Data Processing Agreement — Kimoun

Kimoun’s Data Processing Agreement under Article 28 GDPR, applicable to all services involving the processing of personal data on behalf of the Client. Transversal annex to the General Terms and Conditions and to all Specific Terms.


English translation provided for convenience. This English version is provided as a courtesy and for ease of reading only. In case of any discrepancy, ambiguity, or contradiction between this English translation and the French version, the French version (« Accord de sous-traitance RGPD Kimoun ») available at /legals/cgv/dpa/ shall prevail as the sole legally binding reference text.

Usage note. Document compliant with Article 28 of the General Data Protection Regulation (GDPR), formalising the processing terms between the Client (controller) and Kimoun (processor) for any Service involving the processing of personal data on behalf of the Client. Transversal annex to the General Terms and Conditions of Kimoun and to all applicable Specific Terms (Consulting and Web Services, Domain Names and DNS, Managed Services and Web Hosting, Zimbra Email Services, Printing). To be reviewed by a lawyer or legal counsel before publication.

Article 1 — Preamble and purpose  

1.1 Context  

Within the framework of the Services it performs on behalf of the Client under the General Terms and Conditions of Kimoun (GTC) and the applicable Specific Terms (ST), Kimoun may be required to process personal data on behalf of the Client.

This agreement (hereinafter “DPA” for Data Processing Agreement) formalises the terms of such processing, in accordance with Article 28 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter the “GDPR”) and with the French Data Protection Act No. 78-17 of 6 January 1978 as amended.

1.2 Contractual articulation  

This DPA:

  • supplements the GTC (in particular Article 5) and the Specific Terms applicable to each Service;
  • prevails over the GTC and the ST for any question relating to the processing of personal data;
  • enters into force upon signature or acceptance of the first Kimoun Quote involving the processing of personal data on behalf of the Client.

1.3 Capacity of the Parties  

  • The Client acts as controller within the meaning of Article 4(7) of the GDPR.
  • Kimoun acts as processor within the meaning of Article 4(8) of the GDPR.

When, exceptionally, Kimoun itself determines the purposes and means of a processing, it acts as a controller and this DPA does not apply to such particular processing (which is governed by Kimoun’s privacy policy).

Article 2 — Definitions  

The terms used in this DPA have the meaning given to them in Article 4 of the GDPR. In particular, the following definitions are retained:

  • Personal data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on personal data.
  • Controller: the person who determines the purposes and means of the processing.
  • Processor: the person who processes personal data on behalf of the controller.
  • Sub-processor: processor engaged by the processor to carry out all or part of the processing.
  • Data subject: natural person whose personal data is processed.
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • CNIL: Commission Nationale de l’Informatique et des Libertés, the French supervisory authority.

Article 3 — Description of the processing activities  

The general characteristics of the processing activities carried out by Kimoun on behalf of the Client are as follows, depending on the Service considered.

3.1 For Consulting, Web Services, SEO and Editorial Support Services (ST Consulting and Web Services)  

| Item | Description |
| --- | --- |
| Nature | Collection, consultation, structuring, storage and restitution of data within the framework of deliverables (audits, recommendations, content, configurations) |
| Purposes | Performance of contractual consulting, audit, accompaniment and implementation services |
| Categories of data | Professional data, website traffic and usage data, data of the Client’s prospects or clients if transmitted for study |
| Categories of data subjects | Visitors and users of the Client’s sites, prospects and clients of the Client, employees of the Client |
| Duration | Duration of the engagement, extended by the archiving period provided for in Article 11 |

3.2 For Domain Name and DNS Services (ST Domain Names and DNS)  

| Item | Description |
| --- | --- |
| Nature | Collection, transmission and storage of data necessary for the registration, renewal and management of domain names and for DNS configuration |
| Purposes | Registration, renewal, administrative and technical management of domain names; DNS configuration |
| Categories of data | Identification data of the Registrant, administrative, technical and billing contacts |
| Categories of data subjects | Registrant, contacts designated by the Client |
| Duration | Domain registration duration, extended by the archiving period provided for in Article 11 |

3.3 For Managed Services and Web Hosting (ST Managed Services and Web Hosting)  

| Item | Description |
| --- | --- |
| Nature | Hosting, administration, supervision, backup and restoration of data stored in the environment administered on behalf of the Client |
| Purposes | Provision and operational maintenance of the Client’s hosting environment |
| Categories of data | All personal data contained in the sites, applications and databases of the Client (variable depending on the Client’s usage) |
| Categories of data subjects | Variable depending on the Client’s usage: visitors, customers, prospects, employees, application users |
| Duration | Duration of the Service, extended by the retention period provided for in Article 11 |

3.4 For Zimbra Email Services (ST Zimbra Email)  

| Item | Description |
| --- | --- |
| Nature | Marketing and coordination of the email service; no direct access by Kimoun to message content |
| Purposes | Provision and continuity of the email service for the benefit of the Client |
| Categories of data | Account identifiers, configuration data; message contents processed exclusively by the underlying operator (OVH) |
| Categories of data subjects | Users of the Client’s mailboxes, possible correspondents |
| Duration | Duration of the Service, extended by the retention period provided for in Article 11 |

3.5 For Printing and Print Products Services (ST Printing)  

| Item | Description |
| --- | --- |
| Nature | Reception, technical processing and printing of files provided by the Client |
| Purposes | Production of the ordered printed materials |
| Categories of data | Data present in the files to be printed (variable depending on the medium: contact details, photos, nominative lists, etc.) |
| Categories of data subjects | Variable depending on the content provided by the Client |
| Duration | Duration of order execution, extended by the technical archiving period provided for in the ST Printing |

3.6 Specific detail per engagement  

When the engagement has particular characteristics (significant volume, sensitive data, specific purposes), a detailed description is annexed to the Quote and supplements the general characteristics above.

Article 4 — Obligations and rights of the Client (controller)  

The Client undertakes to:

  • document in writing any instruction given to Kimoun relating to the processing of personal data;
  • ensure that the instructions given comply with the provisions of the GDPR and any applicable legislation;
  • ensure that data subjects have been informed under the conditions provided for in Articles 12 to 14 of the GDPR;
  • warrant that it has an appropriate legal basis for each processing entrusted (consent, contractual performance, legal obligation, legitimate interest, etc.);
  • supervise the processing, in particular through the audits and controls provided for in Article 12 of this DPA;
  • notify Kimoun, as soon as possible, of any evolution of the purposes or categories of processing likely to affect the subcontracted services.

The Client remains responsible for the prior evaluation, in particular by carrying out a Data Protection Impact Assessment (DPIA) when required by Article 35 of the GDPR.

Article 5 — Obligations of Kimoun (processor)  

In accordance with Article 28(3) of the GDPR, Kimoun undertakes to:

5.1 Process data only on documented instructions from the Client  

Kimoun processes personal data only on documented instructions from the Client, as established by the GTC, the ST, the Quote, this DPA or any subsequent written instructions from the Client.

Kimoun immediately informs the Client if, in its opinion, an instruction constitutes a breach of the GDPR or of other provisions of Union or national law.

Kimoun does not transfer personal data to a third country or international organisation, unless required to do so by applicable law, in which case it informs the Client beforehand.

5.2 Ensure confidentiality  

Kimoun ensures that persons authorised to process personal data commit to respecting confidentiality, either by written undertaking or by virtue of a legal confidentiality obligation.

5.3 Implement security measures (Article 32 GDPR)  

Kimoun implements appropriate technical and organisational measures to ensure a level of security adapted to the risk, in particular:

  • pseudonymisation and encryption of data when relevant (systematic in-transit encryption, at-rest encryption depending on the services);
  • means to ensure the confidentiality, integrity, availability and resilience of systems;
  • means to restore the availability of data in case of incident (backups, recovery plan);
  • a procedure to test, analyse and regularly evaluate the effectiveness of technical and organisational measures;
  • an access management policy (authentication, traceability, least privilege principle);
  • a security update policy for administered components (see ST Managed Services Article 5.3).

The detail of the measures applicable per activity is set out in Annex A to this DPA.

5.4 Conditions for engaging sub-processors  

Kimoun shall not engage any new sub-processor without specific or general prior written authorisation from the Client.

In the case of general authorisation, Kimoun informs the Client of any planned change concerning the addition or replacement of a sub-processor, thereby giving the Client the opportunity to raise objections within thirty (30) days of the notification.

The list of authorised sub-processors as at the date of signature is set out in Annex B to this DPA. The Client hereby gives general authorisation for the use of the sub-processors listed in this annex, as well as for any evolution notified in accordance with this article.

Kimoun imposes on its sub-processors contractual obligations equivalent to those of this DPA, in particular regarding security and data protection.

5.5 Assistance to the Client for data subject rights  

Kimoun assists the Client, through appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights (rights of access, rectification, erasure, restriction, portability, objection, rights relating to automated decisions — Articles 12 to 22 of the GDPR).

When a request is sent directly to Kimoun, Kimoun transmits it without delay to the Client and does not respond to it itself, unless authorised by the Client.

5.6 Assistance to the Client for obligations under Articles 32 to 36 GDPR  

Kimoun assists the Client in complying with its obligations regarding:

  • security of processing (Article 32);
  • notification of personal data breaches (Articles 33 and 34);
  • Data Protection Impact Assessments (Article 35);
  • prior consultation with the supervisory authority (Article 36).

Taking into account the information available to it, the assistance is provided within reasonable limits relevant to its role as processor.

5.7 Notification of personal data breaches  

Kimoun notifies the Client of any personal data breach affecting the data processed on its behalf, as soon as possible and at the latest within seventy-two (72) hours of becoming aware of it.

The notification includes, as far as possible:

  • the nature of the breach (categories and approximate number of data subjects and data records concerned);
  • the likely consequences;
  • the measures taken or proposed to remedy the breach;
  • the contact details of Kimoun’s point of contact.

When this information cannot be provided within 72 hours, it shall be provided in phases, without undue delay.

It is the Client’s responsibility, as controller, to proceed, where applicable, to notification to the CNIL (Article 33 GDPR) and communication to data subjects (Article 34 GDPR).

5.8 Return and deletion of data at the end of the Service  

At the Client’s choice, Kimoun deletes or returns the personal data processed on its behalf at the end of the Service, as well as any existing copy, save for provisions of Union or national law requiring retention.

Unless otherwise specified in writing by the Client, deletion takes place within a maximum period of thirty (30) days following the end of the Service. A certificate of deletion may be issued to the Client upon request.

5.9 Making information available and audit  

Kimoun makes available to the Client all information necessary to demonstrate compliance with the obligations of this DPA and to allow audits, including inspections, by the Client or any other auditor mandated by the Client. The audit terms are specified in Article 12.

5.10 Records of processing activities  

In accordance with Article 30(2) of the GDPR, Kimoun maintains a record of processing activities carried out on behalf of the Client, containing the information required by the GDPR. This record is made available to the supervisory authority upon request.

Article 6 — Sub-processors  

6.1 Authorised list  

The Client expressly authorises Kimoun to use the sub-processors listed in Annex B for the performance of the Services.

6.2 Main sub-processor: OVH  

Kimoun’s main sub-processor is OVH SAS (operating under the brand OVHcloud), for hosting, infrastructure and Zimbra email services activities. OVH’s GDPR commitments, published on ovhcloud.com — “Legal documents” section, apply to the subcontracting chain, and the Client is invited to take note of them.

6.3 Changes to sub-processors  

Any addition or replacement of a sub-processor is notified to the Client by email, with reasonable advance notice. The Client has a period of thirty (30) days to object to this change, providing reasons.

In case of substantiated objection, the Parties consult in good faith to find a solution. Failing agreement, the Client may terminate the affected Service in accordance with the termination terms provided for in the GTC and the applicable ST.

6.4 Obligations imposed on sub-processors  

Kimoun ensures that any sub-processor is subject to obligations equivalent to those of this DPA, in particular regarding security, confidentiality and notification of personal data breaches.

Kimoun remains fully liable to the Client for the performance by the sub-processor of its obligations regarding data protection.

Article 7 — Data location and transfers outside the EU  

7.1 Primary location  

The data processed by Kimoun is, unless an exception is expressly validated by the Client, located in the European Union:

  • data processed on OVH’s infrastructure is stored in OVH’s European data centres (in practice, in France for the centres of Roubaix, Strasbourg, Gravelines, or in other countries of the European Union);
  • administrative and commercial management data processed directly by Kimoun is retained in France.

7.2 Transfers outside the EU  

No data transfer to a third country located outside the European Economic Area is carried out without:

  • an adequacy decision from the European Commission within the meaning of Article 45 of the GDPR; or
  • appropriate safeguards within the meaning of Article 46 of the GDPR, in particular the standard contractual clauses adopted by the European Commission post-Schrems II; or
  • another derogation provided for in Article 49 of the GDPR, subject to prior information of the Client.

7.3 Remote access  

Administration, support or supervision operations may occasionally require access from French or European territory, by authorised personnel. No access from a third country is carried out without the application of the appropriate safeguards referred to in Article 7.2.

Article 8 — Security of processing  

8.1 General measures  

Kimoun implements the technical and organisational measures described in Article 5.3 and detailed in Annex A, in proportion to:

  • the nature, scope, context and purposes of the processing;
  • the risk to the rights and freedoms of the data subjects.

8.2 Evolution of measures  

The measures are periodically reassessed and updated according to the evolution of risks, technology and sectoral best practices.

8.3 Subsidiarity with the underlying operator’s measures  

When the Service involves a sub-processor (in particular OVH), the security measures of this operator are in addition to those implemented directly by Kimoun and contribute to the overall security level.

Article 9 — Notification of personal data breaches  

9.1 Detection and qualification  

Kimoun implements reasonable means to detect, qualify and trace personal data breaches affecting the processing carried out on behalf of the Client.

9.2 Notification procedure  

Any personal data breach is notified to the Client in accordance with Article 5.7 of this DPA. The notification is sent to the GDPR point of contact designated by the Client, or failing that to the contractual referent.

9.3 Cooperation  

Kimoun cooperates fully with the Client to enable, where applicable:

  • the notification of the breach to the CNIL pursuant to Article 33 of the GDPR;
  • communication to data subjects pursuant to Article 34 of the GDPR;
  • any corrective or remedial measure.

9.4 Documentation  

Any breach, including its circumstances, its effects and the measures taken, is documented by Kimoun, in accordance with Article 33(5) of the GDPR. This documentation is made available to the Client and to the supervisory authority upon request.

Article 10 — Data subject rights  

10.1 Prior information of data subjects  

The information of data subjects (Articles 12 to 14 of the GDPR) is the responsibility of the Client, as controller. Kimoun may, upon request, provide the Client with the information necessary for drafting the information notice when Kimoun intervenes in the processing chain.

10.2 Requests sent to Kimoun  

When a data subject sends a request to exercise their rights directly to Kimoun, Kimoun transmits it without delay to the Client.

Kimoun only responds to the data subject to confirm the transmission of their request to the controller and to invite them to contact the controller.

10.3 Technical assistance  

Kimoun provides the Client, within reasonable limits, with the technical assistance necessary for the effective exercise of rights (extraction, rectification, deletion, portability, restriction).

Article 11 — Retention period and end of processing  

11.1 During the Service  

Kimoun retains personal data for the period strictly necessary for the execution of the Service, in accordance with the Client’s instructions.

11.2 At the end of the Service  

At the Client’s choice, expressed in writing, Kimoun:

  • returns to the Client all personal data at the end of the Service, in a common and interoperable format, and deletes the copies;
  • deletes all personal data at the end of the Service and certifies this deletion to the Client upon request.

Unless otherwise specified by the Client within thirty (30) days following the end of the Service, Kimoun proceeds with the deletion of the data.

By way of exception, Kimoun may retain certain data for the legal period when this is imposed by applicable law, in particular:

  • accounting documents: ten (10) years (Article L.123-22 of the French Commercial Code);
  • elements justifying the performance of invoiced services: for the applicable legal period.

This retention is limited to strictly necessary data for the invoked legal purpose and excludes any other use.

Article 12 — Audit and inspection  

12.1 Right of audit  

The Client may, at its own expense and at most once a year, except in particular justified cases (security incident, suspicion of breach, authority request), proceed with an audit or have an audit carried out by an independent third party it mandates, in order to verify compliance with this DPA.

12.2 Terms  

The audit is subject to prior notice of at least fifteen (15) business days, except in a justified emergency, and is carried out:

  • during Kimoun’s business hours;
  • without unreasonable disruption of activity;
  • in respect of the confidentiality of Kimoun’s other clients;
  • after the auditors have signed a confidentiality undertaking.

12.3 Documentary audits  

For routine audits, Kimoun may propose a documentary mechanism (audit questionnaire, certificate, copy of certifications) meeting the reasonable requirements of the Client.

12.4 Reports and follow-up  

The audit report is communicated to Kimoun, which has a reasonable time to formulate its observations and, where applicable, implement the identified corrective actions.

Article 13 — Liability  

13.1 Principle  

Each Party is liable for breaches attributable to it under this DPA, in accordance with the conditions provided for in Article 82 of the GDPR and applicable law.

13.2 Limitation of liability  

Subject to mandatory provisions, Kimoun’s liability under this DPA is capped under the conditions provided for in the Specific Terms applicable to the Service at the origin of the dispute.

This limitation does not apply in case of:

  • gross or wilful misconduct by Kimoun;
  • characterised breach of the mandatory provisions of the GDPR;
  • bodily harm.

13.3 Sub-processors  

Kimoun remains fully liable to the Client for the performance by its sub-processors of data protection obligations. Any possible recourse by Kimoun against its sub-processors does not suspend either Kimoun’s liability or the Client’s rights.

Article 14 — Duration, modification, end of the DPA  

14.1 Duration  

This DPA enters into force on the date of acceptance of the first Kimoun Quote involving the processing of personal data and remains applicable throughout the duration of the Services requiring it.

14.2 Modifications  

This DPA may be modified by amendment signed by the Parties, in particular to integrate:

  • applicable legislative and regulatory developments (GDPR, French Data Protection Act, Data Act, etc.);
  • evolutions of recommendations from the CNIL and the European Data Protection Board (EDPB);
  • evolutions of sectoral standards.

Any evolution is notified to the Client in writing and takes effect according to the terms agreed between the Parties.

14.3 End of the DPA  

This DPA ends:

  • upon cessation of all Kimoun Services involving the processing of personal data;
  • or by termination by either Party for serious breach by the other, after formal notice that has remained without effect for thirty (30) days.

The obligations relating to the deletion or restitution of data (Article 11) and to the retention for legal obligations survive the end of this DPA.

Article 15 — Articulation with the GTC and ST of Kimoun  

This DPA constitutes a transversal annex to the General Terms and Conditions of Kimoun (GTC) and to all applicable Specific Terms (ST) of Kimoun Services.

In case of contradiction between this DPA and the GTC / ST on questions of personal data processing alone, this DPA shall prevail.

The overall order of precedence defined in Article 3.3 of the GTC is thus adapted as follows for matters falling under this DPA:

  1. The signed Quote and its amendments
  2. This DPA (for personal data processing matters)
  3. The applicable Specific Terms
  4. The General Terms and Conditions
  5. Other annexes

Article 16 — Applicable law and jurisdiction  

This DPA is governed by French law and Regulation (EU) 2016/679.

In accordance with Article 12 of the GTC, any dispute relating to this DPA shall be subject to a prior attempt at amicable resolution. Failing this, it shall be subject to the exclusive jurisdiction of the courts of Pointe-à-Pitre.


Annex A — Technical and organisational security measures  

The technical and organisational measures implemented by Kimoun include, in proportion to the risks and depending on the Services:

A.1 Technical measures  

  • In-transit encryption of communications (TLS 1.2 minimum, TLS 1.3 when available);
  • At-rest encryption of sensitive data when relevant and technically available;
  • Strong authentication of administrative accesses (SSH keys, two-factor authentication when relevant);
  • Compartmentalisation of client environments;
  • Firewalls and anti-bruteforce mechanisms;
  • Regular security updates of administered components, in accordance with the patch policy (see ST Managed Services Article 5.3);
  • Backups of data according to the terms defined in each ST;
  • Logging of accesses and sensitive operations;
  • Supervision of security events.

A.2 Organisational measures  

  • Confidentiality undertaking signed by any person authorised to process the data;
  • Principle of least privilege in the granting of accesses;
  • Access management procedure (opening, modification, revocation);
  • Incident management procedure and notification of breaches;
  • Documentation of processing activities and maintenance of a register in accordance with Article 30 of the GDPR;
  • Regular awareness-raising on data protection;
  • Periodic evaluation of security measures.

A.3 Underlying operator’s measures  

The measures implemented by OVH as a sub-processor are in addition to Kimoun’s measures and include in particular: physical security of data centres, redundancy, continuity plans, applicable certifications (ISO 27001, SecNumCloud where applicable, HDS for the relevant services). The detailed commitments of OVH are published on ovhcloud.com.


Annex B — List of authorised sub-processors  

As at the date of entry into force of this DPA, the authorised sub-processors are as follows:

| Sub-processor | Role | Activities concerned | Primary location |
| --- | --- | --- | --- |
| OVH SAS (OVHcloud) | Hosting, infrastructure, Zimbra email | Managed services and web hosting; Zimbra email; DNS management when hosted with OVH | France / European Union |
| [Third-party registrar] (to be completed if applicable) | Domain name registration | Domains and DNS (for extensions not managed via OVH) | Variable depending on the extension |
| [Partner printer] (to be completed if applicable) | Printing subcontracting | Printing and print products (for volumes or techniques exceeding own means) | France / European Union |

Any modification of this list is notified to the Client under the conditions of Article 6.3.


Reminder. This English version is provided as a courtesy translation only. The French version of this DPA is the sole legally binding reference text. In case of any conflict between the two versions, the French version shall prevail.

Kimoun Data Processing Agreement — version 1.01 — entered into force on 28 April 2026
Kimoun — Route de Boisvin, 97160 Le Moule — SIRET 477 746 275 00031 — oliver@kimoun.com — kimoun.com
