Data Processing Agreement
Last updated: December 2025
This data processing agreement (hereinafter the "Data Processing Agreement" or "DPA") is made by and between GETPULSE SAS, a simplified joint stock company established under the laws of France, with a share capital of EUR 20,000, registered under number 991 305 160 RCS Paris, whose registered office is located at 26, rue Surcouf 75007 Paris - France ("GOODWEEK") and the customer (the "Customer" or "You") whose contact details appear on the dated and signed subscription form (the "Subscription Form"), whereby GOODWEEK has granted the Customer the right to use the Solution, in accordance with GOODWEEK's Terms.
GOODWEEK and the Customer shall hereinafter be referred to collectively as the "Parties" and individually as a "Party".
Preamble
GOODWEEK has designed, developed and owns an original software platform enabling its users to exchange information using synthetic tools based on its, and various artificial intelligence solutions (the "Solution").
GOODWEEK and the Customer have entered into an agreement for the provision of the Solution and associated services to the Customer and its End Users (the "Terms") and, in connection with requirements of such Terms, GOODWEEK may have to process certain personal data on behalf of the Customer.
Pursuant to Data Protection Laws (as defined below), GOODWEEK and the Customer have to enter into a written agreement setting out the rights and obligations with regard to the processing of Personal Data.
Therefore, the Parties have agreed to enter into this Data Processing Agreement to set out the details and provision of the Solution in accordance with the Data Protection Laws.
Article 1 – Definitions
In this Data Processing Agreement, the terms and expressions preceded with a capital letter shall have the meaning set forth in the Terms or as follows:
"Personal Data" means all personal data (as defined by Data Protection Laws) used by the Customer with the Solution;
"Data Controller" has the meaning given to that term (or to the term "controller") in Data Protection Laws. As per the terms of this Data Processing Agreement, the Data Controller is the Customer;
"Data Processor" has the meaning given to that term (or to the term "processor") in Data Protection Laws. As per the terms of this Data Processing Agreement, the Data Processor is GOODWEEK;
"Data Protection Laws" means all applicable law binding on the Customer and GOODWEEK in relation to the Solution under the Terms including: (i) the GDPR and/or any corresponding or equivalent national laws or regulations; and (ii) in member states of the European Union, all relevant laws or regulations giving effect to or corresponding with the GDPR;
"Data Subject" has the meaning given to that term in Data Protection Laws;
"Data Subject Request" means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
"EEA" means the European Economic Area;
"GDPR" means the General Data Protection Regulation (EU) 2016/679;
"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data;
"Personnel" means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel;
"Processing" has the meaning given to that term in Data Protection Laws (and related terms such as "Process" or "Processed" have corresponding meanings);
"Sub-Processor" means another Data Processor engaged by GOODWEEK on behalf of the Customer for carrying out processing activities in respect of the Personal Data.
"Supervisory Authority" means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Any other defined terms used in this Data Processing Agreement shall have the meaning ascribed to them in the main body of the Terms.
Article 2 – Purpose of the Data Processing Agreement
The purpose of this Data Processing Agreement is, as per the terms of Data Protection Laws, to set out the terms relating to the Processing of Personal Data in the course of the use of the Solution. This Data Processing Agreement applies only to the extent that Processed Personal Data originates from the EEA and/or is otherwise subject to Data Protection Laws.
Article 3 – Data processing provisions
The Parties agree that, in respect of Personal Data used in the course of the use of the Solution, the Customer shall be the Data Controller, defining solely which Personal Data shall be used with the Solution and for which purposes, and GOODWEEK shall be the Data Processor, acting only on behalf of the Customer and as per the Customer's instructions.
It is acknowledged that the Customer shall have sole responsibility for the accuracy, quality, integrity and reliability of any Personal Data and of the means by which it acquired such Personal Data.
The Customer warrants, represents and undertakes, that: (i) all Personal Data used in connection with the Solution under the Terms shall comply in all respects with Data Protection Laws; (ii) all instructions given by it to GOODWEEK in respect of Personal Data shall at all times be in accordance with Data Protection Laws; (iii) it has obtained all necessary consents from any Data Subject whose personal data is included within the Personal Data or otherwise has the appropriate legal permission to provide the Personal Data to GOODWEEK; and (iv) it will comply with the terms of this Data Processing Agreement.
GOODWEEK warrants, represents and undertakes, that it shall (i) process the Personal Data only to the extent necessary in connection with the Terms; (ii) process the Personal Data in accordance with the Customer’s documented instructions and the requirements of Data Protection Laws; (iii) promptly inform the Customer if GOODWEEK considers that the Customer’s instructions infringe Data Protection Laws, or if GOODWEEK becomes unable to comply with Customer's instructions regarding the processing of Personal Data (whether as a result of a change in applicable law, or a change in Customer’s instructions); and (iv) comply with the terms of this Data Processing Agreement.
Article 4 - Instructions and details of processing
The Processing of Personal Data to be carried out by GOODWEEK under this Data Processing Agreement shall comprise the Processing set out in Annex 1 (Data Processing Details) as may be updated from time to time by agreement between the Parties but which shall be limited to the provision of the Solution in the Terms.
Article 5 - Technical and organizational measures
GOODWEEK shall implement and maintain, at its cost and expense, appropriate technical and organizational measures in relation to the Processing and security of Personal Data in accordance with Data Protection Laws and in accordance with Articles 32-34 of the GDPR in particular.
GOODWEEK shall ensure that such technical and organizational measures are appropriate to the particular risks that are presented by its Processing activities, in particular to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access.
Customer acknowledges that such security measures are subject to technical progress and evolution and that GOODWEEK may update or modify the security measures from time to time provided that such updates and modifications maintain a similar or higher level of protection of the overall security of the Solution.
GOODWEEK shall implement and maintain, at its cost and expense, the technical and organizational measures as set out in Annex 2 which are subject to technical progress and further development. In this respect, GOODWEEK may implement alternative adequate measures without notification to the Customer. The security level of the technical and organizational measures will not be reduced, and substantial changes will be documented by GOODWEEK and shown to Customer upon request.
Article 6 – Customer's Responsibility
The Customer is responsible for its secure use of the Solution. It is the Customer's responsibility to implement technical or organizational measures in relation to its Data including as regards its configuration of the Solution, and, notably, to back up and archive appropriately its Data in order to restore availability and access to such Data in a timely manner in the event of a physical or technical incident; and to take any appropriate measure to manage access to, securely encrypt, anonymize or pseudonymize any Personal Data uploaded to the Solution.
Article 7 - Sub-processors
7.1 GOODWEEK shall not subcontract all or part of the Processing of Personal Data to another entity without the written authorization of the Customer.
7.2 GOODWEEK undertakes to impose on any Sub-Processor obligations substantially similar to those set out in this Data Processing Agreement, by including these obligations in the agreement which will be concluded between GOODWEEK and any authorized Sub-Processor. In particular, the agreement must include an obligation for the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Applicable Data Protection Laws.
7.3 The Customer hereby grants GOODWEEK a general authorization to engage Sub-Processors for the performance of the processing activities described in this Data Processing Agreement. The current list of approved Sub-Processors engaged by GOODWEEK is set out in Annex 3 (the “List of Sub-Processors”). GOODWEEK shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors in a timely manner, thereby giving the Customer the opportunity to object to such changes.
7.4 It is understood by the Parties that when the Customer chooses to use the Solution in "non hosted mode", GOODWEEK shall provide the Services in an open environment, meaning that, in this case, Customer shares its Personal Data with the relevant AI Models and GOODWEEK is not responsible for the operation of the AI Models provided by third parties and that GOODWEEK provides no warranty in this regard. It is therefore understood that AI Models are not Sub-Processors and the processing of Customer’s personal data shall be governed by the data processing agreement between the Customer and relevant AI Model.
If the Customer chooses to use the Solution in "hosted mode", GOODWEEK shall provide the Services through its own cloud solutions providers, as listed in Annex 3, meaning that GOODWEEK shall not share Personal Data with selected AI Models providers. Nevertheless, some Personal Data may be shared with AI Models depending on how the Solution is configured by the Customer and how the Solution is used, if the requests or prompts from the End-Users themselves contain Personal Data, and if these requests or prompts require an open web search. In such circumstances these requests or prompts (and any Personal Data they may contain) are shared with the relevant AI Models (listed in Annex 3) but excluding Personal Data relating to End-Users or to the Customer, it being noted that the relevant AI Models shall not retain any Personal Data nor any requests or prompts (zero retention mode).
Article 8 - Assistance with the Customer’s compliance and Data Subject rights
GOODWEEK shall promptly refer all Data Subject Requests it receives to the Customer. GOODWEEK shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of Processing and the information available to GOODWEEK) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to: (i) the security of Processing; (ii) data protection impact assessments (as such term is defined in Data Protection Laws); (iii) prior consultation with a Supervisory Authority regarding high risk Processing; and (iv) notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach, provided that, in the event that such assistance is disproportionate in time and resources to GOODWEEK, Customer shall pay GOODWEEK’s fees for providing such assistance.
Article 9 - International data transfers
GOODWEEK shall not transfer Personal Data outside the EEA or outside a third country which the European Commission considers has an adequate level of protection, without prior consent of Controller. In any event, the Parties shall comply with any requirement of Applicable Laws before accessing Personal Data from or transferring Personal Data to a country or area different from the country or area in which it was collected or otherwise Processed.
The Solution clearly indicates the AI Models for which, on an exceptional basis, data may be processed outside the EEA (even with the same cloud service provider that operates other AI Models), so that the Customer can easily deselect the AI Model in question to ensure that its Personal Data are not exported outside the EEA or a country offering equivalent protection.
In all cases, and in the event of data transfer outside the EEA or a country offering equivalent protection, GOODWEEK shall ensure that such transfer complies with Applicable Laws.
Article 9 - Records, information and audit
GOODWEEK shall: (i) create; (ii) keep up-to-date; and (iii) maintain full and accurate records relating to all Processing of Personal Data.
GOODWEEK shall grant to the Customer the right of audit, no more than once (1) per calendar year and on a minimum of 30 (thirty) days written notice, during normal business hours and subject to reasonable confidentiality undertakings being given, to access and take copies of such records relating to Processing of Personal Data and shall provide all reasonable assistance to the Customer in exercising its audit rights.
This audit right shall not extend to any third-party data center or other third-party facility housing any server equipment where only visual and accompanied inspection is permitted. In any calendar year, the Customer may conduct an additional audit in case of a Personal Data Breach or upon request by a Data Protection Authority.
GOODWEEK shall at the Customer’s request promptly provide the Customer with all information necessary to enable the Customer to demonstrate compliance with its obligations under Data Protection Laws, to the extent that GOODWEEK is able to provide such information.
Article 10 - Breach notification
In respect of any Personal Data Breach, GOODWEEK shall, without undue delay: (i) notify the Customer of the Personal Data Breach; and (ii) provide the Customer with details of the Personal Data Breach and the steps GOODWEEK has taken (or is proposing to take) to remedy the Personal Data Breach.
Article 11 - Deletion or return of Personal Data and copies
If GOODWEEK has any knowledge of and/or any control over the Personal Data, GOODWEEK shall, at the Customer’s written request, either delete or return all the Personal Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the earlier of: (i) the end of the provision of the relevant Services under the Agreement related to Processing; or (ii) once Processing by GOODWEEK of any Personal Data is no longer required for the purpose of GOODWEEK’s performance of its relevant obligations under this Data Processing Agreement, and delete existing copies (unless storage of any Personal Data is required by applicable law and, if so, GOODWEEK shall inform the Customer of any such requirement).
GOODWEEK shall procure that its Sub-Processors shall undertake the same actions with regard to Personal Data.
In the event that Personal Data remains within GOODWEEK’s possession or control for any period longer than 12 (twelve) months without any active instructions from the Customer, GOODWEEK shall delete such Personal Data.
Article 12 – Indemnity
Each Party (the "Indemnifying Party") shall indemnify and keep indemnified the other Party (the "Indemnified Party") in respect of all claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages suffered or incurred by, awarded against or agreed to be paid by, the Indemnified Party arising from or in connection with the Indemnifying Party’s non-compliance with this Data Processing Agreement and/or breach of Data Protection Laws.
Article 13 – Liability
The total liabilities of either Party under this Data Processing Agreement shall in no event exceed the contractual limits set out and agreed in the Terms.
Article 14 - Term and Termination
Unless terminated by agreement of the Parties, this Data Processing Agreement shall commence on the Effective Date and continue in force for so long as GOODWEEK continues to process Personal Data pursuant to the Terms.
Article 15 – GOODWEEK's DPO's references
GOODWEEK has appointed a Data Protection Officer, whose contact information is: David Masson, GOODWEEK SAS, 19 rue de Wissembourg, 67000 Strasbourg, France; privacy@goodweek.com
ANNEX 1
DATA PROCESSING DETAILS
Data subjects: any individual whose Personal Data are used within the Solution by an End-User
Customer Personal Data Categories: any kind of Personal Data that an End-User decides to use within the Solution
Nature and Purpose: the nature and purpose of the processing of Customer Personal Data is to provide the Solution and the associated Services as per GOODWEEK's terms.
Duration: the duration of the Processing corresponds to the term of the Terms.
Processing Operations: the personal data transferred will be subject to the following basic processing activities: collection, consultation, semi-automatic and/or automatic processing, extraction, conservation, storage, analysis, deletion, hosting.
ANNEX 2
TECHNICAL AND ORGANIZATIONAL (SECURITY) MEASURES
Measures of pseudonymisation and encryption of personal data
All our APIs and web interface can only be accessed via HTTPS, encrypted by TLS, with access controlled by a secret API key.
All external HTTP communications are protected by TLS 1.2 as a minimum.
All databases have encryption at rest enabled. The algorithm used is aes-xts-plain64 with a key size of 256 bits and hashed using SHA-256. This method is considered secure and standard in the industry. To reduce the attack surface, each instance of each database has its own cryptographic key to protect its data. The keys are stored in a database which is encrypted and protected by authentication.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
2FA is enforced on all systems that allow it
We implement multi-layered network security controls to protect customer data. Production systems and sensitive resources are accessed through encrypted, authenticated channels (SSH tunnels), ensuring data confidentiality and integrity in transit.
A stateful firewall infrastructure is being deployed at the Internet entry point of the company’s cloud network to mitigate known and ongoing threats. All inbound and outbound traffic is restricted to that which is required for the personal data environment. All inbound network traffic is blocked by default, unless explicitly allowed.
We maintain network segmentation between any wireless networks and the personal data environment, and implement additional isolation between development, staging, and production systems.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Security policies in place: information security policy, incident response plan, data breach policy, Business Continuity and Disaster Recovery plan Policy (BCDR)
Annual tabletops to test the incident response plan and BCDR policy
Backups are tested annually for integrity
Backups are stored encrypted
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Annual penetration tests by external third party
Annual security training for all the employees
Acknowledgement of the Information Security Policy and code of Conduct by all the employees
Annual review of all the internal policies
Annual risk assessment exercise done to identify and mitigate the risks in the company in terms of data & information security
Annual testing of the main policies (incident response plan and BCDR plan)
Measures for user identification and authorisation
2FA enabled on all the systems that allow it
Identification of “super administrator” employees, in charge of granting and removing access and reviewing access rights twice a year
User access review performed twice a year
Access is provided using role-based rules and the least privilege principle
Measures for the protection of data during transmission
All external HTTP communications are protected by TLS 1.2 as a minimum
Measures for the protection of data during storage
Firewalls in place
Anti-virus set up by default on all the computers and laptops
Measures for ensuring physical security of locations at which personal data are processed
Entrance controlled by keys and badges
Only authorized personnel have access to create, alter, and revoke access badges/keys
Access reviews are performed twice a year
A visitor log is used to document visitor access to secure areas of the organization’s facility
Measures for ensuring events logging
All API calls and user actions are automatically logged and retained for 1 year.
Measures for ensuring system configuration, including default configuration
Documents written to describe the standard configurations for infrastructure systems, workstations and laptops
Procedures in place to ensure configurations for infrastructure systems, servers, workstations and laptops (deployment checklists…)
Measures for internal IT and IT security governance and management
Our security program is managed through a structured governance framework with clearly defined responsibilities:
Chief Executive Officer (CEO): Provides executive sponsorship and ultimate oversight of the company's security posture.
Head of Engineering: Designs and approves technical security policies as well as approves all systems to be used in engineering production. Oversees the successful implementation of technical security controls within the organization.
IT team: Implements and monitors the security controls in place in the company.
Measures for certification/assurance of processes and products
Risk assessment is conducted annually
All internal policies are reviewed annually
Annual SOC2 (SOC 2 Type 1 in process)
Measures for ensuring data minimisation
Data is processed according to GDPR principles
Goodweek takes a privacy-by-default approach minimizing the risk of capturing sensitive or personal data
Measures for ensuring data quality
Regular checks with automated testing are performed to make sure the data is consistent with data observability
Backups are stored encrypted
Measures for ensuring limited data retention
Data retention policy according to GDPR
Regular reviews are conducted by the Legal & Compliance team
Measures for ensuring accountability
Data protection by design and by default approach
Designated DPO
Risk assessments are conducted every 6 months
Measures for allowing data portability and ensuring erasure
Individual rights privacy policy written and reviewed annually
Workflows in place to answer the personal data requests coming from any individual with the support of the Legal & Compliance Department
ANNEX 3
List of Sub-Processors
Amazon Web Services Inc
410 Terry Avenue North, Seattle, WA 98109, USA
Contact
+1-206-266-1000
aws-EU-privacy@amazon.com
Details of the services provided
Hosting and AI Models provider; AI Infrastructure and Raw document storage.
https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/welcome.html
https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html
Location
EU/USA (Only for the AI Models listed below (if open web searches activated))
Stripe
354 Oyster Point Boulevard, South San Francisco, California, 94080, USA (Stripe Legal)
EU representative : Stripe Technology Company Limited, One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland (Stripe Legal)
Contact
dpo@stripe.com
privacy@stripe.com
Details of the services provided
Payment, billing and services provider
Location
EU/USA
Scalingo SAS
13 rue Jacques Peirotes, 67000 Strasbourg (France)
Contact
dpo@scalingo.com
Details of the services provided
Hosting. Servers & database provider.
Location
EU
Sentry Software Netherlands B.V.
Schiphol Boulevard 359, 1118 BJ, Amsterdam Schiphol, Netherlands
Contact
compliance@sentry.io
Details of the services provided
Solution monitoring, Error tracking
https://sentry.io/security/ ; Privacy Policy 3.3.2 (October 29, 2025)
Location
EU
AI Models (zero data retention)
OpenAI L.L.C.
1455 3rd Street, San Francisco, CA 9458, USA
Contact
privacy@openai.com
Details of the services provided
AI Models provided
Location
EU/USA
