The Customer is free, under the AGPL-3.0, to modify or fork the Sentinel. nocert undertakes to process telemetry only insofar as it conforms to the documented protocol. nocert is not liable for the consequences of running a modified Sentinel, a fork, or any build produced from sources other than the official nocert releases, where such version produces invalid, missing, or unexpected data, or where it introduces security vulnerabilities that are not present in the official release.
Annex V — EU Standard Contractual Clauses
The Standard Contractual Clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "EU SCCs") are incorporated by reference into this DPA, without modification of the EU SCCs themselves, in the following modules:
- Module 2 (Controller to Processor) — for transfers in which the Customer acts as Controller and a Sub-processor outside the EEA acts as Processor under nocert's onward transfer;
- Module 3 (Processor to Sub-processor) — for transfers in which nocert acts as Processor and a Sub-processor outside the EEA acts as a further Sub-processor.
For each applicable module, the following completion is deemed to apply:
- Clause 7 (Docking clause): not applicable in the standard configuration.
- Clause 9 (Use of sub-processors): Option 2 (general written authorisation), with the 30-day notice and objection mechanism set out in Section 8 of this DPA.
- Clause 11 (Redress): the optional independent dispute resolution body is not elected.
- Clause 17 (Governing law): French law.
- Clause 18 (Choice of forum and jurisdiction): the courts of Saint-Nazaire, France, without prejudice to Clause 18(c) of the EU SCCs, under which Data Subjects may bring proceedings against the Data Exporter or the Data Importer before the courts of the Member State in which they have their habitual residence.
- Annex I.A (List of Parties): as set out in Annex I.A above.
- Annex I.B (Description of the transfer): as set out in Annex I.B above.
- Annex I.C (Competent supervisory authority): as set out in Annex I.C above (CNIL).
- Annex II (Technical and organisational measures): as set out in Annex II above.
- Annex III (List of sub-processors): as set out in Annex III above.
The UK Addendum to the EU SCCs issued by the UK Information Commissioner's Office is deemed incorporated by reference for transfers concerning UK Data Subjects. The Parties are deemed to have signed the UK Addendum at the same time as accepting this DPA.