Aller au contenu
wheremyflow
Connexion Démarrer gratuitement
Fonctionnalités Tarifs Comparatif Manifeste Aide Audit Contact Démo Connexion

wheremyflow — Data Processing Agreement (DPA)

GDPR Article 28 — Processing for audience measurement of [client-site]

Last update: 8 May 2026.

Pre-filled template downloadable from the Compliance tab of the dashboard. The generated document automatically inserts the client-site domain.

Between the undersigned

The Controller

[To be filled by the client: company name, legal form, registered office] [To be filled by the client: registration number] [To be filled by the client: represented by (name, position)]

Hereinafter referred to as "the Controller".

The Processor

| | | | ------------------------- | --------------------------------------- | | Company name | Frédéric GAVEAU EI (wheremyflow) | | Registered office | 6 rue du Chateau, 12190 Estaing, France | | Provider point of contact | contact@wheremyflow.com | | DPO | dpo@wheremyflow.com |

Hereinafter referred to as "the Processor".

Article 1 — Purpose

This agreement defines the conditions under which the Processor undertakes to carry out, on behalf of the Controller, processing operations of personal data related to audience measurement of the website [client-site].

Article 2 — Duration

This agreement takes effect on the date of its signature by both parties, for an indefinite duration. It may be terminated by either party with 30 days' notice given by registered letter with acknowledgment of receipt.

Article 3 — Description of processing

| | | | ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Nature of processing | Collection of audience measurement events, anonymization, aggregation, restitution as k-anonymous statistics under a graduated policy: exact global counters (no dimension), k=2 on URLs and events, k=5 on demographic categories (country/browser/OS/language/devices), k=10 on city and ≥3 dimension cross-tabulations. | | Purpose | Audience measurement of [client-site] under the consent exemption set out in the CNIL framework of 4 July 2025. | | Legal bases | Article 82 LIL (ePrivacy exemption); Article 6(1)(f) GDPR (legitimate interest). | | Categories of data subjects | Visitors of [client-site]. | | Types of data | Non-reversible HMAC-SHA256 visitor hash; page path (without query-string); referrer hostname; country/region/city (per configuration); browser family; OS; screen resolution bucket; language; session duration; scroll depth; whitelisted events (pageview, download, search, outbound, 404, 500). No IP address, no User-Agent, no full URL is stored. |

Scope of additional metrics (Netherlands AP clarification — Telecomwet art. 11.7a)

Session duration, scroll depth and whitelisted event metrics are collected solely to measure editorial performance and content usefulness for the Controller. They are never used to profile visitors nor to target advertising, and cannot be cross-referenced with third-party databases. As no name-based data nor IP address is stored, no individual identification is technically possible. This scope is explicitly documented to address the Autoriteit Persoonsgegevens (Netherlands) doctrine on the application of article 11.7a Telecomwet to audience measurement.

Article 4 — Processor obligations

In accordance with GDPR Article 28, the Processor:

  • Processes data only on documented instructions from the Controller.
  • Does not use the data for any purpose other than those defined in Article 3, and does not reuse them for its own account (service improvement, fraud prevention, model training, etc.).
  • Ensures that persons authorized to process the data are subject to a confidentiality obligation.
  • Implements all appropriate technical and organizational measures within the meaning of GDPR Article 32 (see Article 7 below).
  • Engages further sub-processors only under the conditions defined in Article 5.
  • Assists the Controller in fulfilling its obligation to respond to requests for the exercise of data subject rights.
  • Assists the Controller, taking into account the nature of the processing and the information at its disposal, in complying with the obligations set out in GDPR Articles 32 to 36 (security, breach notification, impact assessments, prior consultation).
  • Notifies the Controller of any data breach under the conditions set out in Article 8.
  • At the end of the service, deletes or returns all data at the Controller's choice (see Article 9).
  • Makes available to the Controller all information necessary to demonstrate compliance with GDPR Article 28.
  • Allows audits, including inspections, by the Controller or a third party mandated by it.

_Source: GDPR Article 28(3), points (a) to (h)._

Article 5 — Sub-processing

The Processor is authorized, by way of general written authorization, to engage the sub-processors listed below. In accordance with GDPR Article 28(2), the Processor informs the Controller of any planned change (addition or replacement of a sub-processor) with at least 30 days' notice, allowing the Controller to issue reasoned objections to such changes. In case of reasoned objection, the parties shall endeavor in good faith to find a solution; failing which the Controller may terminate the agreement without notice or compensation.

As of the signature date, the sub-processors are:

| Sub-processor | Role | Location | Certifications | | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- | | Clever Cloud SAS | Infrastructure hosting (app, PostgreSQL, blob) | Headquarters: 4 rue Voltaire, 44000 Nantes — datacenters in France (Paris and Roubaix regions) | ISO/IEC 27001:2022 (FR086307, 15 March 2024); HDS; ISO 9001 | | Eris Networks SAS (DB-IP) | IP geolocation database | 62 boulevard Jean Mermoz, 22700 Perros-Guirec, France | — | | Scaleway SAS | RGPD audit scan execution via Serverless Jobs (only the free public audit page /audit — outside client audience measurement flow) | Headquarters: 8 rue de la Ville l'Évêque, 75008 Paris — datacenters in France (Paris DC2/DC3/DC5) and Netherlands (Amsterdam) | ISO/IEC 27001; ISO/IEC 27017/27018; HDS; SecNumCloud (dedicated offers) |

Scaleway scope: triggered only when the Controller uses the free RGPD audit feature /audit offered by the Processor as a discovery tool. NOT involved in the standard audience measurement chain of the wheremyflow.com-tracker site. No audience measurement data covered by this DPA is transmitted to Scaleway.

No sub-processor is located outside the EU/EEA. No data transfer to a third country may occur without prior amendment to this agreement.

The Processor imposes on each sub-processor, by contract, the same data protection obligations as those set out in this agreement, in accordance with GDPR Article 28(4).

Article 6 — Data subject rights

The Processor assists the Controller in responding to data subject requests (access, rectification, erasure, portability, objection, restriction). Most of these rights are structurally respected by the architecture:

  • Right to object: Sec-GPC and DNT signals honored; local opt-out flag (localStorage.wml_optout); opt-out button or link to be integrated by the Controller into the site's privacy policy.
  • Right to erasure: immediate erasure button in the Compliance tab (CASCADE on all tables).
  • Right to portability: CSV/PDF export of all aggregated statistics available in the dashboard.

Article 7 — Security

In accordance with GDPR Article 32, the Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • TLS encryption of communications across the entire chain (ingest and dashboard).
  • Administrator authentication via Argon2id password hashes (OWASP 2024 parameters).
  • Anonymization via HMAC-SHA256 with monthly-rotated salt (retired salt atomically deleted at rotation, Plausible/Fathom doctrine — no way to re-hash after rotation), site component (site_id) and temporal component (day-of-date).
  • Application-level separation of ingest (public) and dashboard (authenticated) accesses.
  • Rate-limiting 50 requests/minute/IP on ingest (IP not stored).
  • Short retention of raw events (90 days).
  • Graduated k-anonymous aggregation server-side on all endpoints and exports: exact global counters, k=2 URLs/events, k=5 demographics, k=10 city and ≥3 dimension cross-tabulations.
  • Filtering of bots and crawlers upstream of audience measurement processing.
  • ISO/IEC 27001:2022 certified hosting (Clever Cloud, datacenters in France).

Article 8 — Data breach notification

In the event of a personal data breach, the Processor notifies the Controller without undue delay and, in any event, within a maximum of 48 hours of becoming aware of the incident, to enable the Controller to comply with its own 72-hour notification deadline towards the supervisory authority (GDPR Article 33).

Where the initial assessment of the breach is not complete within this period, the Processor sends a provisional notification within 24 hours of becoming aware of the incident, then completes its analysis as it progresses.

The notification includes:

  • the nature of the breach, including, where possible, the categories and approximate number of data subjects and data records concerned;
  • the name and contact details of the DPO;
  • the likely consequences of the breach;
  • the measures taken or proposed to remedy the breach and, where appropriate, mitigate its negative effects.

_Source: GDPR Articles 33 and 34._

Article 9 — End of processing

At the end of the service, on written instruction from the Controller and at its choice, the Processor:

  • (a) returns all data to the Controller or a third party designated by it, in a structured, commonly used and machine-readable format; or
  • (b) proceeds to definitive erasure of the data.

An erasure certificate is provided on request within 30 days.

Article 10 — Records of processing activities

The Processor keeps a record of all categories of processing activities carried out on behalf of the Controller, in accordance with GDPR Article 30(2). This record is made available to the supervisory authority on simple request.

Article 11 — Applicable law and jurisdiction

This agreement is governed by French law. Any dispute relating to its interpretation or performance falls within the exclusive jurisdiction of French courts.

Signatures

| | | | --------- | ------------------------------------------ | | Done at | [To be filled] | | On | [Date of signature] | | Originals | In two original copies, one for each party |

The Controller [To be filled by client: name, position, signature]

The Processor — Frédéric GAVEAU EI (wheremyflow) [To be filled: name, position, signature]

_Source: GDPR Article 28 and CNIL framework "Cookies: solutions for audience measurement tools", deliberation of 4 July 2025._