Data Processing Addendum (DPA)

Version: dpa-v1-2026-04 — Last updated: 30 April 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Customer (the "Controller") and Continuum Identity SAS (the "Processor") and is required under Article 28 of the GDPR. By signing up for a Continuum Business Trial or Subscription, the Customer accepts this DPA in full. A timestamped copy is recorded at the moment of acceptance.

1. Parties

Controller: the Customer subscribing to the Service. Processor: Continuum Identity SAS, 200 rue de la Croix Nivert, 75015 Paris, France.

2. Subject matter and duration

Subject matter: provision of the Continuum Business SaaS. The Processor processes personal data on behalf of the Controller for the duration of the Subscription, plus a transition period of 30 days for export.

3. Processing on documented instructions

The Processor processes Personal Data only on the documented instructions of the Controller, including instructions provided through the Service's standard configuration. Any processing required by EU or Member State law is notified to the Controller before being performed, unless prohibited.

4. Confidentiality

Persons authorised to process Personal Data are bound by confidentiality obligations (employment contract or separate NDA). Access is granted on a need-to-know basis with just-in-time elevation.

5. Security of processing (art. 32)

The Processor implements technical and organisational measures appropriate to the risk:

• Encryption: TLS 1.3 in transit, AES-256 at rest, encrypted backups.
• Access control: RBAC with hierarchies, optional 2FA, audit log.
• Tenant isolation: PostgreSQL row-level security.
• Backups: daily, encrypted, 30-day retention.
• Vulnerability management: Dependabot, dependency scanning, annual pen-test (planned 2027).
• Incident response: documented playbook, on-call rotation.

Detailed measures at /security.

6. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed at /sovereignty. The Processor notifies the Controller of any new sub-processor 30 days before engagement, allowing the Controller to object on reasonable grounds.

7. International transfers

By default, Personal Data is hosted in Switzerland. Sub-processors operating from outside Switzerland or the EU are bound by Standard Contractual Clauses (SCC, 2021/914) and, where applicable, the EU-US Data Privacy Framework. Customers may request EU-only or France-only data residency on Enterprise tiers.

8. Assistance with data subject rights

The Processor assists the Controller in fulfilling data subject rights (access, rectification, erasure, restriction, portability, objection) by providing self-service export and deletion tools, and by responding to direct requests within 5 working days.

9. Personal data breach notification

The Processor notifies the Controller without undue delay (within 24 hours of confirmation) of any Personal Data Breach, providing all information required under Article 33(3) GDPR to assist the Controller's reporting obligations.

10. Audit rights

The Controller may audit the Processor's compliance once per year on reasonable notice. The Processor provides standardised documentation (CAIQ questionnaire, pen-test summaries, ISO 27001 certificate when available — target Q4 2026) to satisfy most audit requests without on-site visits.

11. Return or deletion of data

On termination of the Subscription, the Processor provides full data export in standard formats (CSV, JSON, PDF) for 30 days. Data is then deleted from production systems within 30 days and from backups within 90 days, except where retention is required by law.

12. Liability

Liability under this DPA is governed by the corresponding clause of the Terms of Service, except where mandatory law (e.g. GDPR penalties) imposes otherwise.

Questions on this DPA? Contact our DPO at dpo@continuum-business.com.