Effective date: 23 October 2025

Last updated: 23 October 2025

Download or access the document at any time here.

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the master Service Agreement, Statement(s) of Work, order form(s), proposal(s), or any other contract between the parties that references this DPA (collectively, the “Agreement”).

This DPA becomes legally binding upon the Client once the Service Agreement is signed and payment has been received by NoFurther Systems SAS.

PARTIES

Client (Controller): Full legal name, jurisdiction and registration no. with registered address found on the Agreement documents (“Client” or “Controller”).
NoFurther Systems SAS (Processor): a société par actions simplifiée registered in France (SIREN 989 403 449), registered address: 60 Rue François 1er, Paris, France, email: [email protected] (“NoFurther” or “Processor”).

Each a “Party”, together the “Parties.”

1. DEFINITIONS

Unless defined otherwise herein, capitalized terms have the meaning given in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

- Applicable Data Protection Law: all laws and regulations concerning data protection and privacy, including the GDPR, UK GDPR and Data Protection Act 2018, the Swiss FADP, the ePrivacy Directive, and the CCPA/CPRA where applicable.

- Business Day: any day other than a Saturday, Sunday, or public holiday in Paris, France.

- Client Systems: any systems, accounts, or platforms owned or controlled by the Client, including Google Ads, Meta Business Manager, LinkedIn Campaign Manager, TikTok Ads, Google Analytics, GoHighLevel/LeadConnector, Twilio/WhatsApp, Stripe, Wistia/Vimeo, calendars, CMS/hosting, or domain registrars.

- Personal Data: any information relating to an identified or identifiable natural person that is processed by NoFurther on behalf of the Client.

- Restricted Transfer: a transfer of Personal Data from the EEA/UK/Switzerland to a third country not deemed adequate under applicable law.

- Security Incident: any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

- “Client” means the person or entity identified in the Service Agreement only once both of the following have occurred:
(a) the Service Agreement (including any Order, SOW, or proposal that incorporates it) has been duly signed or accepted by the person or entity (including via electronic acceptance workflow); and
(b) NoFurther Systems SAS has received the first payment due under that Agreement (including via card, bank transfer, Stripe, or other approved method).
Until both (a) and (b) are completed, the person or entity is a prospective client and NoFurther has no obligation to perform the Services.

- “Effective Date” means the date on which both (i) the Agreement is signed/accepted by the Client and (ii) the first payment is received by NoFurther. The Effective Date is a condition precedent to NoFurther’s performance.

2. ROLES AND NATURE OF PROCESSING

2.1 Roles. Client acts as Controller; NoFurther acts as Processor regarding all Personal Data processed under the Agreement.

2.2 Independent Controller Activities. NoFurther may act as an independent Controller for internal business operations such as billing, security, and compliance — governed separately by NoFurther’s Privacy Policy.

2.3 Instructions. NoFurther processes Personal Data only on documented instructions from the Client, including transfers to third countries, unless legally required otherwise.

2.4 Scope of Processing. The scope, nature, purpose, categories, and duration of processing are detailed in Annex I.

3. ACCESS TO CLIENT SYSTEMS; AGENCY ACCESS; LEAST PRIVILEGE

3.1 Grant of Access. Client may grant NoFurther access through user accounts, role-based permissions, SSO, API keys, or agency access links for third-party platforms (Google, Meta, LinkedIn, TikTok, GoHighLevel, Twilio, Stripe, etc.), solely for service execution.

3.2 Use Restrictions. NoFurther will access Client Systems only as necessary, apply least-privilege principles, not modify billing or ownership settings, and comply with platform terms.

3.3 Emergency Access. In emergencies (e.g., ad account suspension, security threat), NoFurther may take proportionate actions within authorized scope and will inform the Client promptly.

3.4 Access Logs. NoFurther maintains logs of administrative access where feasible.
Upon written request, NoFurther shall provide an access log within 40 Business Days, excluding other clients’ data and platform-restricted details.

4. CONFIDENTIALITY AND PERSONNEL

NoFurther ensures all personnel accessing Personal Data are bound by confidentiality, trained in data protection, and only authorized if necessary for service delivery.
Background checks may be performed where appropriate.

5. SECURITY OF PROCESSING

NoFurther implements and maintains industry-standard technical and organizational measures (TOMs) described in Annex II, including:

- Encryption (TLS 1.2+ in transit, AES-256 at rest);

- Multi-factor authentication (MFA) for privileged accounts;

- Data segregation per client;

- Business continuity and disaster recovery plans.

6. PERSONAL DATA BREACH RESPONSE

In case of a Security Incident, NoFurther shall notify the Client without undue delay (within 72 hours), including known details and mitigation steps.
NoFurther will cooperate fully and take all reasonable steps to contain and remedy the breach.

7. DATA SUBJECT RIGHTS AND DPIAs

NoFurther assists the Client in handling data subject requests (access, rectification, deletion, portability, etc.) and performing Data Protection Impact Assessments (DPIAs) when required.
NoFurther will not respond directly to individuals unless legally required.

8. SUB-PROCESSORS

8.1 Authorization. Client authorizes NoFurther to use Sub-Processors (see Annex III) for services such as cloud hosting, CRM, messaging, analytics, and AI automation.

8.2 Obligations. All Sub-Processors are bound by contracts offering equal or higher protection than this DPA.

8.3 Notification. NoFurther will give 10 Business Days’ notice before adding or replacing a Sub-Processor.
Clients may object on reasonable data protection grounds. If unresolved within 30 days, Client may terminate the affected service portion with a pro-rata refund.

9. INTERNATIONAL TRANSFERS

Transfers of Personal Data outside the EEA/UK/Switzerland will rely on:

- Adequacy decisions, or

- EU Standard Contractual Clauses (2021/914) (Modules 2 and 3),

- UK International Data Transfer Addendum, or

Swiss Addendum.

These clauses are incorporated by reference and deemed executed between the Parties.

10. RETENTION, RETURN, AND DELETION

NoFurther retains Personal Data only as long as necessary.
Upon termination or Client request, NoFurther shall return or securely delete all Personal Data within 30 days, unless legally required to retain it, and may certify deletion upon request.

11. AUDIT AND COMPLIANCE

NoFurther maintains records of processing activities and will provide reasonable information for compliance verification.

Clients may conduct audits:

With 30 days’ prior notice,

- Once per 12 months,

- During business hours,

- Without disrupting operations.

Clients bear their own audit costs.

12. CCPA/CPRA (CALIFORNIA)

Where applicable, NoFurther acts as a Service Provider under the CPRA and:

Will not sell, share, or use Personal Information for other purposes;

Will not combine Client data with data from other sources, except as permitted by law;

Will inform the Client if it can no longer meet its obligations.

13. CLIENT RESPONSIBILITIES

The Client is responsible for:

- Having a lawful basis and proper consent;

- Providing transparent privacy notices;

- Ensuring data accuracy;

- Securing its own credentials and environments;

- Avoiding transmission of sensitive or children’s data without written agreement.

14. LIABILITY AND INDEMNITY

Each Party is liable for its own violations of this DPA or applicable law, subject to the limitations of liability in the Service Agreement.

15. MISCELLANEOUS

Conflicts: This DPA prevails over conflicting terms in the Agreement on data protection matters.

Amendments: Updates require written agreement, except Sub-Processor changes per Section 8.

Severability: Invalid provisions do not affect the remaining clauses.

Governing Law: The governing law and jurisdiction are those defined in the Service Agreement.

Priority: In cross-border cases, the Standard Contractual Clauses prevail where applicable.

16. CONTACTS

Client Privacy Contact: CARL SOUHAIT
NoFurther Systems SAS Privacy Contact: [email protected],

60 RUE FRANÇOIS 1ER, 75008 PARIS FRANCE

ANNEX I — DESCRIPTION OF PROCESSING

Data Exporter (Controller): Client
Data Importer (Processor): NoFurther Systems SAS

Subject Matter: Provision of AI-powered client acquisition, lead management, CRM orchestration, and analytics services.
Duration: Term of Agreement + 30 days for offboarding or legal retention.
Nature and Purpose: Collecting, storing, analyzing, and managing customer and lead data to perform agreed marketing and automation services.

Categories of Data Subjects:

-Leads and prospects;

- Customers;

- Client staff and users;

- Other individuals connected to the Client’s operations.

Personal Data Types:

- Names, emails, phone numbers, job titles, IP addresses, cookies, session data, chat logs, appointment times, CRM fields, payment metadata (non-PCI), analytics data.

Special categories and minors’ data are not intended and must be pre-approved in writing.

Transfers: Continuous, as required to perform the Services.
Supervisory Authority: CNIL (France), unless otherwise agreed.

ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

Governance: Privacy/security lead; employee NDAs; annual training.

Access Control: Least privilege, MFA, periodic review, credential vaulting.

Encryption: TLS 1.2+ in transit, AES-256 at rest.

Network Security: Firewalls, patch management, vulnerability scanning.

Application Security: Code reviews, pen testing, dependency management.

Data Management: Regular backups, pseudonymization, retention control.

Monitoring & Response: Centralized logging, incident procedures, 12-month log retention.

Vendor Management: Due diligence, contractual safeguards, periodic reassessment.

Client-Specific Options: IP allowlisting, custom audit reports, DLP, masking.

Privacy by Design: Default minimization and segregation of data.

ANNEX III — SUB-PROCESSORS

Hosting: AWS, GCP, or Azure

CRM: GoHighLevel / LeadConnector

Messaging: Twilio (including WhatsApp)

Payments (metadata only): Stripe

Advertising Platforms: Google, Meta, LinkedIn, TikTok

Analytics/Video: Wistia, Vimeo, Google Analytics

Collaboration: Slack, Notion, Google Workspace

AI Providers: OpenAI, Anthropic, or similar

A detailed registry (with processing location and safeguards) is maintained internally and provided upon request.

ANNEX IV — ACCESS TO CLIENT SYSTEMS

Client may grant access via partner or API credentials.

NoFurther will not alter billing, ownership, or export full data without authorization.

All significant account changes will be logged or annotated.

Website updates occur in staging where available, with backups kept.

Credentials are deleted or returned at the end of the engagement.

ANNEX V — STANDARD CONTRACTUAL CLAUSES

The EU Standard Contractual Clauses (2021/914) apply by incorporation:

Module 2 (Controller→Processor) and Module 3 (Processor→Sub-Processor).

Clause 9(a): General authorization, 10-day notice.

Clause 17: Governing law of France.

Clause 18: Jurisdiction in Paris, France.

Annexes I–III complete the SCC Appendices.

UK and Swiss Addenda apply where relevant.

EXECUTION

This DPA becomes binding upon:

The Client’s signature of the Service Agreement, and

The Client’s initial payment to NoFurther Systems SAS.