GDPR Compliance & Data Processing Agreement
Last Updated on January 21, 2026.
This document outlines our commitment to GDPR compliance and establishes the Data Processing Agreement between SAS MULTIPL and users of the DashLynk service.
Part A: GDPR Compliance Statement
1. Our Commitment to GDPR
SAS MULTIPL ("we", "us", "DashLynk") is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all applicable data protection laws. As a company headquartered in France, we operate under the supervision of the French data protection authority (CNIL).
2. Data Controller vs. Data Processor
Under GDPR, our role depends on the context:
| Context | Our Role | Your Role |
|---|---|---|
| Your Account Data (email, billing, usage) | Data Controller | Data Subject |
| Your Clients' Data (chat logs, end-user info) | Data Processor | Data Controller |
When you use DashLynk to manage chatbots for your clients, you are the Data Controller for your clients' personal data, and we act as your Data Processor under this Agreement.
3. GDPR Principles We Follow
We adhere to all GDPR principles as outlined in Article 5:
- Lawfulness, Fairness, and Transparency - We process data lawfully, fairly, and transparently.
- Purpose Limitation - We collect data only for specified, explicit, and legitimate purposes.
- Data Minimization - We process only the data necessary for the intended purpose.
- Accuracy - We take reasonable steps to ensure personal data is accurate and up to date.
- Storage Limitation - We retain data only as long as necessary for the processing purposes.
- Integrity and Confidentiality - We implement appropriate security measures to protect personal data.
- Accountability - We can demonstrate compliance with these principles.
4. Legal Basis for Processing (Article 6)
We process personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)) - To provide the DashLynk service and manage your account.
- Legitimate Interests (Art. 6(1)(f)) - For security, fraud prevention, and service improvement.
- Legal Obligations (Art. 6(1)(c)) - To comply with applicable laws (e.g., French accounting requirements).
- Consent (Art. 6(1)(a)) - For optional marketing communications and non-essential cookies.
5. Data Subject Rights
We respect and facilitate all data subject rights under GDPR:
| Right | GDPR Article | How We Support It |
|---|---|---|
| Right of Access | Art. 15 | You can request a copy of your personal data |
| Right to Rectification | Art. 16 | You can update inaccurate data via your account or by request |
| Right to Erasure | Art. 17 | You can delete your account and request data deletion |
| Right to Restriction | Art. 18 | You can request we limit processing in certain circumstances |
| Right to Data Portability | Art. 20 | You can export your data in a machine-readable format |
| Right to Object | Art. 21 | You can object to processing based on legitimate interests |
| Rights Related to Automated Decision-Making | Art. 22 | We do not engage in automated decision-making or profiling |
To exercise these rights, contact us at [email protected].
6. International Data Transfers
Your data is primarily hosted within the European Union (Amsterdam, Netherlands). When transfers outside the EEA are necessary (e.g., for certain sub-processors), we ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
- Additional safeguards as required by GDPR Chapter V
Part B: Data Processing Agreement (DPA)
Pursuant to GDPR Article 28
1. Preamble
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Principal Agreement") between SAS MULTIPL ("Processor") and the User/Agency ("Controller") regarding the use of the DashLynk services.
By using DashLynk to process Personal Data on behalf of your own clients, you agree to the terms of this DPA. This DPA is entered into pursuant to Article 28 of the GDPR and constitutes the written instructions from the Controller to the Processor.
2. Definitions
- "Controller": You, the Agency/User determining the purposes and means of processing personal data.
- "Processor": SAS MULTIPL (DashLynk), processing data on behalf of the Controller.
- "Personal Data": Any information relating to an identified or identifiable natural person (e.g., chat logs, emails, names).
- "Sub-processor": Any third-party service provider engaged by the Processor to process Personal Data.
- "Data Subject": An identifiable natural person whose Personal Data is processed.
- "Processing": Any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
3. Scope and Purpose of Processing
3.1. Subject Matter
The Processor shall process Personal Data on behalf of the Controller to provide the DashLynk white-label dashboard service.
3.2. Duration
Processing will continue for the term of the Principal Agreement (your subscription) and any applicable data retention period thereafter.
3.3. Nature and Purpose
- Storage, display, and management of chatbot conversation logs
- Facilitating communication between the Controller and their end-clients
- Providing analytics and reporting on chatbot interactions
3.4. Categories of Data Subjects
- The Controller's end-clients
- Users interacting with chatbots managed through DashLynk
3.5. Types of Personal Data
- Names and contact information (email addresses)
- IP addresses and approximate location data
- Conversation contents and chat history
- Any other data submitted through chatbot interactions
4. Obligations of the Processor
SAS MULTIPL agrees to:
4.1. Processing Instructions
Process Personal Data only on documented instructions from the Controller (i.e., via your use of the Dashboard features), unless required by applicable law. If we are required by law to process Personal Data, we will inform the Controller of that legal requirement before processing, unless prohibited by law.
4.2. Confidentiality
Ensure that all persons authorized to process Personal Data:
- Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Process the Personal Data only in accordance with the Controller's instructions
4.3. Security Measures (Article 32)
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience
- Ability to restore availability and access to Personal Data in a timely manner
- Regular testing, assessment, and evaluation of security measures
Full details are provided in Annex 2.
4.4. Sub-processing
- Obtain prior general authorization from the Controller to engage Sub-processors (hereby granted)
- Maintain a list of current Sub-processors (see Section 6.2 of this document)
- Inform the Controller of any intended changes to Sub-processors with at least 14 days' notice
- Ensure Sub-processors are bound by the same data protection obligations as set out in this DPA
4.5. Data Subject Assistance
Assist the Controller, insofar as possible, in fulfilling its obligation to respond to requests for exercising Data Subject rights, including:
- Access requests
- Rectification requests
- Erasure requests ("Right to be forgotten")
- Data portability requests
- Restriction or objection requests
4.6. Security Incident Assistance
Assist the Controller in ensuring compliance with security obligations, data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities (Articles 32-36 GDPR).
4.7. Data Breach Notification
Notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a Personal Data breach affecting the Controller's data. The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
4.8. Data Deletion or Return
At the choice of the Controller, upon termination of the Principal Agreement:
- Delete all Personal Data and existing copies, unless EU or Member State law requires storage; or
- Return all Personal Data to the Controller in a commonly used, machine-readable format (JSON or CSV)
The Controller may request data return or deletion by contacting [email protected].
5. Obligations of the Controller
The Controller agrees to:
- Ensure that Personal Data is collected and processed in compliance with applicable data protection laws.
- Provide lawful processing instructions to the Processor.
- Obtain all necessary consents from Data Subjects where required.
- Inform the Processor of any relevant Data Subject requests or inquiries.
- Maintain appropriate records of processing activities under its responsibility.
6. Sub-processors
6.1. General Authorization
The Controller grants general authorization to the Processor to engage Sub-processors for the performance of the Service.
6.2. Current Sub-processors
The following is the authoritative list of Sub-processors we use to deliver the Service:
| Sub-processor | Location | Purpose |
|---|---|---|
| Railway | Amsterdam, Netherlands | Application hosting and storage infrastructure |
| MongoDB | Frankfurt, Germany | Database storage and management |
| Cloudflare | Global (EU jurisdiction) | CDN, security protection, and storage |
| Loops.so | United States | Transactional emails and account communications |
| Google Analytics | United States | Website usage tracking and analytics |
| Stripe | United States / Global | Payment processing and subscription management |
6.3. Changes to Sub-processors
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 14 days before such changes take effect.
The Controller may object to such changes on reasonable data protection grounds within 14 days of notification. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected services.
7. International Transfers
Data is primarily hosted within the European Union (Amsterdam, Netherlands).
If Personal Data is transferred to a country outside the European Economic Area (EEA):
- Such transfer shall be protected by appropriate safeguards as required by GDPR Chapter V
- This includes EU Standard Contractual Clauses (SCCs) for transfers to Sub-processors in the US
- The Processor shall ensure that the third country provides adequate protection or that appropriate safeguards are in place
8. Audit Rights
8.1. Information Access
Upon written request, the Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28.
8.2. Audits and Inspections
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to:
- Reasonable advance notice (minimum 30 days)
- Confidentiality obligations
- The audit being conducted at the Controller's expense
- The audit not disrupting the Processor's operations
9. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement (Terms of Service), except that nothing in this DPA shall limit either party's liability for:
- Breaches of its confidentiality obligations
- Its indemnification obligations
- Violations of applicable data protection laws
Annex 1: Details of Processing
| Element | Description |
|---|---|
| Subject Matter | Provision of the DashLynk white-label dashboard service |
| Duration | The term of the Principal Agreement (Subscription) plus applicable retention periods |
| Nature and Purpose | Storage, display, and management of chatbot conversation logs; facilitating Controller-client communications |
| Categories of Data Subjects | The Controller's end-clients and users interacting with chatbots |
| Types of Personal Data | Names, email addresses, IP addresses, location data, conversation contents |
| Special Categories of Data | None intentionally processed; Controller must not submit sensitive data without prior arrangement |
Annex 2: Technical and Organizational Security Measures
The Processor implements the following measures to ensure data security in accordance with GDPR Article 32:
1. Encryption
| Measure | Implementation |
|---|---|
| Data at rest | AES-256 encryption |
| Data in transit | TLS 1.2 or higher (SSL certificates) |
| Database encryption | Encrypted at rest via cloud provider |
2. Access Control
| Measure | Implementation |
|---|---|
| Authentication | Multi-factor authentication (MFA) required for all staff |
| Authorization | Role-based access control (RBAC) with principle of least privilege |
| Access logging | All access to production systems is logged and monitored |
| Password policy | Strong password requirements enforced |
3. Availability and Resilience
| Measure | Implementation |
|---|---|
| Backups | Regular automated backups with point-in-time recovery |
| Redundancy | Redundant infrastructure across availability zones |
| Disaster recovery | Documented disaster recovery procedures |
| Uptime monitoring | 24/7 monitoring with automated alerting |
4. Vulnerability Management
| Measure | Implementation |
|---|---|
| Patching | Regular security updates and patching of all systems |
| Code review | Security-focused code reviews before deployment |
| Dependency scanning | Automated scanning of dependencies for vulnerabilities |
| Penetration testing | Periodic security assessments |
5. Organizational Measures
| Measure | Implementation |
|---|---|
| Confidentiality agreements | All personnel bound by confidentiality obligations |
| Training | Regular data protection and security awareness training |
| Incident response | Documented incident response procedures |
| Data protection policies | Internal policies governing data handling |
Contact
For any questions about this GDPR Compliance Statement or Data Processing Agreement, please contact:
SAS MULTIPL
10 rue de la Bourse
75002 Paris, France
Email: [email protected]