← Back to home

Data Processing Addendum (DPA)

Standard agreement governing Conformaze’s processor relationship under article 18.3 of Quebec’s Law 25 / article 28 GDPR.

Version 1.0.0Effective since April 28, 2026

When you use Conformaze to process personal information for which your organization is controller, Conformaze acts as processor under article 18.3 of Quebec’s Law 25 and article 28 GDPR. This page makes our generic Data Processing Addendum (DPA) available for execution with each client organization.

Conformaze DPA — version 1.0.0

Printable HTML document (export to PDF from your browser), bilingual FR/EN, ready to sign.

Download the generic DPA (v1.0.0, EN)

1. What does the DPA cover?

  • Scope: all personal information your organization processes in Conformaze (ROPA, EFVPs, DSARs, incidents, uploaded files, etc.).
  • Duration: the lifetime of your active subscription, plus the post-termination retention period defined in our Terms.
  • Nature and purpose of processing: delivery of the features described on our Features page, plus hosting, backup, support and logging activities.
  • Data categories: professional identities, content produced by your team and — depending on your use cases — data about the data subjects whose processing you document.

2. Conformaze’s commitments as processor

  • process data only on the documented instructions of the Client;
  • ensure that any person with access to the data is bound by a written confidentiality undertaking;
  • implement the technical and organizational measures described in Annex II of the DPA (encryption, MFA, RBAC, audit logging, restore tests, etc.);
  • engage only sub-processors listed on our Subprocessors page, with 30-day prior notice before any addition;
  • assist the Client with data subject rights handling and incident notification (72-hour CAI deadline);
  • upon termination, return or destroy the data per the Client’s choice, within the agreed deadlines.

3. How to execute the DPA

  1. Download the document using the button above. The HTML format is printable and supports manual or electronic signature.
  2. Complete Annex I with your organization’s details (legal name, business number, contact, scope).
  3. Sign and return the document to dpo@conformaze.com. We countersign within 5 business days and send back the executed copy.
  4. For organizations using an e-signature tool (DocuSign, Acrobat Sign, Yousign…), you may initiate the workflow on your side and we will align with it.

4. Changes to the DPA

Any substantial change to the DPA is notified to the Client at least 30 days before its effective date. Previous versions are preserved and remain available on request from the Privacy Officer.

5. Questions?

For any question about the DPA, please contact dpo@conformaze.com. For specific organizational needs (additional clauses, geographic restrictions, audit rights), feel free to reach out — the generic version is the contractual floor, never the ceiling.

You may also consult our Law 25 transparency page to understand our personal information protection practices and complaints procedure.