This document constitutes the Data Processing Agreement ("DPA") under Article 28 GDPR between the Client (controller) and Freelance OS (processor), for the Personal Data processed under the service contract.
By subscribing to paid Freelance OS services, the Client accepts this DPA. An individually signed version is available on request at contact@freelance-os.fr.
1. Definitions
"Personal Data", "Data Subject", "Controller", "Processor", "Personal Data Breach" have the meanings given by GDPR.
2. Parties
- Controller: the Client identified in the service contract or invoice.
- Processor: MEIZ (EURL) (RCS Paris 854 034 683), publisher of Freelance OS, represented by Jean Saunie, contact@freelance-os.fr.
3. Subject matter
Freelance OS processes Personal Data on behalf of the Client to deliver the Kernel SaaS and member app, in accordance with the Client's documented instructions (workspace configuration, integration setup, content entered).
4. Duration
This DPA applies for the duration of the service contract. Certain obligations (confidentiality, deletion, audit) survive termination.
5. Nature, purposes and categories
| Aspect | Description |
|---|---|
| Nature of processing | Hosting, storage, transmission, content generation, analysis, orchestration of third-party APIs (ad platforms, OAuth providers) |
| Purposes | Provide services under the contract (Studio, Counsel, CRM, Workbench, Ads, etc.) |
| Data categories | Account identifiers, user content, billing data, invitee data, encrypted OAuth tokens, technical data, ad campaign data (configuration and aggregated metrics), advertising audiences, conversion events (CAPI), leads collected via Lead Ads |
| Categories of data subjects | Workspace members, Client prospects and customers, booking invitees, individuals targeted by or having interacted with ad campaigns managed via the Service |
6. Freelance OS obligations
Documented instructions
Freelance OS processes Personal Data only on the Client's documented instructions. Any instruction contrary to law will be flagged immediately.
Confidentiality
Persons authorized to process Personal Data are bound by contractual or statutory confidentiality.
Security
Freelance OS implements the Technical and Organizational Measures described in Annex TOMs (below).
Onward sub-processing
Freelance OS engages the sub-processors listed at /en/subprocessors. The Client grants general authorization for these existing sub-processors. Any substantial change will be notified 30 days in advance, with a 14-day Client objection right (with penalty-free termination).
Assistance
Freelance OS assists the Client, to the extent possible, in responding to data subject requests (access, rectification, erasure, portability), conducting DPIAs and consulting supervisory authorities if necessary.
Breach notification
In case of a Personal Data Breach affecting the Client, Freelance OS notifies the Client without undue delay, and at the latest within 72 hours of awareness, by email to the account's contact address. The notification describes the breach nature, the categories and approximate volume of data subjects, likely consequences and measures taken.
End of contract
At the end of the contract, at the Client's option, Freelance OS deletes or returns Personal Data within 30 days, except where retention is legally required (notably Counsel, 10 years).
Audit
Freelance OS makes available to the Client the information necessary to demonstrate compliance with this DPA. On reasonable request and 30-day notice, the Client (or an independent third-party auditor under NDA) may conduct an audit, at the Client's expense, except in case of urgency or substantiated suspicion of non-compliance.
7. Non-EU transfers
Transfers to sub-processors outside the EU are made under the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 3 (processor to processor) where applicable, complemented by the supplementary measures described in Annex TOMs.
8. Liability
Freelance OS's liability under this DPA is governed by the liability terms of the main service contract.
9. Applicable law
French law. Competent courts: Paris.
Annex TOMs: Technical and Organizational Measures
Technical measures
- In-transit encryption: TLS 1.3 on all public endpoints.
- At-rest encryption: AES-256 for Supabase database and object storage, AES-256-GCM for workspace secrets.
- Tenant isolation: Postgres Row Level Security (RLS) on 76+ tables. Every query is filtered by workspace_id and user membership.
- Authentication: TOTP MFA available, Supabase Auth sessions, refresh token rotation.
- Audit logs: sensitive operations are logged (auth, super_admin, RLS changes).
- Backups: daily Supabase backups, 7-day point-in-time recovery.
- Network security: no direct database exposure, access only via Supabase API and authenticated serverless functions.
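The tenant-isolation measure above relies on RLS policies that check both the row's workspace_id and the caller's membership. The following is an added illustration of that pattern, not Freelance OS's own schema or policies. It assumes a Supabase-style Postgres setup where auth.uid() returns the calling user's id and an `authenticated` role exists; the tables workspace_members and documents and the helper is_workspace_member are hypothetical names chosen for the example.

```sql
-- Added example: tenant isolation with Postgres RLS keyed on workspace_id
-- plus membership. Not Freelance OS's actual schema or policies.
-- Assumptions: auth.uid() (Supabase) returns the caller's user id;
-- the role "authenticated" is the role API requests run as.

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'admin', 'member')),
  primary key (workspace_id, user_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  body         text
);

-- Membership check reused by every tenant-scoped policy.
-- SECURITY DEFINER lets it read workspace_members without recursing
-- through that table's own RLS policy; search_path is pinned so the
-- definer context cannot be hijacked via a user-writable schema.
create or replace function is_workspace_member(ws uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from workspace_members m
    where m.workspace_id = ws
      and m.user_id = auth.uid()
  );
$$;

-- ENABLE turns RLS on; FORCE applies it to the table owner as well,
-- so an application role that happens to own the table gets no bypass.
alter table documents enable row level security;
alter table documents force row level security;

-- Weak variant (common mistake, left commented out): any authenticated
-- user may insert a row tagged with ANY workspace_id, so a member of
-- workspace A can plant data into workspace B.
-- create policy documents_insert_weak on documents
--   for insert to authenticated
--   with check (true);

-- Corrected: USING filters the rows the caller can read/update/delete,
-- WITH CHECK rejects inserts and updates whose workspace_id the caller
-- is not a member of. Both sides go through the same membership check.
create policy documents_member_isolation on documents
  for all
  to authenticated
  using (is_workspace_member(workspace_id))
  with check (is_workspace_member(workspace_id));

-- The membership table itself must not be writable through RLS by
-- ordinary members, or a user could grant themselves access to any
-- workspace. Members can read their own rosters; writes are left to a
-- privileged path (service role or a dedicated SECURITY DEFINER RPC).
alter table workspace_members enable row level security;
alter table workspace_members force row level security;

create policy members_read_own_workspaces on workspace_members
  for select
  to authenticated
  using (is_workspace_member(workspace_id));
```

To check a policy set like this, run a session as the `authenticated` role with the JWT claim that auth.uid() reads in your Supabase version set to a known user id, then confirm that `select * from documents` returns only rows from that user's workspaces and that an insert with a foreign workspace_id fails with a row-level security violation. Keep in mind that superusers and Supabase's service role bypass RLS entirely, which is why the "no direct database exposure" measure above is a precondition for RLS being a meaningful tenant boundary.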
Organizational measures
- Least privilege: access to Personal Data strictly limited to authorized persons.
- Confidentiality: contractual confidentiality undertaking for every collaborator or contractor.
- Incident policy: documented procedure for detection, qualification and notification of Personal Data Breaches.
- Periodic review: annual review of sub-processors, access and audit logs.
- Secure deletion: logical then physical purge at end of contract or on request, except legal retention.